Hello Imran Bashir, thanks for reaching out on Microsoft Q&A!
Yes, you are right.
When using self-hosted Azure DevOps agents, the agents communicate outbound to Azure DevOps services. To ensure proper connectivity through firewalls or network security devices, you need to allow traffic to the Azure DevOps service IPs or domains.
- IP Addresses to Whitelist
Based on Microsoft’s documentation, the commonly used IP ranges for Azure DevOps services are:
13.107.6.0/24
13.107.9.0/24
13.107.42.0/24
13.107.43.0/24
150.171.22.0/24
150.171.23.0/24
150.171.73.0/24
150.171.74.0/24
150.171.75.0/24
150.171.76.0/24
These ranges cover the endpoints your self-hosted agents will connect to when pulling jobs, uploading artifacts, and reporting results.
Reference: Allowlist IP addresses and URLs for Azure DevOps
- Recommended Best Practices
  - Use Service Tags: Instead of hardcoding IPs, Microsoft recommends using the AzureDevOps service tag from the Azure Public IP JSON. This ensures your firewall rules automatically cover updated IPs. Download the JSON here: Allowlist IP addresses and URLs for Azure DevOps
  - Allow FQDNs (if supported): Firewalls that support DNS rules can allow:
    - *.dev.azure.com
    - *.visualstudio.com
  - Direction of Traffic:
    - Outbound from agents → Required. Agents initiate connections.
    - Inbound to agents → Usually not required unless exposing agents externally (not recommended).
References:
- Allowlist IP addresses and URLs for Azure DevOps
- Azure IP Ranges and Service Tags – Public Cloud JSON
I hope this helps! Please let us know if you have further questions. Thank you!
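To illustrate the service-tag approach recommended in the answer above, here is an added example (not part of the original answer and not Microsoft's code) that reads the `AzureDevOps` entry from a Service Tags JSON file and reports where a hardcoded firewall allowlist has drifted from it. The function names are hypothetical, and the sample JSON is constructed with RFC 5737/3849 documentation ranges in the `values[].properties.addressPrefixes` layout of the published file.

```python
import ipaddress
import json

# Constructed sample in the layout of the Azure "Service Tags - Public Cloud" JSON.
# Prefixes are documentation ranges, NOT real Azure DevOps addresses.
SAMPLE_SERVICE_TAGS = json.dumps({
    "cloud": "Public",
    "values": [
        {"name": "AzureDevOps", "id": "AzureDevOps", "properties": {
            "systemService": "AzureDevOps",
            "addressPrefixes": ["192.0.2.0/25", "198.51.100.0/24", "2001:db8:1::/48"]}},
        {"name": "Storage", "id": "Storage", "properties": {
            "systemService": "AzureStorage",
            "addressPrefixes": ["203.0.113.0/24"]}},
    ],
})


def tag_prefixes(service_tags_json, tag="AzureDevOps"):
    """Return the networks published under one service tag."""
    doc = json.loads(service_tags_json)
    for entry in doc.get("values", []):
        if entry.get("name") == tag:
            return [ipaddress.ip_network(p)
                    for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag!r} not found")


def allowlist_drift(configured, published):
    """Compare a firewall allowlist (CIDR strings) with published prefixes.

    missing: published prefixes that no rule fully covers (agent traffic blocked)
    stale:   rules that overlap no published prefix (wider than needed)
    """
    rules = [ipaddress.ip_network(c) for c in configured]
    missing = [str(p) for p in published
               if not any(p.version == r.version and p.subnet_of(r) for r in rules)]
    stale = [str(r) for r in rules
             if not any(r.version == p.version and r.overlaps(p) for p in published)]
    return {"missing": missing, "stale": stale}


if __name__ == "__main__":
    # Constructed firewall allowlist for the demonstration.
    firewall = ["192.0.2.0/24", "203.0.113.0/24"]
    print(allowlist_drift(firewall, tag_prefixes(SAMPLE_SERVICE_TAGS)))
```

Running a check like this on a schedule against the freshly downloaded file surfaces both blocked agent traffic and rules that can be retired.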