0
votes

I have a VM on Azure that runs SQL Server and I want to update my databases in a build pipeline of Azure DevOps. But the SQL Server port is allowed for just some IPs and I don't want to expose it to everyone... Is it possible to update the allowed IPs in the build?

I found this link that could help to get the IPs of the hosted agents: https://docs.microsoft.com/pt-br/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#agent-ip-range

Microsoft updates a JSON file every week with the pipeline host IPs, but the JSON lists services and their IPs, and I don't know the name of the service whose IPs I should get. I didn't find anything like "devops" or "pipeline".

Besides that, would it be possible to auto-update the allowed IPs in the build pipeline? I found this post: https://blog.simontimms.com/2020/01/10/2020-01-10-Allow-hosted-agents-through-firewall/ but I don't know how to edit my pipeline to do that.

Thank you

2
Hi @rafitas. Is there any update about this ticket? Feel free to let me know if the answers could give you some help. Just a reminder of this. Kevin Lu-MSFT

2 Answers

0
votes

To confirm the IP address of the Microsoft-hosted agent in the JSON file, you need to check the region of the organization.

You could navigate to Organization Settings -> Overview and check the region of the organization.

Then you could search for AzureCloud.<region> in the JSON file to get the IP address prefixes.


To run the blog's script, you could add the Azure PowerShell task in the pipeline.


By the way, you need to create an Azure service connection before using this task.

In addition, you may encounter this issue.

##[error]No MSFT_NetFirewallRule objects found with property 'DisplayName' equal to ' Remote Event Monitor'. Verify the value of the property and retry.

The cause of this issue is that a firewall rule with this name does not exist.

You need to use New-NetFirewallRule script to create a new firewall with the target name.

For example:

New-NetFirewallRule -DisplayName "Test" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow

Then you could set the firewall rule with the Set-NetFirewallRule script.

0
votes

I'm on my phone so I can't test this, but you can probably find the public IP of the hosted agent you are on in a task using a command like 'nslookup myip.opendns.com. resolver1.opendns.com' and then add it to your NSG and then remove it when you are done.

Tested from cloud shell in the Azure app https://imgur.com/a/lau2ZDs
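
The add-then-remove approach described in the answer above, as an added example for an Azure PowerShell task (not code from either answer or from the linked blog post). It opens the NSG to the agent's single address only and removes the rule in a finally block, so a failed update does not leave the port open. The resource group, NSG and rule names, the priority, port 1433 and a Windows agent (for Resolve-DnsName) are assumptions.

```powershell
# Added example: all names and numbers in param() are placeholders, not values from the question.
param(
    [string]$ResourceGroup = 'rg-sql-example',    # hypothetical resource group
    [string]$NsgName       = 'nsg-sql-example',   # hypothetical NSG attached to the SQL VM
    [string]$RuleName      = 'tmp-devops-agent',  # hypothetical temporary rule name
    [int]$Priority         = 4000,                # assumed to be an unused priority in this NSG
    [int]$SqlPort          = 1433                 # SQL Server default port; change if yours differs
)
$ErrorActionPreference = 'Stop'

# Same lookup as the nslookup command in the answer (Resolve-DnsName needs a Windows agent).
$agentIp = (Resolve-DnsName -Name 'myip.opendns.com' -Server 'resolver1.opendns.com' -Type A |
    Select-Object -First 1).IPAddress

# Accept only a single IPv4 address, so a bad lookup result can never widen the rule.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($agentIp, [ref]$parsed) -or
    $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
    throw "Unexpected public IP lookup result: '$agentIp'"
}

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName
try {
    # Allow only this agent (/32) to reach the SQL port.
    $nsg | Add-AzNetworkSecurityRuleConfig -Name $RuleName -Access Allow -Protocol Tcp `
        -Direction Inbound -Priority $Priority `
        -SourceAddressPrefix "$agentIp/32" -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $SqlPort |
        Set-AzNetworkSecurityGroup | Out-Null

    # ... run the database update step here ...
}
finally {
    # Always remove the temporary rule, even when the update above fails.
    $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName
    if ($nsg.SecurityRules.Name -contains $RuleName) {
        $nsg | Remove-AzNetworkSecurityRuleConfig -Name $RuleName |
            Set-AzNetworkSecurityGroup | Out-Null
    }
}
```

If the update runs in a separate pipeline step, the removal has to move to a later step that is configured to run even when earlier steps fail.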