
To set up Azure DevOps agent firewall rules for secure networking, you need to define the firewall rules that allow the agent to communicate with the Azure DevOps server.
Firewall rules control incoming and outgoing network traffic based on predetermined security rules. In Azure DevOps, you configure these rules to allow or deny traffic to and from the agent.
To enable secure networking, you must allow traffic on specific ports, including port 443 for HTTPS and port 22 for SSH. These ports are used for communication between the agent and the Azure DevOps server.
Azure DevOps Agent Firewall Rules
To set up Azure DevOps agent firewall rules, you'll need to identify the possible IP ranges for your Microsoft-hosted agents. This involves several steps.
First, identify the region for your organization in Organization settings. Then, identify the Azure Geography for your organization's region. Next, map the names of the regions in your geography to the format used in the weekly file, such as AzureCloud.westus.
You can find the region names in the Azure Geography list or by reviewing the region names passed to the constructor of the regions defined in the source code for the Region class, from the Azure Management Libraries for .NET. Note that there is no API to list the regions for a geography, so you'll need to list them manually.
To retrieve the IP addresses for all regions in your geography, use the weekly file. If your region is Brazil South or West Europe, you'll also need to include additional IP ranges based on your fallback geography. For Brazil South, the capacity fallback geography is United States.
Here are the steps to identify the IP ranges for your Microsoft-hosted agents in a table format:
Remember to include additional IP ranges for Brazil South or West Europe, if applicable.
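As an added example, not from the original article or from Microsoft's tooling, the following Python script applies the steps above to a constructed sample in the shape of the weekly service-tag JSON: it maps each region of a hand-maintained geography list to its AzureCloud.<region> tag, appends the regions of the fallback geography, refuses to continue if a tag is missing (a silent miss would leave agents blocked), and validates every prefix before it is emitted. The geography map, the fallback map and all prefixes in the sample are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of the weekly ServiceTags_Public JSON; only the
# fields this script reads are present and the prefixes are documentation ranges,
# not real Azure addresses.
SAMPLE_WEEKLY_FILE = json.dumps({
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.brazilsouth",
         "properties": {"addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
        {"name": "AzureCloud.brazilsoutheast",
         "properties": {"addressPrefixes": ["198.51.100.0/25"]}},
        {"name": "AzureCloud.eastus",
         "properties": {"addressPrefixes": ["192.0.2.0/24", "198.51.100.128/25"]}},
        {"name": "Storage.eastus",  # another service's tag; must not be picked up
         "properties": {"addressPrefixes": ["192.0.2.0/25"]}},
    ],
})

# Hypothetical geography map, maintained by hand because no API lists the regions
# of a geography. Only the regions needed for the sample are listed.
GEOGRAPHY_REGIONS = {
    "Brazil": ["brazilsouth", "brazilsoutheast"],
    "United States": ["eastus"],
}
# Capacity fallback geography named in the text (Brazil South falls back to the US).
FALLBACK_GEOGRAPHY = {"Brazil": "United States"}


def agent_ip_ranges(weekly_json, geography, ipv4_only=False):
    """Sorted address prefixes of the AzureCloud.<region> tags for every region
    in `geography` plus the regions of its fallback geography, if it has one."""
    tags = {v["name"]: v["properties"]["addressPrefixes"]
            for v in json.loads(weekly_json)["values"]}
    regions = list(GEOGRAPHY_REGIONS[geography])
    fallback = FALLBACK_GEOGRAPHY.get(geography)
    if fallback:
        regions += GEOGRAPHY_REGIONS[fallback]
    prefixes = set()
    for region in regions:
        tag = f"AzureCloud.{region}"      # weekly-file naming, e.g. AzureCloud.westus
        if tag not in tags:               # fail loudly rather than ship a short allow-list
            raise KeyError(f"service tag {tag} not found in weekly file")
        for prefix in tags[tag]:
            net = ipaddress.ip_network(prefix)  # rejects malformed prefixes up front
            if ipv4_only and net.version != 4:
                continue
            prefixes.add(net)
    return [str(n) for n in sorted(prefixes, key=lambda n: (n.version, n))]
```

The returned list is what you would load into the firewall's allow-list; rerun it whenever a new weekly file is published, since the ranges change.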
Authentication Type
When registering an Azure DevOps agent, you'll need to choose an authentication type. The agent then prompts you for the additional information that type requires.
There are three main authentication types to choose from: Personal access token, Device code flow, and Service principal.
The Personal access token requires a token, which is used to authenticate the agent. You can obtain this token from the Azure DevOps portal.
Device code flow is another option, which generates a code that you can use to authenticate the agent. This code is usually displayed on a device, hence the name.
Service principal is a third option, which involves setting up a service principal in Azure Active Directory. This requires additional setup and configuration.
If you choose Alternate authentication, you'll be prompted for your Basic authentication credentials. This is a simpler option that requires only your username and password.
Here are the available authentication types in a quick reference list:
- Personal access token
- Device code flow
- Service principal
- Alternate (Basic authentication)