Share via

How are the service tags for the Ubuntu agent in Azure Pipelines configured, and what service tags are available?

王艳芳 20 Reputation points
2026-03-03T02:31:15.93+00:00

How are the service tags for the Ubuntu agent in Azure Pipelines configured, and what service tags are available?
Is there this tag below?

service tag: AzureCloud AzureDevops

Will the name of the tag vary based on different Azure DevOps regions? For example: AzureCloud.southeastasia.

Azure DevOps
0 comments

Answer accepted by question author

  1. Q&A Assist
    2026-03-03T02:31:26.8666667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Microsoft-hosted Ubuntu agents in Azure Pipelines can't be granted access by using Azure service tags. They must be allowed by IP ranges instead.

    From the networking guidance for Microsoft-hosted agents:

    • Microsoft-hosted agents can't be listed by service tags.
    • To grant them access to resources (for example, through firewalls/NSGs), the IP range allow-listing method must be used.

    Therefore:

    1. There is no dedicated service tag for the Ubuntu (or any Microsoft-hosted) Azure Pipelines agents.
    2. Service tags such as AzureCloud and AzureDevOps exist as general Azure service tags, but they don't represent Microsoft-hosted build agents and can't be used to identify or allow those agents.
    3. Because service tags can't be used for Microsoft-hosted agents, regional variants like AzureCloud.southeastasia are not applicable for this purpose. Instead, the weekly Azure IP range files and/or other documented IP sources must be used.

    References:

    Was this answer helpful?

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Siddhesh Desai 7,055 Reputation points Microsoft External Staff Moderator
    2026-03-03T02:43:43.0633333+00:00

    Hi @王艳芳

    Thank you for reaching out to Microsoft Q&A.

    Microsoft-hosted Ubuntu agents in Azure Pipelines do not support Azure Service Tags for network access control. This is because Microsoft-hosted agents are ephemeral, dynamically created for each pipeline run, and their outbound IP addresses can change frequently. As a result, Azure cannot reliably associate these agents with a fixed service tag such as AzureCloud or AzureDevOps. Although service tags like AzureDevOps and AzureCloud do exist, they are intended for Azure DevOps service endpoints or broad Azure platform services and explicitly do not represent Microsoft-hosted build agents. Additionally, regional service tag variants (for example, AzureCloud.southeastasia) are not applicable to Azure Pipelines hosted agents. This limitation is by design and applies across all Azure DevOps regions.

    Refer below points to resolve this issue or as a workaround

    Use IP allow-listing for Microsoft-hosted agents

    Microsoft-hosted agents must be allowed through firewalls or NSGs by using the Azure IP Ranges and Service Tags (Public Cloud) JSON file published by Microsoft. This file is updated weekly and contains the IP ranges required for Azure DevOps hosted agents. Service tags cannot be used for this purpose.

    Do not use AzureDevOps or AzureCloud service tags for hosted agents

    While the AzureDevOps and AzureCloud service tags are valid Azure service tags, they do not apply to Microsoft-hosted Azure Pipelines agents. Using these tags will not allow traffic from hosted Ubuntu agents.

    Use self-hosted or VM Scale Set agents for stricter network control

    If allowing a broad set of Microsoft IP ranges is not acceptable for your security requirements, Microsoft recommends using self-hosted agents or Azure Virtual Machine Scale Set agents. With these options, you control the network, IP addresses, and NSG rules, and you can apply more granular firewall restrictions.

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.