Connection issue when accessing devops URL

tarun k 635 Reputation points
2025-06-16T05:22:54.55+00:00

dev.azure.com is not being called from AKS agent

How do we whitelist dev.azure.com to be accessible from the AKS agent?

Azure DevOps

Answer accepted by question author

Durga Reshma Malthi 11,600 Reputation points Microsoft External Staff Moderator
2025-06-16T07:58:09.2+00:00

Hi tarun k

To allow your AKS agent to access dev.azure.com, you’ll need to configure outbound network access by whitelisting the required IP ranges and domain URLs used by Azure DevOps.

Please follow the below steps to resolve this issue:

  1. Determine if your AKS cluster is Public or Private.
  2. Azure DevOps requires access to specific domains and IPs. You must allow outbound access to:
    Domains:
    • dev.azure.com
    • *.visualstudio.com
    • *.vsassets.io
    • *.vssps.visualstudio.com
    IP Ranges (IPv4):
       13.107.6.0/24
       13.107.9.0/24
       13.107.42.0/24
       13.107.43.0/24
       150.171.22.0/24
       150.171.23.0/24
       150.171.73.0/24
       150.171.74.0/24
       150.171.75.0/24
       150.171.76.0/24
    
    You can find the latest list on: Allowed IP addresses and domain URLs
  3. If your AKS nodes are in a subnet with an NSG then go to Azure Portal -> Network Security Groups -> Select the NSG attached to your AKS subnet. Add Outbound Security Rules:
    • Destination: IP ranges listed above
    • Port: 443
    • Protocol: TCP
    • Action: Allow
    • Priority: Lower than any deny rule
  4. Update User Defined Routes (UDR) if Present.
  5. Ensure your AKS nodes can resolve dev.azure.com. If using custom DNS, add conditional forwarders or rules to resolve Azure DevOps domains and test with: nslookup dev.azure.com inside the pod.
  6. Deploy a test pod and run:
       kubectl run curlpod --image=busybox -it --restart=Never -- sh
       # Inside the pod
       wget https://dev.azure.com
    

Hope this helps!

Please let me know if you have any queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation. Thank You.

2 additional answers

  1. Durga Reshma Malthi 11,600 Reputation points Microsoft External Staff Moderator
    2025-06-17T06:34:35.6+00:00

    Hi tarun k

    Since you're using a private AKS cluster, the setup requires a few extra steps to ensure your agents can reach dev.azure.com, which is a public endpoint.

    1. Ensure your AKS subnet routes outbound traffic through a NAT Gateway or Azure Firewall that has internet access.
      NAT Gateway:
      • Create NAT Gateway in Azure Portal -> Set name, region, and associate the Public IP or IP Prefix, set idle timeout (e.g., 10 minutes) -> Click Review + Create.
      • Now go to Virtual Networks -> Select your VNet -> Subnets -> Click on the subnet used by AKS -> Under NAT Gateway, select the one you just created -> Save.
      • Deploy a test pod and run curl ifconfig.me to confirm outbound IP.
      Azure Firewall:
      • Create a Subnet for Azure Firewall -> Go to your Virtual Network -> Subnets -> + Subnet -> Name it AzureFirewallSubnet (must be exact) -> Use a unique address range (e.g., 10.0.2.0/24).
      • Now go to Azure Firewall -> Create -> Set name, region, and select the VNet and AzureFirewallSubnet -> Assign a Public IP -> Click Review + Create -> Once created, copy the private IP of the Azure Firewall.
      • Go to Route Table -> Create -> Set name and region -> Click Create.
      • Under the Route Table -> Routes -> + Add -> Name: defaultRoute, Address prefix: 0.0.0.0/0, Next hop type: Virtual appliance, Next hop IP: paste the private IP of Azure Firewall.
      • Associate Route Table with AKS Subnet by navigating to your Virtual Network -> Subnet -> Select aks-subnet. Under Route Table, select the one you created -> Save.
      • Go back to Azure Firewall -> Rules -> Add Application Rule Collection. Allow access to:
        • dev.azure.com
        • *.visualstudio.com
        • *.vsassets.io
        • *.vssps.visualstudio.com
        Use port 443 and protocol HTTPS.
    2. If you prefer NAT Gateway, then go to Azure Portal -> Network Security Groups -> Select the NSG attached to your AKS subnet. Add Outbound Security Rules:
      • Destination: IP ranges listed above
      • Port: 443
      • Protocol: TCP
      • Action: Allow
      • Priority: Lower than any deny rule
    3. If you're using Azure Private DNS -> Go to your DNS server (e.g., Windows DNS) -> Add a Conditional Forwarder:
      • Domain: azure.com
      • Forward to: 168.63.129.16 (Azure DNS)
      If you're using custom DNS: In your VNet DNS settings, set custom DNS to 168.63.129.16.
    4. Deploy a test pod and run:
         kubectl run curlpod --image=busybox -it --restart=Never -- sh
         # Inside the pod
         wget https://dev.azure.com
         nslookup dev.azure.com
      

    Hope this helps!

    Please let me know if you have any queries.

    If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation. Thank You.
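
A follow-up to the test-pod step that closes both answers, added here as an example and not part of either answer: a POSIX sh script that reports whether an address returned by nslookup dev.azure.com falls inside the IPv4 ranges listed in the accepted answer, which are the destinations the NSG outbound rule allows. The function names and the script name check-ranges.sh are made up for this example; the ranges are copied from the answer.

```shell
#!/bin/sh
# Added example (IPv4 only). Ranges copied from the accepted answer; refresh
# them from "Allowed IP addresses and domain URLs" before relying on them.
ALLOWED_CIDRS="13.107.6.0/24 13.107.9.0/24 13.107.42.0/24 13.107.43.0/24
150.171.22.0/24 150.171.23.0/24 150.171.73.0/24 150.171.74.0/24
150.171.75.0/24 150.171.76.0/24"

# ip_to_int A.B.C.D: print the address as an integer; fail on malformed input.
ip_to_int() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$4
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac   # no leading zeros
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP NET/BITS: exit 0 if inside, 1 if outside, 2 if malformed.
ip_in_cidr() {
    addr=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    bits=${2#*/}
    case "$bits" in ""|*[!0-9]*|0?*|???*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    [ "$bits" -eq 0 ] && return 0
    # The address is inside when the bits above the host part are identical.
    [ $(( (addr ^ net) >> (32 - bits) )) -eq 0 ]
}

# allowed_range IP: print the first listed range containing IP, else fail.
allowed_range() {
    for cidr in $ALLOWED_CIDRS; do
        if ip_in_cidr "$1" "$cidr"; then echo "$cidr"; return 0; fi
    done
    return 1
}

# Usage in the test pod: sh check-ranges.sh <addresses printed by nslookup>
for ip in "$@"; do
    if range=$(allowed_range "$ip"); then
        echo "$ip: covered by $range"
    else
        echo "$ip: not in the listed ranges, the NSG allow rule will not match"
    fi
done
```

An address reported as not covered means the IP-based NSG rule needs the current ranges from the linked list; it does not affect the FQDN-based Azure Firewall application rule.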


  2. tarun k 635 Reputation points
    2025-06-16T10:02:46.77+00:00

    It is a private AKS cluster agent
