Currently, I am using Azure Virtual Machine Scale Set as self-hosted agents in Azure DevOps. I used this command to deploy and create the Scale Set:
az vmss create \
--name vmssagentspool \
--resource-group vmssagentsdemo \
--image Ubuntu2204 \
--vm-sku Standard_E2as_v5 \
--storage-sku StandardSSD_LRS \
--authentication-type SSH \
--generate-ssh-keys \
--instance-count 1 \
--disable-overprovision \
--upgrade-policy-mode manual \
--single-placement-group false \
--platform-fault-domain-count 1 \
--load-balancer "" \
--orchestration-mode Uniform \
--priority Spot \
--eviction-policy Delete \
--max-price 0.013
Seeing the details of the configuration of the instance running in the Scale Set tells me that I have only a private IP. In theory the machines that act as agents could not be attacked because they are in a private network, but the instances also have access to the internet, so I'm a little confused about the security of the instances. With this default configuration resulting from the above command, would it be sufficient for security? What if the CI/CD process is for a government, medical or banking entity?
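One defender-side check that bears on this question, as an added example that is not part of the original post: audit the NSG attached to the agent subnet for inbound exposure from the Internet and for unrestricted egress (an agent with a private IP is still reachable through any permissive inbound rule, and its open outbound access is what an attacker would use for exfiltration). The input shape and field names assume the JSON returned by `az network nsg rule list -o json`; the sample rules are constructed.

```python
"""Audit NSG rules (shape of `az network nsg rule list -o json`; field names
assumed from the CLI output: direction, access, priority, sourceAddressPrefix,
destinationAddressPrefix, destinationPortRange / destinationPortRanges)."""
from typing import Dict, List

# Source/destination prefixes that mean "anywhere on the public Internet".
INTERNET_PREFIXES = {"*", "Internet", "0.0.0.0/0", "::/0"}

def _port_hit(ranges: List[str], port: int) -> bool:
    """True if `port` falls inside any range ('*', '22', '20-30')."""
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _ranges(rule: Dict) -> List[str]:
    return rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]

def audit_nsg_rules(rules: List[Dict], admin_ports=(22, 3389)) -> List[str]:
    """One finding per Allow rule that weakens an agent subnet which should have
    no inbound exposure and only the egress the pipeline actually needs."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["access"] != "Allow":
            continue
        name, src = rule["name"], rule.get("sourceAddressPrefix", "*")
        dst = rule.get("destinationAddressPrefix", "*")
        if rule["direction"] == "Inbound" and src in INTERNET_PREFIXES:
            exposed = [p for p in admin_ports if _port_hit(_ranges(rule), p)]
            if exposed:
                findings.append(f"{name}: inbound from {src} to admin port(s) {exposed}")
            elif "*" in _ranges(rule):
                findings.append(f"{name}: inbound from {src} to all ports")
        elif rule["direction"] == "Outbound" and dst in INTERNET_PREFIXES and "*" in _ranges(rule):
            findings.append(f"{name}: unrestricted egress to {dst}; scope it to the "
                            "endpoints the agent needs (e.g. the AzureDevOps service tag)")
    return findings

# Constructed sample: Azure's built-in default rules plus one custom SSH rule.
SAMPLE_RULES = [
    {"name": "AllowSSHFromAnywhere", "priority": 100, "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "AllowInternetOutBound", "priority": 65001, "direction": "Outbound", "access": "Allow", "sourceAddressPrefix": "*", "destinationAddressPrefix": "Internet", "destinationPortRange": "*"},
]
```

Feed it the real output of `az network nsg rule list --include-default -o json` for the subnet's NSG; the default AllowInternetOutBound rule is reported precisely because a build agent rarely needs egress to everything.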