
We use Azure DevOps for building and deploying our applications and services in Azure. Right now we are also switching our on-premises deployments to Azure DevOps as well.

Unfortunately we have one issue with our servers which are on the one hand protected by a firewall (outgoing internet traffic is mostly blocked) and on the other hand are part of Azure DevOps deployment groups. As soon as we create a new release and start the deployment to a stage the artifact download process fails since the server is not permitted to download the artifacts from the blob storage where the artifacts are stored.

Warning, https://elgvsblobprodsu6weus10.blob.core.windows.net/dbcXXXXXXX/XXXX
Try 1/5, retryable exception caught. Retrying in 00:00:01. Details: 
2019-10-21T19:59:02.7071549Z No LastRequestResponse on exception HttpRequestException: An error occurred while sending the request. System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.WinHttpException: Error 12029 calling WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, 'A connection with the server could not be established'.
2019-10-21T19:59:02.7071940Z    at System.Threading.Tasks.RendezvousAwaitable`1.GetResult()
2019-10-21T19:59:02.7072055Z    at System.Net.Http.WinHttpHandler.StartRequest(WinHttpRequestState state)
2019-10-21T19:59:02.7072112Z    --- End of inner exception stack trace ---
2019-10-21T19:59:02.7074791Z    at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
2019-10-21T19:59:02.7074976Z    at Microsoft.VisualStudio.Services.Common.TaskCancellationExtensions.EnforceCancellation[TResult](Task`1 task, CancellationToken cancellationToken, Func`1 makeMessage, String file, String member, Int32 line)
2019-10-21T19:59:02.7075133Z    at Microsoft.VisualStudio.Services.BlobStore.WebApi.DedupStoreHttpClient.<>c__DisplayClass56_0.<<GetRedirectResponseAsync>b__0>d.MoveNext()
2019-10-21T19:59:02.7075213Z --- End of stack trace from previous location where exception was thrown ---
2019-10-21T19:59:02.7075312Z    at Microsoft.VisualStudio.Services.Content.Common.AsyncHttpRetryHelper`1.InvokeAsync(CancellationToken cancellationToken)

So is there any list of endpoints which are used for storing Azure Pipeline artifacts that can be added to our firewall policy, do we have to exclude *.blob.core.windows.net in general or is there any different approach?

Unfortunately the Microsoft docs only provide a list of URLs which are required for establishing a connection with Azure DevOps in general, but not with the artifacts store.


1 Answers


Is there any list of endpoints which are used for storing Azure Pipeline artifacts that can be added to our firewall policy.

Of course yes. We store these data in the corresponding region's Azure Data center.

Download the JSON file in this link; the file lists the IP address ranges of the different regions. But here is one important thing you need to pay attention to: for security, we update these IP address ranges regularly. (Also, we publish them to users regularly.)

If you choose this approach to achieve what you want, you need to download the JSON file regularly, then make the necessary updates in your access rules:

[!IMPORTANT] IP address ranges for Azure services can change, and updates are published weekly. Download the JSON file regularly, and make necessary updates in your access rules. If your scenario involves configuring network security group rules in an Azure virtual network to access Azure Container Registry, use the AzureContainerRegistry service tag instead.

See this doc: Allow access by IP address range.

But if you think this method is inconvenient for you and your team, another unique method is the one you are using now: allow access to all Azure blob storage accounts using the wildcard *.blob.core.windows.net.
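As an added example (not code from the question or the answer), here is a Python script that reads a Service Tags style JSON file, pulls the Storage prefixes for one region, checks whether a blob endpoint address is covered, and diffs two weekly downloads so only the changed prefixes need to be touched in the firewall. The embedded JSON and all prefixes are constructed sample values, and the field layout (`values[].name`, `properties.addressPrefixes`) is assumed to match the published file.

```python
import ipaddress
import json

# Constructed sample in the layout of the Azure IP Ranges and Service Tags
# JSON file. The prefixes are documentation ranges, not real Azure ranges.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "Storage.WestUS", "id": "Storage.WestUS",
         "properties": {"region": "westus", "systemService": "AzureStorage",
                        "addressPrefixes": ["203.0.113.0/24", "2001:db8:10::/48"]}},
        {"name": "Storage.EastUS", "id": "Storage.EastUS",
         "properties": {"region": "eastus", "systemService": "AzureStorage",
                        "addressPrefixes": ["198.51.100.0/25"]}},
        {"name": "AzureDevOps", "id": "AzureDevOps",
         "properties": {"region": "", "systemService": "AzureDevOps",
                        "addressPrefixes": ["192.0.2.0/26"]}},
    ],
})


def storage_prefixes(service_tags_json, region):
    """Return the addressPrefixes of the Storage.<region> tag (case-insensitive)."""
    data = json.loads(service_tags_json)
    wanted = f"Storage.{region}".lower()
    for tag in data["values"]:
        if tag["name"].lower() == wanted:
            return list(tag["properties"]["addressPrefixes"])
    raise KeyError(f"no Storage tag for region {region!r}")


def is_allowed(ip, prefixes):
    """True if the IPv4/IPv6 address lies inside one of the allow-listed prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def prefix_changes(old_prefixes, new_prefixes):
    """(to_add, to_remove) between last week's download and this week's."""
    old, new = set(old_prefixes), set(new_prefixes)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    current = storage_prefixes(SAMPLE_SERVICE_TAGS, "westus")
    print("allow:", current)
    print("203.0.113.77 allowed:", is_allowed("203.0.113.77", current))
    print("changes vs last week:", prefix_changes(["203.0.113.0/24"], current))
```

Point it at two real downloads of the JSON file and apply the returned add/remove lists to the firewall policy on each refresh.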