Azure App Service access restrictions by Service Tag

Andy Yang 0 Reputation points
2023-08-25T22:07:30.3633333+00:00

I want to add Access Restrictions to an Azure App Service. If I want to permit deployments from Azure DevOps pipelines, I understand there isn't a specific Service Tag for the build hosts since they could be spun up anywhere in Azure Cloud.

If I create an Access Restriction allowing incoming traffic based on the 'AzureCloud' service tag - will that encompass any possible Microsoft-hosted agent from ADO? We have experimented with adding individual CIDR ranges from the weekly JSON file where we would only use the ranges defined for "AzureCloud.eastus2". If we created a rule by service tag, is that going to be for all AzureCloud hosts around the world? Or just whatever region our organization is defined in?

Thanks!


2 answers

  1. VenkateshDodda-MSFT 18,081 Reputation points Microsoft Employee
    2023-08-28T07:07:21.11+00:00

    @Andy Yang Thanks for reaching out to Microsoft Q&A, and apologies for any inconvenience caused by this.

    Based on the shared information, I understand that you want to create an access restriction rule, using Service Tags, so that your Azure DevOps pipelines can access the app service from anywhere in the world.

    A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.

    To achieve your requirement of restricting inbound access to the App Service to Azure DevOps pipelines, you can create an access restriction rule using the Service Tag AzureDevOps, which applies to inbound traffic only; this service tag also supports regional restrictions.

    Refer to this documentation for more information about Service Tags and also Available Service Tags.

    If I create an Access Restriction allowing incoming traffic based on the 'AzureCloud' service tag - will that encompass any possible Microsoft-hosted agent from ADO?

    If you use the Service Tag AzureCloud, your resource can be accessible from all the datacenter public IPs, in both directions, inbound or outbound.

    We have experimented with adding individual CIDR ranges from the weekly JSON file where we would only use the ranges defined for "AzureCloud.eastus2". If we created a rule by service tag, is that going to be for all AzureCloud hosts around the world? Or just whatever region our organization is defined in?

    AzureCloud.eastus2 means that you are allowing only eastus2 datacenter public IPs to access your resource.

    Feel free to reach back to me if you have any further questions on this.


  2. Andy Yang 0 Reputation points
    2023-08-30T20:02:32.33+00:00

    We ultimately decided against this approach and instead followed the suggestion here where we whitelist one IP at a time - whatever the public IP of the MS-hosted build agent happens to be:

    https://stackoverflow.com/a/72345453/55574

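The scope question in the thread (does an AzureCloud rule admit agents from every region, or only AzureCloud.eastus2 from one region?) and the final approach of allowing one agent IP at a time can both be checked against the weekly Service Tags JSON file. The script below is an added example, not code from either poster or from Microsoft: it loads a constructed sample in the shape of that file (RFC 5737 documentation prefixes standing in for real Azure ranges, and only a subset of the real `properties` fields) and reports which tags cover a given agent IP and whether an Allow rule built from chosen tags would admit it.

```python
import ipaddress
import json

# Constructed sample in the shape of Microsoft's weekly ServiceTags_Public_<date>.json.
# Prefixes are RFC 5737 documentation ranges, not real Azure ranges, and only a
# subset of the real "properties" fields is included.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud", "id": "AzureCloud",
         "properties": {"region": "",
                        "addressPrefixes": ["192.0.2.0/24", "198.51.100.0/24"]}},
        {"name": "AzureCloud.eastus2", "id": "AzureCloud.eastus2",
         "properties": {"region": "eastus2",
                        "addressPrefixes": ["192.0.2.0/24"]}},
        {"name": "AzureCloud.westus", "id": "AzureCloud.westus",
         "properties": {"region": "westus",
                        "addressPrefixes": ["198.51.100.0/24"]}},
    ],
})


def load_service_tags(raw_json):
    """Return {tag name: [ip_network, ...]} parsed from the service-tags JSON."""
    doc = json.loads(raw_json)
    return {
        entry["name"]: [ipaddress.ip_network(p)
                        for p in entry["properties"]["addressPrefixes"]]
        for entry in doc["values"]
    }


def tags_covering(ip, tags):
    """Sorted names of every service tag whose prefixes contain `ip`."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in tags.items()
                  if any(addr in net for net in nets))


def rule_allows(ip, allowed_tags, tags):
    """Would an Allow rule built from `allowed_tags` admit a client at `ip`?"""
    return bool(set(tags_covering(ip, tags)) & set(allowed_tags))


if __name__ == "__main__":
    tags = load_service_tags(SAMPLE_SERVICE_TAGS)
    for agent_ip in ("192.0.2.10", "198.51.100.7"):  # constructed agent IPs
        print(agent_ip, "is covered by", tags_covering(agent_ip, tags))
        print("  AzureCloud rule admits:", rule_allows(agent_ip, ["AzureCloud"], tags))
        print("  AzureCloud.eastus2 rule admits:",
              rule_allows(agent_ip, ["AzureCloud.eastus2"], tags))
```

Point the loader at the real downloaded JSON to see how much of the global AzureCloud range a rule actually opens compared with a single regional tag or a single agent address.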