Hardening AKS Cluster via API server authorized IP ranges

Kaushalendra Kumar 106 Reputation points
2023-06-15T07:49:23.5033333+00:00

Hi,

We plan to harden our AKS environment by using API server authorized IP ranges for the API server, and by disabling public access to Azure Container Registry using a private endpoint with Azure Private Link for ACR or registry firewall rules. We use Azure DevOps pipelines to code, build, test and push our images to ACR, and then use kubectl in the pipelines to deploy on top of the AKS cluster.

Our question: how can we enable the above security features without losing connectivity to ACR or the AKS cluster API server from Azure DevOps pipelines, which run on random Microsoft-hosted build agents?


Accepted answer
Akram Kathimi 1,206 Reputation points Microsoft Employee
2023-06-15T08:09:55.6066667+00:00

Hi @Kaushalendra Kumar,

Thank you for your question.

The connection to both AKS and ACR would not be available when the features you mentioned are enabled, since the public (MS-hosted) agents use unpredictable IPs.

To work around this, I would consider using self-hosted agents that have direct access to ACR's private link and the AKS cluster; it would even work if you decided to go with a private AKS instead of authorized ranges.

Please check this document, which also mentions the above points.

Also, check this blog post for the Private AKS connection.

Thank you.

Please Accept the answer if the information helped you. This will help us and others in the community as well.


1 additional answer

AirGordon 7,145 Reputation points
2023-06-15T08:05:45.3666667+00:00

In scenarios where private networking is preferred, you should leverage self-hosted agents. These will run on an adjacent subnet (or peered vnet) to your Container Registry. https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=browser#install

It is possible to get the list of IP addresses used by the Microsoft-hosted agents and create firewall exceptions for the inbound traffic; however, most enterprise security teams do not favour this approach. https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#networking

On your point about using Authorized IP ranges, an alternate option to consider is to use a Private AKS cluster, where communication to the Kubernetes API server will need to be made from a connected network.

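Both answers make the same point: once authorized IP ranges are on, only sources you listed (the self-hosted agent subnet's egress IP, operators' IPs) reach the API server, and an unpredictable hosted-agent address will not. The script below is an added example, not code from either answerer or from Microsoft; it performs the lockout check a practitioner wants before applying the change and assembles the corresponding Azure CLI commands. All IPs, CIDRs, resource names and the Microsoft-hosted sample address are constructed placeholders.

```python
import ipaddress

# Constructed sample values (assumptions, not from the thread): replace with your own.
SELF_HOSTED_AGENT_EGRESS = "203.0.113.10"  # public/NAT IP of the self-hosted agent subnet
OPERATOR_IP = "198.51.100.25"              # where an engineer runs kubectl from
HOSTED_AGENT_SAMPLE_IP = "20.42.5.17"      # stands in for an unpredictable MS-hosted agent IP
PROPOSED_RANGES = ["203.0.113.10/32", "198.51.100.0/24"]


def validate_ranges(ranges):
    """Normalise CIDRs for --api-server-authorized-ip-ranges; reject host bits and 0.0.0.0/0."""
    nets = [ipaddress.ip_network(r, strict=True) for r in ranges]  # raises on malformed input
    if any(n.prefixlen == 0 for n in nets):
        raise ValueError("0.0.0.0/0 would re-open the API server to everyone")
    return [str(n) for n in nets]


def is_authorized(ip, ranges):
    """True if the API server would accept traffic from `ip` under `ranges`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def lockout_check(ranges, required_ips):
    """Return the sources that would lose API server access; an empty list means safe to apply."""
    return [ip for ip in required_ips if not is_authorized(ip, ranges)]


def aks_authorized_ranges_cmd(resource_group, cluster, ranges):
    return (f"az aks update --resource-group {resource_group} --name {cluster} "
            f"--api-server-authorized-ip-ranges {','.join(validate_ranges(ranges))}")


def acr_lockdown_options(registry, agent_ip):
    """Two alternatives (both need the Premium SKU): close the public endpoint entirely,
    or keep it public but allow only the self-hosted agent's egress IP via a firewall rule."""
    return [
        f"az acr update --name {registry} --public-network-enabled false",
        f"az acr network-rule add --name {registry} --ip-address {agent_ip}",
    ]


if __name__ == "__main__":
    missing = lockout_check(PROPOSED_RANGES, [SELF_HOSTED_AGENT_EGRESS, OPERATOR_IP])
    if missing:
        raise SystemExit(f"refusing to apply: these sources would be locked out: {missing}")
    print(aks_authorized_ranges_cmd("rg-aks", "aks-prod", PROPOSED_RANGES))
    for cmd in acr_lockdown_options("acrprod", SELF_HOSTED_AGENT_EGRESS):
        print(cmd)
    # A hosted agent's address is not in the list, which is exactly why the pipeline would break:
    print("hosted agent still allowed?", is_authorized(HOSTED_AGENT_SAMPLE_IP, PROPOSED_RANGES))
```

Run the check from the self-hosted agent itself (or feed it the agent subnet's NAT gateway IP) so the address you whitelist is the one the API server actually sees.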
