Tags: azure, azure-devops, azure-nsg

How can I help Azure Network Security Group rules recognize Service Tags for Azure DevOps


I am attempting to set up inbound Network Security Group rules to permit controlled access from Azure DevOps Pipelines to a public Azure vnet, which interfaces with a private Azure vnet containing Azure Container Instances running SonarQube. I've crafted this according to the Azure documents here.

The NSG rule for the inbound traffic from Azure DevOps is leveraging Service Tags, specifically the ‘AzureDevOps’ service tag. My ARM template currently contains these two NSG rules:

{
    "name": "inbound-devops-rule",
    "properties": {
        "description": "Inbound Azure DevOps",
        "protocol": "*",
        "sourcePortRange": "*",
        "destinationPortRange": "*",
        "sourceAddressPrefix": "AzureDevOps",
        "destinationAddressPrefix": "*",
        "access": "Allow",
        "priority": 100,
        "direction": "Inbound"
    }
},
{
    "name": "InboundRequiredGatewayPorts",
    "properties": {
        "description": "Inbound AZ admin",
        "protocol": "TCP",
        "sourcePortRange": "*",
        "destinationPortRange": "65200-65535",
        "sourceAddressPrefix": "GatewayManager",
        "destinationAddressPrefix": "*",
        "access": "Allow",
        "priority": 115,
        "direction": "Inbound"
    }
},

Currently, this does not permit traffic through the NSG rules and into the vnets. The only thing I’ve been able to do to resolve this in my testing has been to create a fully open rule allowing all traffic from all sources in my NSG…obviously not an ideal scenario from a security perspective. I have combed through the documents and attempted dozens of different configurations up to this point, and nothing but open/unprotected NSG configuration has allowed Azure DevOps traffic.

The simple error I am currently getting when attempting to connect to my containerized Azure Sonarqube resources from the Azure DevOps pipelines is:

2022-12-02T19:46:46.7098999Z ##[section]Starting: SonarQubePrepare
2022-12-02T19:46:46.7231846Z ==============================================================================
2022-12-02T19:46:46.7232191Z Task         : Prepare Analysis Configuration
2022-12-02T19:46:46.7232466Z Description  : Prepare SonarQube analysis configuration
2022-12-02T19:46:46.7232684Z Version      : 5.8.0
2022-12-02T19:46:46.7232868Z Author       : sonarsource
2022-12-02T19:46:46.7233232Z Help         : Version: 5.8.0. [More Information](http://redirect.sonarsource.com/doc/install-configure-scanner-tfs-ts.html)
2022-12-02T19:46:46.7233633Z ==============================================================================
2022-12-02T19:47:08.4683602Z ##[error][SQ] API GET '/api/server/version' failed, error was: {"errno":"ETIMEDOUT","code":"ETIMEDOUT","syscall":"connect","address":"<REDACTED>","port":80}
2022-12-02T19:47:08.4811763Z ##[section]Finishing: SonarQubePrepare

Based on the rule sample above, is this properly configured to allow traffic from Azure DevOps using Service Tags? Can any additional guidance be provided for setting up NSG rules to allow traffic from my Azure DevOps pipelines to Azure containerized resources?


Solution

  • Azure DevOps Microsoft-hosted agents use the service tag AzureCloud.<region> instead of AzureDevOps, as addressed here: doc

    First, check your DevOps organization's region in the DevOps UI.

    Then check the region in this Azure Geography.

    Pay attention to this: "To obtain the complete list of possible IP ranges for your agent, you must use the IP ranges from all of the regions that are contained in your geography."

    For your reference: if your DevOps organization is located in the UK, you must add the service tags for both AzureCloud.uksouth and AzureCloud.ukwest to the NSG inbound security rules to ensure the Microsoft-hosted agents have access to the Azure resources.
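A worked example of the answer's advice, added here and not code from the question or the answer: it generates one ARM `securityRules` entry per region of the organization's geography, using the `AzureCloud.<region>` service tag, and runs a small sanity check that flags the problems in the original rule (the `AzureDevOps` tag, wildcard protocol and port, and a priority collision with the generated rules). The geography-to-region map, the rule names, the priority spacing and the destination port are assumptions; the UK pair comes from the answer, and port 80 matches the port in the question's log.

```python
"""Build and sanity-check NSG inbound rules for Microsoft-hosted Azure DevOps
agents.  Added example, not code from the question or the answer.  It follows
the answer's advice: one rule per region of the organisation's geography with
the AzureCloud.<region> service tag instead of the AzureDevOps tag.
Region lists, rule names, priorities and the destination port are assumptions."""
import json

# Illustrative geography -> region mapping (assumption; the UK pair is the one
# the answer gives, the authoritative list is the Azure Geography page).
GEOGRAPHY_REGIONS = {
    "United Kingdom": ["uksouth", "ukwest"],
    "Europe": ["westeurope", "northeurope"],
}

# The rule from the question, kept as the "before" for comparison.
ORIGINAL_RULE = {
    "name": "inbound-devops-rule",
    "properties": {
        "description": "Inbound Azure DevOps",
        "protocol": "*",
        "sourcePortRange": "*",
        "destinationPortRange": "*",
        "sourceAddressPrefix": "AzureDevOps",
        "destinationAddressPrefix": "*",
        "access": "Allow",
        "priority": 100,
        "direction": "Inbound",
    },
}


def devops_agent_rule(region: str, dest_port: int, priority: int) -> dict:
    """One ARM securityRules entry admitting hosted agents from a single region.
    Protocol and destination port are narrowed to the service being reached
    instead of '*', so only that listener is exposed to the agent pool."""
    return {
        "name": f"inbound-devops-agents-{region}",  # assumed naming scheme
        "properties": {
            "description": f"Inbound from Microsoft-hosted agents in {region}",
            "protocol": "Tcp",
            "sourcePortRange": "*",
            "destinationPortRange": str(dest_port),
            "sourceAddressPrefix": f"AzureCloud.{region}",
            "destinationAddressPrefix": "*",
            "access": "Allow",
            "priority": priority,
            "direction": "Inbound",
        },
    }


def rules_for_geography(geography: str, dest_port: int, start_priority: int = 100) -> list:
    """Rules for every region in the geography (the answer's 'all regions in
    your geography' point).  Priorities are spaced by 10 so later rules can be
    slotted between them without renumbering."""
    regions = GEOGRAPHY_REGIONS[geography]
    return [devops_agent_rule(r, dest_port, start_priority + 10 * i)
            for i, r in enumerate(regions)]


def check_rules(rules: list) -> list:
    """Return human-readable findings for a securityRules array: NSG priority
    range (100-4096) and uniqueness, wide-open inbound allows, and use of the
    AzureDevOps tag, which the answer says does not cover hosted agents."""
    findings = []
    seen = {}
    for rule in rules:
        name, p = rule["name"], rule["properties"]
        prio = p["priority"]
        if not 100 <= prio <= 4096:
            findings.append(f"{name}: priority {prio} outside 100-4096")
        if prio in seen:
            findings.append(f"{name}: priority {prio} already used by {seen[prio]}")
        seen.setdefault(prio, name)
        if p["direction"] == "Inbound" and p["access"] == "Allow":
            src = p["sourceAddressPrefix"]
            if src in ("*", "Internet"):
                findings.append(f"{name}: allows inbound from any source")
            if src == "AzureDevOps":
                findings.append(f"{name}: AzureDevOps tag does not cover "
                                "Microsoft-hosted agents; use AzureCloud.<region>")
            if p["protocol"] == "*" or p["destinationPortRange"] == "*":
                findings.append(f"{name}: allows every protocol/port; "
                                "restrict to the service port")
    return findings


def render(rules: list) -> str:
    """JSON text ready to paste into the NSG's securityRules array."""
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    uk = rules_for_geography("United Kingdom", dest_port=80)  # port from the log
    print(render(uk))
    for finding in check_rules([ORIGINAL_RULE] + uk):
        print("finding:", finding)
```

Running the script prints the two UK rules and then the findings for the original rule, including the priority clash with the generated `uksouth` rule at 100; pick a different `start_priority` or drop the original rule before deploying.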