
Accessing a private storage account from Azure DevOps Hosted Agents


I'm trying to access an Azure Blob Storage account to write some files from my pipelines running on an Azure DevOps hosted agent. We can't yet use the Azure DevOps service tag with Azure DevOps hosted agents.

And I was wondering if there is a smart solution to access my blob storage from my hosted agents without opening it to the whole internet.

Thank you in advance guys


Solution

  • Based on your requirements, you need to access a private storage account from a Microsoft-hosted agent.

    As far as I know, service tags are not currently supported by Azure Storage accounts when setting the firewall.

    To meet your requirements, you can use a script to get the current Microsoft-hosted agent's IP and add it to the Azure Storage account firewall whitelist with Azure CLI or Azure PowerShell.

    For example:

    steps:
    # Allow the agent's current public IP through the storage firewall.
    - task: AzurePowerShell@5
      displayName: 'Azure PowerShell script: Set Rule'
      inputs:
        azureSubscription: kevin0215
        ScriptType: InlineScript
        Inline: |
          # Look up the agent's public IP over HTTPS so the reply cannot be altered in transit.
          $IP = Invoke-RestMethod https://ipinfo.io/json | Select-Object -ExpandProperty ip
          $IP
          Add-AzStorageAccountNetworkRule -ResourceGroupName "ResourceGroup" -AccountName "kevin0204" -IPAddressOrRange "$IP"
        preferredAzurePowerShellVersion: '3.1.0'

    # Upload while the rule is in place.
    - task: AzureFileCopy@4
      displayName: 'AzureBlob File Copy'
      inputs:
        SourcePath: test
        azureSubscription: kevin0322
        Destination: AzureBlob
        storage: test
        ContainerName: 1

    # Remove the rule again; always() runs this step even if the copy failed,
    # so the temporary rule is not left behind.
    - task: AzurePowerShell@5
      displayName: 'Azure PowerShell script: Remove Rule'
      condition: always()
      inputs:
        azureSubscription: kevin0215
        ScriptType: InlineScript
        Inline: |
          $IP = Invoke-RestMethod https://ipinfo.io/json | Select-Object -ExpandProperty ip
          $IP
          Remove-AzStorageAccountNetworkRule -ResourceGroupName "ResourceGroup" -AccountName "kevin0204" -IPAddressOrRange "$IP"
        preferredAzurePowerShellVersion: '3.1.0'


    Explanation:

    You can add the IP to the firewall whitelist before uploading the file. After uploading, you can delete this IP.

    Note: Azure Storage accounts currently have a known limitation. Refer to this doc: Limitations of Azure Storage Account IP network rules.

    When your Azure DevOps Services organization and Azure Storage account are in the same region, they will be accessed through private IP. This can cause intermittent access issues.
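
The add, upload and remove sequence from the answer above, combined into one inline script that checks the looked-up address before allow-listing it and removes the rule in a `finally` block. This is an added example, not code from the original post: the container name, file path, 30-second wait and the use of `-UseConnectedAccount` (which needs a blob data role on the service connection's identity) are assumptions.

```powershell
# Added example: runs as one inline script in an AzurePowerShell task.
$ResourceGroup = 'ResourceGroup'    # names taken from the answer's snippet
$AccountName   = 'kevin0204'
$Container     = 'uploads'          # hypothetical container name
$File          = 'test/report.txt'  # hypothetical file to upload

function Test-PublicIPv4 {
    param([string]$Candidate)
    # Strict dotted quad only, so "1" or a hostname is never accepted.
    if ($Candidate -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Candidate, [ref]$addr)) { return $false }
    $b = $addr.GetAddressBytes()
    # Reject ranges that cannot be a public source address
    # (private, loopback, link-local, CGNAT).
    if ($b[0] -in 0, 10, 127)                               { return $false }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31)  { return $false }
    if ($b[0] -eq 192 -and $b[1] -eq 168)                   { return $false }
    if ($b[0] -eq 169 -and $b[1] -eq 254)                   { return $false }
    if ($b[0] -eq 100 -and $b[1] -ge 64 -and $b[1] -le 127) { return $false }
    return $true
}

$ip = (Invoke-RestMethod -Uri 'https://ipinfo.io/json' -TimeoutSec 15).ip
if (-not (Test-PublicIPv4 $ip)) {
    throw "Refusing to allow-list unexpected value '$ip'"
}

$ruleAdded = $false
try {
    Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroup -AccountName $AccountName `
        -IPAddressOrRange $ip -ErrorAction Stop | Out-Null
    $ruleAdded = $true
    Start-Sleep -Seconds 30   # assumed propagation delay; tune for your environment

    # Assumes the service connection's identity has a blob data role on the account.
    $ctx = New-AzStorageContext -StorageAccountName $AccountName -UseConnectedAccount
    Set-AzStorageBlobContent -File $File -Container $Container -Context $ctx -Force -ErrorAction Stop | Out-Null
}
finally {
    # Always remove the temporary rule, even when the upload throws.
    if ($ruleAdded) {
        Remove-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroup -AccountName $AccountName `
            -IPAddressOrRange $ip -ErrorAction Stop | Out-Null
    }
}
```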