This question relates to "Deployment Pool" member agents and not "Agent Pool" for builds (Microsoft still needs to work a bit to prevent the amount of confusion around the two. It's the same agent software, but that agent can be configured either to do builds of software OR just to deploy artefacts and run deployments).
Microsoft has a brief section on agents behind an on-prem firewall, but it's a mixed message that doesn't clearly address just deployment pool agents.
(In the above link it's the section called "Communication to deploy to target servers".)
In the graphic, in my mind, it should look more like the image I have adapted and attached here.
I have a battle around approval from network security to allow the agent software on a deployment pool agent to connect up to Azure DevOps to allow release pipelines to be triggered to it and artefacts to be downloaded to them.
I have said back that I believe each server that you want to deploy an artefact and a list of deployment steps to in that pipeline will need to have the agent software installed AND have direct connectivity back to dev.azure.com via port 443.
Am I correct in this assumption?
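A way to give network security something concrete to sign off on is a connectivity probe run from each prospective target server. The script below is an added example written for this thread; it is not from the original post, from Microsoft, or from the Azure DevOps agent itself. It checks, per endpoint, that DNS resolves, that an outbound TCP connection on port 443 succeeds, and that a normal TLS handshake completes, and it separates the three failure modes so a firewall block (TCP fails) is distinguished from a TLS-inspecting proxy (TCP works, handshake fails). Only `dev.azure.com:443` comes from the question; any further hosts in `REQUIRED_ENDPOINTS` are assumptions to be filled in from the current vendor documentation. The `probe` parameter of `probe_all` is a hypothetical injection point so the reporting logic can be exercised without network access.

```python
"""Outbound-connectivity probe for a prospective deployment-group agent host.

Added example (not the post's or Microsoft's code). The agent only ever makes
outbound HTTPS connections and polls for work, so this is the only direction of
traffic the probe exercises; no inbound listener on the target server is tested
because none is needed for the agent to receive release jobs.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# dev.azure.com:443 is the endpoint named in the question. Add the organisation's
# other required Azure DevOps hosts here from the vendor documentation
# (assumption: the list below is deliberately minimal, not authoritative).
REQUIRED_ENDPOINTS: List[Tuple[str, int]] = [
    ("dev.azure.com", 443),
]


@dataclass
class ProbeResult:
    host: str
    port: int
    resolved: bool   # DNS lookup succeeded
    tcp_ok: bool     # outbound TCP connect succeeded (firewall allows it)
    tls_ok: bool     # TLS handshake completed with a trusted certificate
    detail: str

    @property
    def ok(self) -> bool:
        return self.resolved and self.tcp_ok and self.tls_ok


def real_probe(host: str, port: int, timeout: float = 5.0) -> ProbeResult:
    """Resolve, connect and complete a TLS handshake, classifying the failure stage."""
    try:
        socket.getaddrinfo(host, port)
    except socket.gaierror as exc:
        return ProbeResult(host, port, False, False, False, f"DNS failure: {exc}")

    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Connection refused / timed out: typically an egress firewall rule.
        return ProbeResult(host, port, True, False, False, f"TCP connect failed (firewall?): {exc}")

    ctx = ssl.create_default_context()  # validates the server chain against the OS trust store
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ProbeResult(host, port, True, True, True, f"TLS {tls.version()} OK")
    except (ssl.SSLError, OSError) as exc:
        # TCP worked but the handshake did not: often a TLS-inspecting proxy whose
        # CA the host does not trust, which the agent would also reject.
        return ProbeResult(host, port, True, True, False, f"TLS handshake failed (intercepting proxy?): {exc}")


def probe_all(
    endpoints: List[Tuple[str, int]],
    probe: Callable[[str, int], ProbeResult] = real_probe,
) -> Dict[str, ProbeResult]:
    """Run the probe against every endpoint; `probe` is injectable for offline testing."""
    return {f"{host}:{port}": probe(host, port) for host, port in endpoints}


def summarize(results: Dict[str, ProbeResult]) -> Tuple[bool, List[str]]:
    """Return (all endpoints reachable, one report line per endpoint)."""
    lines = []
    for key, result in results.items():
        status = "OK  " if result.ok else "FAIL"
        lines.append(f"{status} {key}  {result.detail}")
    return all(r.ok for r in results.values()), lines


if __name__ == "__main__":
    all_ok, report = summarize(probe_all(REQUIRED_ENDPOINTS))
    print("\n".join(report))
    raise SystemExit(0 if all_ok else 1)
```

Run it on the target server itself (not from a jump host), since that is where the agent process will live; a non-zero exit on any required endpoint means the agent will not be able to register or poll for release jobs.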