Security
Dev tunnels is a security-focused developer tunneling service. In this article, learn about how dev tunnels are secured.
Overview
By default, hosting and connecting to a tunnel requires authentication with the same Microsoft, Microsoft Entra ID, or GitHub account that created the tunnel. Tunneling requires outbound connections to be made to the service hosted in Azure. No inbound connections are required to use the service.
Domains
Access to dev tunnels can be controlled by allowing or denying outbound access to the following domains:
Authentication
github.comlogin.microsoftonline.com
Dev Tunnels
global.rel.tunnels.api.visualstudio.com[clusterId].rel.tunnels.api.visualstudio.com[clusterId]-data.rel.tunnels.api.visualstudio.com*.[clusterId].devtunnels.ms*.devtunnels.ms
The list of current [clusterId] values is available at https://global.rel.tunnels.api.visualstudio.com/api/v1/clusters.
Web-forwarding
Tunnel ports using the HTTP(S)/WS(S) protocols can be accessed directly via the provided web-forwarding url (for example: https://tunnelid-3000.devtunnels.ms).
- Insecure client connections are always automatically upgraded to HTTPS/WSS.
- HTTP Strict Transport Security (HSTS) is enabled with a one year max-age.
- The minimum TLS version the service supports is 1.2, with TLS 1.3 being the preferred version.
- TLS termination is done at service ingress using service certificates, issued by a Microsoft CA.
- After TLS termination, header rewriting takes place. This is required for many web application development scenarios.
Anti-phishing protection
When connecting to a web-forwarding url for the first time, users are presented with an interstitial anti-phishing page. The page is skipped under the following circumstances:
- The request uses a method other than
GET - The request
Acceptheader doesn't containtext/html - The request contains the
X-Tunnel-Skip-AntiPhishing-Pageheader - The request contains the
X-Tunnel-Authorizationheader - The user has already visited the page and clicked continue
Tunnel access
By default, tunnels and tunnel ports are private and only accessible to the user who created the tunnel.
If a tunnel or tunnel port does need to be accessed without authentication, an allow-anonymous Access control entry (ACE) can be added (use --allow-anonymous).
Tunnel access can also be extended to your current Microsoft Entra tenant (use --tenant) or specific GitHub organizations (use --organization); for the latter see GitHub Organization Access below.
The CLI can also be used to request access tokens that grant limited access to anyone holding the token (use devtunnel token). This is an advanced feature but can be useful in specific situations.
Currently, four types of tunnel access tokens are available:
- A "client access token" allows the bearer to connect to any ports of the tunnel.
- A "host access token" allows the bearer to host the tunnel and accept connections, but not make any other changes to it.
- A "manage ports access token" allows the bearer to add and delete ports on a tunnel.
- A "management access token" allows the bearer to perform any operations on that tunnel, including setting access controls, hosting, connecting, and deleting the tunnel.
All of the tokens are limited to the current tunnel; they don't grant access to any of the current user's other tunnels, if any. The tokens expire after some time (currently 24 hours). Tokens can only be refreshed using an actual user identity that has manage-scope access to the tunnel (not just a management access token).
Most CLI commands can accept a --access-token argument with an appropriate token as an alternative to logging in.
Web clients can pass a token in a header to authorize requests to a tunnel URI:
X-Tunnel-Authorization: tunnel <TOKEN>
Tip
This is useful for non-interactive clients as it allows them to access tunnels without requiring anonymous access to be enabled. We use the X-Tunnel-Authorization header instead of the standard Authorization header to prevent potentially interfering with application-specific authorization.
See the Manage dev tunnel access section to learn more about how to manage tunnel access through the CLI.
GitHub Organization Access
To support tunnels granting access to all members of a GitHub organization, install the Dev Tunnels GitHub app in the organization. That gives the Dev Tunnels service permission to check users' membership status in that organization. (Dev Tunnels does not require repo permissions to the org.) You may need to be an admin in the GitHub organization to perform this operation.
Further questions
If after reviewing this page, you have further questions, see Feedback and support.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for