why is it not allowed to ip whitelist a devops agent(in the same region) on a storage account?

Yael Goede 25

Terraform uses a storage account to store it's state. when using an azure pipelines agent you wanna JIT(just in time) allow that devops agent to read the terraform state. however the storage account firewall cannot give ip access to devops agents from the same region as the storage account. for other azure solutions like keyvault this approach works perfectly, yet storage accounts treat this differently. Why is this and is this intended behavior? will this change in the future? I know a solution is to provision private agents but this seems like alot of overhead just to access a storage account behind a firewall.

thank you in advance

SaiKishor-MSFT 17,201 Reputation points

2023-03-20T18:19:34.0733333+00:00

@Yael Goede Thanks for reaching out to Microsoft Q&A. I understand that you are having issues allowing Devops agent to Storage account via Firewall rules.

Were you able to determine the IPs/Ip range that the Devops is using for outbound traffic to Storage account? Have you tried adding it to the Firewall? Can you please let me know.

As long as it is a Public IP and it is added to the Firewall Allowed IPs in the Storage Account Firewall rules, this is possible. Please let me know. Thank you!
Yael Goede 25 Reputation points

2023-03-20T18:37:26.1366667+00:00

@SaiKishor-MSFT Thank you for replying. Yes I can add the IP to the firewall but the devops agent can still not access the storage account. it works when the devops agent is not in same region as the storage account but it does not when they are in the same azure region.
Yael Goede 25 Reputation points

2023-03-20T18:41:59.0266667+00:00

@SaiKishor-MSFT Thank you for replying. yes so I can add the ip to the storage account firewall. but the devops agent cannot access the storage account when it is in the same azure region as the storage account. The setup works fine if they are not in the same Azure region. Can it have something to do with Azure using internal ips when the in the same region? it's a little odd because the setup works fine for azure keyvault.

Accepted answer

SaiKishor-MSFT 17,201 Reputation points

2023-03-20T21:09:19.53+00:00

@Yael Goede

Yes, please refer to the following as per doc- https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal

Does that help? Please do let me know if you have any further questions. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.
Please sign in to rate this answer.
Yael Goede 25 Reputation points

2023-03-21T09:51:25.3366667+00:00

@SaiKishor-MSFT For other azure solutions like Azure keyvault this approach works perfectly, yet storage accounts treat this differently. this seems very counter intuitive because there would be no way to grant a default Azure devops agent access on a storage account. Can I send a request somewhere to have this feature added?

thank you for your time

SaiKishor-MSFT 17,201 Reputation points

2023-03-22T19:00:15.8033333+00:00

@Yael Goede Here is the website for requesting a feature- https://feedback.azure.com/d365community/forum/79b1327d-d925-ec11-b6e6-000d3a4f06a4

At this time Private endpoints + VNET isolation would be the alternatives for this issue. Hope this helps. Please let me know if you have any further questions and I will be glad to assist further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.

SaiKishor-MSFT 17,201 Reputation points

2023-03-23T19:10:26.06+00:00

@Yael Goede

Please let us know if you have any more questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.

Yael Goede 25 Reputation points

2023-03-23T19:21:07.2966667+00:00

@SaiKishor-MSFT thank you I will. I will request it as a feature for now. Seems counter intuitive to not be able to whitelist an internal ip. especially because it works fine for other services like keyvault. Thank you again for your help.
Sign in to comment

why is it not allowed to ip whitelist a devops agent(in the same region) on a storage account?

0 additional answers