[Updated] New IP address ranges with Service Tags for Azure DevOps Services

Justin Chung

Please see the Rollout Update section below for important information about brownout status and schedule change for East US 2 region.

Azure DevOps Services will support Service Tags by the end of CY2020. Azure Service Tags are a convenient way for customers to manage their networking configuration to allow traffic from specific Azure services. Once a Service Tag has been set up for Azure DevOps Services, customers can easily allow access by adding the tag name azuredevops to their NSGs or firewalls either through the portal or programmatically. 

In preparation for this enhancement, our IP address space will be changing for outbound traffic from Azure DevOps Services to customers’ on-prem systems, effective October 5 2020. If you’re currently using firewall rules to allow traffic from Azure DevOps Services, please be sure to update these rules to account for our new IP ranges by that deadline. We will be conducting a brownout test from September 9, 2020 to September 15, 2020 as indicated below. Please note the change from originally announced date of September 8, 2020 to September 9, 2020. While most of the features will work, the below four scenarios will be impacted by the brownout test due to IP address range change. If you do not want any impact for these four scenarios during this period, please add the additional IP address ranges below for your region to your firewall rules as soon as possible.

  • Azure DevOps Services connecting to endpoints for Service Hooks,
  • Azure DevOps Services connecting to SQL server in customer’s on-prem systems for Data Import,
  • Azure Pipelines connecting to on-prem source code repositories such as GitHub Enterprise or BitBucket Server,
  • Azure DevOps Services Audit Streaming connecting to on-prem or cloud-based Splunk.
  • The Service Tag does not apply to Microsoft Hosted Agents. Customers are still required to allow the entire geography for the Microsoft Hosted Agents.  For inbound traffic from customers’ on-prem systems to Azure DevOps Services, customers can continue to follow the guidelines here.

    Determining impact

    To help you determine whether this change impacts your organization, we are building an Azure DevOps IP Check Tool. The IP Check Tool is used to validate inbound and outbound connectivity between Azure DevOps Services and customers’ on-prem systems. Please use this tool prior to the brownout and after to validate your connectivity.

    For inbound testing from your on-prem system to Azure DevOps Services, please make sure that the browser running the test is connected to your target network. We will attempt to contact Azure DevOps Services and report any errors we see.

    For outbound testing from Azure DevOps Services to your on-prem systems, please provide us with a REST URL you expect our services to call. We will attempt to call the URL from each of our service regions. Any HTTP status code between 200 and 499 will be considered a successful connection. All 5xx status codes will be reported as an error.

    If you are having issues, please post an update on this open developer community item.

    IP Address Changes

    To react to the changes in our IPv4 address range, users should ensure dev.azure.com is open and update their allowed IPs to include the following IPv4 addresses (based on your region). You will also be able to use the service tag name azuredevops to allow all IP ranges below but the tag will not  be available until November 2020. IPv6 is not supported at this time.

    IP Address Ranges

    Region IP address ranges
    brazilsouth 191.235.226.0/24
    asiaeast 20.189.107.0/24
    uscentral 20.37.158.0/23
    australiaeast 20.37.194.0/24
    indiasouth 20.41.194.0/24
    useast2 20.41.6.0/23
    uswest2 20.42.134.0/23
    australiasoutheast 20.42.226.0/24
    useast 20.42.5.0/24
    ussouth 40.119.10.0/24
    europewest 40.74.28.0/23
    usnorth 40.80.187.0/24
    uswest 40.82.252.0/24
    uksouth 51.104.26.0/24
    uswestcentral 52.150.138.0/24
    canadacentral 52.228.82.0/24

    Azure DevOps documentation will be updated with the new IP address ranges here. A complete list of Azure DevOps Services guidelines for configuring firewalls and proxy servers can be found in the Allow IP addresses and URLs to the allow list document.

    Rollout plan

    Over the course of the next few weeks, we will conduct a series of brownout tests to identify organizations that may be impacted by these routing changes. We will conduct our first test on September 9, 2020 and complete by September 15, 2020. Please note the change from originally announced date of September 8, 2020 to September 9, 2020 and also note the change for East US 2 region to September 16,2020 at 07:00 EDT (11:00 UTC). See below for the brownout schedule. The brownout test will take 2 hours.

    Rollout update

    Azure DevOps Services started the network configuration change for the East US 2 region on September 9, 2020 at 10:00 EDT (14:00 UTC) and noticed a spike of customer impacting failures during one of the deployments. The spike lasted for 1 to 3 minutes for web traffic and customers may have noticed a message with “TF400898: An Internal Error Occurred” in their browser. The brownout in the East US 2 region was halted but we completed the brownout in the Central Canada region with success. We will continue with the brownout in the South India and West US 2 regions on September 10, 2020. We have updated the brownout schedule for the East US 2 region to September 16, 2020 at 07:00 EDT (11:00 UTC).

    Brownouts in chronological order

    UTC Date Time Region Local Date Time
    2020-09-09 19:00 canadacentral 2020-09-09 15:00 EDT
    2020-09-10 11:00 indiasouth 2020-09-10 16:30 IST
    2020-09-10 17:00 uswest2 2020-09-10 10:00 PDT
    2020-09-11 12:00 uksouth 2020-09-11 13:00 BST
    2020-09-11 18:00 brazilsouth 2020-09-11 15:00 BRT
    2020-09-14 13:00 europewest 2020-09-14 15:00 CEST
    2020-09-15 00:00 asiaeast 2020-09-15 08:00 HKT
    2020-09-15 14:00 uscentral 2020-09-15 09:00 CDT
    2020-09-15 22:00 australiaeast 2020-09-16 08:00 AEST
    2020-09-16 11:00 useast2 2020-09-16 07:00 EDT

    In the event we are running these tests and use cases such as service hooks, data import, and pipelines are not working during this period of time, please navigate to the status page and check that there aren’t any ongoing incidents and update your IP address allow list. We are targeting November, 2020 to make Service Tags generally available for Azure DevOps.

    Reporting Issues

    If you experience any issues with accessing your Azure DevOps organization after updating your IP allow list, please post an update on this open developer community item.