I am working on creating a function app to query all work items from an ADO project. Is there a way to limit the outbound calls from the function app to only the ADO API endpoint, maybe using outbound restrictions on a NAT Gateway? Can service tags be applied in this case?
https://dev.azure.com/<organization>/<project>/_apis/wit/wiql?api-version=6.1-preview.2
The Azure DevOps service tag here indicates it can be used for inbound calls, but I was wondering if it can be used for outbound calls too.
Also, can the ADO endpoint be called via the Azure backbone (private endpoints?) rather than the call being routed through the internet?
As shown in the doc: Available service tags
The Azure DevOps service tag doesn't support outbound connections.
Is there a way to limit the outbound calls from the function app to only the ADO API endpoint, maybe using outbound restrictions on a NAT Gateway?
To meet your requirement, you can add the following IP addresses to the firewall's outbound connections.
13.107.6.0/24
13.107.9.0/24
13.107.42.0/24
13.107.43.0/24
Then it will allow the Azure function to access Azure DevOps to get the work items list.
For more detailed info, you can refer to this doc: Azure DevOps Outbound connections
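An added example, not part of the original answer: a simplified Python model of a prioritized outbound allowlist built from the four ranges listed above plus a final deny-all rule, used to check which destination flows would pass. The rule model, the priorities, the restriction to port 443 and the sample flows are assumptions constructed for illustration; they are not Azure's own rule engine or API.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The four Azure DevOps ranges listed in the answer above.
ADO_RANGES = ["13.107.6.0/24", "13.107.9.0/24", "13.107.42.0/24", "13.107.43.0/24"]


@dataclass(frozen=True)
class Rule:
    priority: int          # lower number is evaluated first (assumed model)
    prefix: str            # destination CIDR
    port: Optional[int]    # None matches any destination port
    allow: bool


def build_rules(ranges=ADO_RANGES, https_port=443):
    """Allow HTTPS to each listed range, then deny every other destination."""
    rules = [Rule(100 + i, cidr, https_port, True) for i, cidr in enumerate(ranges)]
    rules.append(Rule(4096, "0.0.0.0/0", None, False))  # explicit catch-all deny
    return rules


def evaluate(rules, dest_ip, dest_port):
    """Return True if the first matching rule (by priority) allows the flow."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if ip in ipaddress.ip_network(rule.prefix) and rule.port in (None, dest_port):
            return rule.allow
    return False  # default deny when nothing matches


def audit(rules, flows):
    """Return the (ip, port) flows that the rule set would block."""
    return [(ip, port) for ip, port in flows if not evaluate(rules, ip, port)]


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    ("13.107.6.183", 443),   # inside 13.107.6.0/24, HTTPS
    ("13.107.42.20", 443),   # inside 13.107.42.0/24, HTTPS
    ("13.107.6.183", 80),    # listed range, but plain HTTP
    ("13.107.7.5", 443),     # neighbouring /24 that is not in the list
    ("93.184.216.34", 443),  # unrelated internet host
]

if __name__ == "__main__":
    for ip, port in audit(build_rules(), SAMPLE_FLOWS):
        print(f"blocked: {ip}:{port}")
```

Running the audit against a proposed rule set before deploying it shows whether a range was entered too broadly (for example a /16 instead of the four /24s) or whether the catch-all deny is missing.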