New IP firewall rules for Azure DevOps Services

Whitney Jenkins


Azure DevOps Services is currently investing in enhancing its routing structure. This change is designed to increase service availability and decrease service latency for many users. As a result of this enhancement, our IP address space will be changing. If you’re currently using firewall rules to allow traffic to Azure DevOps Services, please be sure to update these rules to account for our new IP ranges. These IP address changes go into full effect July 22, 2019.  

Determining impact

To help you determine whether this change impacts your organization, we are building an Azure DevOps IP check page. When you navigate to the page, we’ll run a sample request against our new routing structure. If the request fails, you’ll get a red “X” in the response. To resolve this, you’ll need to update your IP address whitelist. This feature isn’t implemented yet, but it is expected to be in place within the upcoming week.

IP address whitelist changes

To react to the changes in our IP address space, users should ensure dev.azure.com is open and update their whitelisted IPs to include the following IP addresses (based on your IP version). If you are currently whitelisting the 13.107.6.183 and 13.107.9.183 IP addresses, please leave these in place. You do not need to remove them.  

IPv4 ranges

  • 13.107.6.0/24
  • 13.107.9.0/24
  • 13.107.42.0/24
  • 13.107.43.0/24

IPv6 ranges

  • 2620:1ec:4::/48
  • 2620:1ec:a92::/48
  • 2620:1ec:21::/48
  • 2620:1ec:22::/48

A complete list of Azure DevOps Services guidelines for configuring firewalls and proxy servers can be found in the Allow IP addresses and URLs to the allow list document.
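As an added example (not part of the original post and not Microsoft's code), the following Python script compares an existing firewall allow list with the ranges listed above and reports which portions are still missing. The `SAMPLE_ALLOWED` entries and the function name `uncovered` are assumptions constructed for illustration.

```python
import ipaddress

# IPv4 and IPv6 ranges listed in the post above.
REQUIRED = [
    "13.107.6.0/24", "13.107.9.0/24", "13.107.42.0/24", "13.107.43.0/24",
    "2620:1ec:4::/48", "2620:1ec:a92::/48", "2620:1ec:21::/48", "2620:1ec:22::/48",
]

# Constructed sample of an existing firewall allow list (an assumption, not
# real data): the two legacy single addresses, one supernet, one IPv6 range.
SAMPLE_ALLOWED = ["13.107.6.183", "13.107.9.183/32", "13.107.42.0/23", "2620:1ec:4::/48"]


def uncovered(required, allowed):
    """Map each required CIDR to the sub-ranges that `allowed` does not cover."""
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    gaps = {}
    for cidr in required:
        req = ipaddress.ip_network(cidr)
        remaining = [req]
        for rule in (a for a in allowed_nets if a.version == req.version):
            pieces = []
            for net in remaining:
                if net.subnet_of(rule):
                    continue                      # fully covered by this rule
                if rule.subnet_of(net):
                    pieces.extend(net.address_exclude(rule))  # carve the rule out
                else:
                    pieces.append(net)            # disjoint, still uncovered
            remaining = pieces
        if remaining:
            gaps[cidr] = [str(n) for n in ipaddress.collapse_addresses(remaining)]
    return gaps


if __name__ == "__main__":
    for cidr, missing in uncovered(REQUIRED, SAMPLE_ALLOWED).items():
        print(f"{cidr}: add {', '.join(missing)}")
```

With the sample list, the two legacy /32 entries leave 255 addresses of each corresponding /24 uncovered, which is why keeping those entries alone is not sufficient.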

Rollout plan

Over the course of the next few weeks, we will conduct a series of tests to identify organizations that may be impacted by these routing changes. We will conduct our first test June 17th from 1300 – 1400 UTC. We will conduct our second test June 24th from 1300-1700 UTC. Our third test will be conducted on June 26th from 00 – 200 UTC. A final test will be conducted on July 16th from 1300-1700 UTC. During these tests, we will temporarily update DNS to flush out any unknown dependencies on the current IP address. After the test period is over, we will revert DNS to its original state. If you are unable to access your organization during this period of time, please navigate to the status page and check that there aren’t any ongoing incidents. In the event we are running these tests and you’re unable to access your Azure DevOps organization, please update your IP address whitelist.  

Schedule changes

Our rollout plan has changed a few times since the initial release of this blog post. During our tests, we uncovered some issues related to how our IP readiness checker handles IPv6 connections. Many users reported receiving a successful health message when they visited the IP check page but then experienced connectivity issues during our test windows. As a result of these findings, we’ve enhanced our IP check page to behave in a more sophisticated manner, and we encourage all users to revisit the IP check page to ensure their organization is not impacted by the upcoming changes in our routing structure. Thank you to everyone who has reported issues during this test period. This has been a great opportunity to learn from you all along the way. Please continue to reach out and report any issues you encounter. We want to ensure this transition is seamless.

Reporting Issues

If you experience any issues with accessing your Azure DevOps organization after updating your IP whitelist, please post an update on this open developer community item.  
