Sporadic Issues with Azure DevOps Agent Accessing Azure Storage Account Despite IP Whitelisting

Question

I am writing to seek assistance with an issue we have been experiencing with our Azure DevOps agent (Microsoft-hosted) accessing our Azure Storage account.

Despite adding the IP address of the Azure DevOps agent to the network rules of the storage account, we are encountering sporadic connectivity issues. This problem persists even though the IP address of the agent is correctly listed in the network rules, and the IP address does not change before and after the attempts to access the storage account.

Here is a brief summary of the steps we have taken:

1. Identified the IP address of the Azure DevOps agent.
2. Added this IP address to the network rules of the Azure Storage account to allow access.
3. Verified that the IP address remains the same before and after the access attempts.

However, despite these measures, the agent's ability to access the storage account remains inconsistent. There are periods when the access is successful, but more often than not, the attempts fail.

Even after waiting several minutes, the connection issue persists.

Additionally, I would like to note that this issue seems to be isolated to the storage account. The Azure DevOps agent has no trouble accessing many other resources under similar network rule configurations. We have also attempted to resolve the issue by removing and re-adding the IP address in the network rules, but this has not yielded any success.

We would appreciate your guidance on resolving this issue. Please let us know if there are additional configurations or steps we should consider to ensure reliable access for our Azure DevOps agent.

Thank you for your support.

Best regards,

Michael

Answer 1

Hi Schneider, Michael - Thanks for reaching out.

I would recommend starting by enabling the logging and reviewing what are the IP's hitting the storage in case of success versus failure calls. This shall give us a clear isolation if the IP failing is part of whitelisting or not.

https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal

It is recommended to whitelist the entire Range instead of only the current storage IP and you can try that as well of not already.

https://www.microsoft.com/en-us/download/details.aspx?id=56519

In case you have followed the above and still there are failure such as call failing with whitelisted IP or after whitelisting the range, this might need to be reviewed from backend via a support ticket.

Hope that helps!

Please let me know if there are any further queries/concerns, will be glad to assist.

---

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

@Schneider, Michael Welcome to Microsoft Q&A Forum, Thank you for posting your query here!
I'd recommend posting your question in https://techcommunity.microsoft.com/t5/azure/bd-p/Azure This forum is the best place to get specialized help quickly since your issue is related to DevOps agents. You'll find a community of experts and fellow users who can provide insights and solutions to your problem based on your scenario.

Additional information: To check for any outages in Azure, you can use the Azure Service Health in the Azure portal, which provides a personalized experience with information on outages, planned maintenance, and service advisories. It's updated in real-time as the health of Azure services changes. You can also view the Azure status page for a global view of the health of Azure services and regions

Please let us know if you have any further queries. I’m happy to assist you further.    

---

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.