MS-hosted Azure DevOps Agents (Windows) run from GitHub cloud IP address range instead of ADO organization region

Aliaksandr Urbanovich1 20 Reputation points
2024-02-13T14:03:20.5433333+00:00

Hi,
We are using Azure DevOps to release a web app and run SQL migration scripts against SQL Managed Instance from Microsoft-hosted agents. According to this documentation, we have a solution that whitelists, at the Network Security Group level for SQL Managed Instance, the IP address ranges of agents taken from the weekly file for our AzureCloud.eastus2 region. This is set for security reasons by the IT department at our organization.

A few days ago I found that some release tasks that run the SQL migration script fail due to timeouts. While investigating the logs and troubleshooting, I found that sometimes the IP is taken from GitHub IP addresses and not from the weekly file range.
As an example, this IP was selected today on an Azure DevOps agent with the Windows-2019 image: 20.42.19.149,
which is listed in the GitHub Meta API under CIDR block 20.42.0.0/17.

So the main question: why does this happen?
Whitelisting all addresses from the GitHub Meta API is impossible at the Network Security Group level because of the limit of 4000 IP addresses/CIDRs. Perhaps it is a good time to make it possible to whitelist at the Network Security Group by Service Tag, as currently it does not work for whitelisting IP addresses. Also, adding a service tag for GitHub IP addresses is a good idea too.
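
The comparison described in the question, as an added example that is not part of the original post: it checks an observed agent IP against one service tag of the weekly file and against the GitHub Meta API ranges, and counts the NSG entries a prefix list needs after merging. The JSON excerpts are constructed (documentation prefixes; only 20.42.19.149 and 20.42.0.0/17 come from the question), and listing that CIDR under the `actions` key is an assumption.

```python
import ipaddress
import json

NSG_LIMIT = 4000  # limit quoted in the question

# Constructed excerpt in the layout of the weekly service tags file.
# Prefixes are documentation ranges, not real AzureCloud.eastus2 data.
WEEKLY = json.loads("""{"values": [{"name": "AzureCloud.eastus2", "properties":
  {"addressPrefixes": ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.0/24"]}}]}""")

# Constructed excerpt in the layout of the GitHub Meta API response. The CIDR is
# from the question; listing it under "actions" is an assumption.
GITHUB_META = json.loads('{"verifiable_password_authentication": false, '
                         '"ssh_keys": ["constructed-non-cidr-entry"], '
                         '"actions": ["20.42.0.0/17"], "web": ["192.0.2.0/24"]}')

def parse_nets(items):
    """Parse CIDR strings, skipping list entries that are not networks."""
    nets = []
    for item in items:
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except (ValueError, TypeError):
            pass  # e.g. ssh_keys entries in the Meta API response
    return nets

def tag_prefixes(weekly, tag):
    """Return the networks listed for one service tag in the weekly file."""
    for entry in weekly["values"]:
        if entry["name"] == tag:
            return parse_nets(entry["properties"]["addressPrefixes"])
    raise KeyError(f"service tag {tag!r} not in weekly file")

def covering(addr, nets):
    return [str(n) for n in nets if n.version == addr.version and addr in n]

def classify(ip, weekly, tag, meta):
    """Report which allowlist source, if any, covers an observed agent IP."""
    addr = ipaddress.ip_address(ip)
    github = {k: covering(addr, parse_nets(v))
              for k, v in meta.items() if isinstance(v, list)}
    return {"weekly_file": covering(addr, tag_prefixes(weekly, tag)),
            "github_meta": {k: hits for k, hits in github.items() if hits}}

def nsg_entries_needed(nets):
    """Count prefixes left after merging adjacent or overlapping ranges."""
    return sum(len(list(ipaddress.collapse_addresses(
        [n for n in nets if n.version == v]))) for v in (4, 6))

if __name__ == "__main__":
    print(classify("20.42.19.149", WEEKLY, "AzureCloud.eastus2", GITHUB_META))
```

Running `nsg_entries_needed` over the real parsed prefix lists shows how far merging brings a source toward `NSG_LIMIT` before any rules are written.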
