New IP firewall rules for Azure DevOps Services

Whitney Jenkins


Azure DevOps Services is currently investing in enhancing its routing structure. This change is designed to increase service availability and decrease service latency for many users. As a result of this enhancement, our IP address space will be changing. If you’re currently using firewall rules to allow traffic to Azure DevOps Services, please be sure to update these rules to account for our new IP ranges. These IP address changes go into full effect July 1, 2019.  

Determining impact

To help you determine whether this change impacts your organization, we are building an Azure DevOps IP check page. When you navigate to the page, we’ll run a sample request against our new routing structure. If the request fails, you’ll get a red “X” in the response. To resolve this, you’ll need to update your IP address whitelist. This feature isn’t implemented yet, but it is expected to be in place within the upcoming week.

IP address whitelist changes

To react to the changes in our IP address space, users should ensure dev.azure.com is open and update their whitelisted IPs to include the following IP addresses (based on your IP version). If you are currently whitelisting the 13.107.6.183 and 13.107.9.183 IP addresses, please leave these in place. You do not need to remove them.  

IPv4 ranges

  • 13.107.6.0/24
  • 13.107.9.0/24
  • 13.107.42.0/24
  • 13.107.43.0/24

IPv6 ranges

  • 2620:1ec:4::/48
  • 2620:1ec:a92::/48
  • 2620:1ec:21::/48
  • 2620:1ec:22::/48
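
One way to check an existing allow-list against the ranges above, as an added example that is not part of the original post. The allow-list entries and the function name `audit_allowlist` are constructed for illustration; a range is reported as `partial` when only part of it is allowed, for example when only a legacy single address is present.

```python
import ipaddress

# Ranges published in the post above.
REQUIRED_RANGES = [
    "13.107.6.0/24", "13.107.9.0/24", "13.107.42.0/24", "13.107.43.0/24",
    "2620:1ec:4::/48", "2620:1ec:a92::/48", "2620:1ec:21::/48", "2620:1ec:22::/48",
]

# Constructed sample allow-list (not from the post): the two legacy single
# addresses, one new range split into two halves, and one IPv6 range.
SAMPLE_ALLOWLIST = [
    "13.107.6.183", "13.107.9.183/32",
    "13.107.42.0/25", "13.107.42.128/25",
    "2620:1ec:4::/48",
]


def audit_allowlist(entries, required=REQUIRED_RANGES):
    """Return {required_cidr: 'covered' | 'partial' | 'missing'}."""
    nets = [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]
    # collapse_addresses() rejects mixed IP versions, so merge each family
    # separately; merging makes adjacent entries (two /25s) count as one /24.
    merged = {
        v: list(ipaddress.collapse_addresses([n for n in nets if n.version == v]))
        for v in (4, 6)
    }
    report = {}
    for cidr in required:
        need = ipaddress.ip_network(cidr)
        candidates = merged[need.version]
        if any(need.subnet_of(a) for a in candidates):
            report[cidr] = "covered"
        elif any(a.overlaps(need) for a in candidates):
            report[cidr] = "partial"   # e.g. only a legacy /32 inside the /24
        else:
            report[cidr] = "missing"
    return report


if __name__ == "__main__":
    for cidr, status in audit_allowlist(SAMPLE_ALLOWLIST).items():
        print(f"{status:8} {cidr}")
```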

Rollout plan

Over the course of the next few weeks, we will conduct a series of tests to identify organizations that may be impacted by these routing changes. We will conduct our first test June 17th from 1 PM – 2 PM UTC. We will conduct our second test June 24th from 1 PM – 5 PM UTC. A final test will be conducted on June 26th from 12 AM – 2 AM UTC. During these tests, we will temporarily update DNS to flush out any unknown dependencies on the current IP address. After the test period is over, we will revert DNS to its original state. If you are unable to access your organization during this period of time, please navigate to the status page and check that there aren’t any ongoing incidents. In the event we are running these tests and you’re unable to access your Azure DevOps organization, please update your IP address whitelist.

Reporting Issues

If you experience any issues with accessing your Azure DevOps organization after updating your IP whitelist, please post an update on this open developer community item.  


8 Comments
Islibadm Islibadm 2019-06-18 11:16:18
Hi Whitney,

Are the following new IP addresses hosting new AZDO service, or are they superseding some existing services?

IPv4 ranges

  • 13.107.6.0/24
  • 13.107.9.0/24
  • 13.107.42.0/24
  • 13.107.43.0/24

IPv6 ranges

  • 2620:1ec:4::/48
  • 2620:1ec:a92::/48
  • 2620:1ec:21::/48
  • 2620:1ec:22::/48

Regards, David
Grant Holliday 2019-06-12 05:00:08
You can use the following links to convert the test/live times to your local timezone & use as a countdown.

Azure DevOps - IP Changes - First test (1 hour)

  • https://aka.ms/azure_devops_ipchange/test1/yourtimezone
  • https://aka.ms/azure_devops_ipchange/test1/countdown

Azure DevOps - IP Changes - Second test (4 hours)

  • https://aka.ms/azure_devops_ipchange/test2/yourtimezone
  • https://aka.ms/azure_devops_ipchange/test2/countdown

Azure DevOps - IP Changes - Live

  • https://aka.ms/azure_devops_ipchange/live/yourtimezone
  • https://aka.ms/azure_devops_ipchange/live/countdown
Dennis Hsu 2019-06-03 10:39:17
Hi Whitney, We whitelist the URLs in "How do I configure the agent to bypass a web proxy and connect to Azure Pipelines?" section https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/v2-windows?view=azure-devops#im-running-a-firewall-and-my-code-is-in-azure-repos-what-urls-does-the-agent-need-to-communicate-with Is there any action item for us? Thanks, Dennis