I need to change my Azure DevOps region/location

Question

I need to change my Azure DevOps region/location. The rest of my Azure subscription is West Europe. I need to change Azure DevOps to the same region so the service tags work on my storage account in the Azure DevOps pipeline.

I know the UI for changing this has been disabled in Azure DevOps, so I cannot do this myself.

I have also tried to create a ticket to request this, and got to a dead end that sent me here.

Answer 1

Hi Joe,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

I checked with backend team for any other option to change the region. They informed me that it is currently paused as mentioned in docs - Find or change your organization geography. 

So, you can try other solutions for accessing a Storage Account from Azure DevOps Pipelines. Below are the recommended workarounds. Please let me know if it helps or any further questions. 

Workaround 1: Use Managed DevOps Pools (Recommended)

Microsoft recently introduced Managed DevOps Pools, which bridges the gap between Microsoft-hosted and self-hosted agents. It allows you to spin up agent pools that are injected directly into your own Azure Virtual Network (VNet).

1. Create a Managed DevOps Pool in your West Europe subscription.
2. Integrate it with a VNet in West Europe.
3. Configure your Storage Account's firewall to allow traffic from that specific VNet using Service Endpoints or a Private Endpoint. This eliminates the need for Service Tags or IP whitelisting entirely.

 

Workaround 2: Use Self-Hosted Agents or VMSS Agents

If you do not want to use Managed DevOps Pools, you can deploy a Self-hosted agent (such as an Azure VM or Container) or an Azure Virtual Machine Scale Set (VMSS) in your West Europe subscription.

• Because the agent lives inside your Azure VNet, you can enable a VNet Service Endpoint for Microsoft.Storage on the agent's subnet.
• Add that specific subnet to the Storage Account's network firewall rules. The pipeline will securely access the storage account over the Azure backbone.

 

Workaround 3: Dynamically Allowlist the Agent's IP in the Pipeline

If you prefer to continue using Microsoft-hosted agents, you can temporarily add the agent's public IP to the Storage Account firewall at the beginning of your pipeline and remove it at the end. (Note: This only works because your DevOps org and Storage Account are currently in different regions).

You can do this using the AzureCLI@2 task in your pipeline:

steps:
- task: AzureCLI@2
  displayName: 'Add Agent IP to Storage Firewall'
  inputs:
    azureSubscription: '<Your-Service-Connection>'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      AGENT_IP=$(curl -s https://api.ipify.org/)
      echo "Agent IP is $AGENT_IP"
      az storage account network-rule add \
        --resource-group <YourResourceGroup> \
        --account-name <YourStorageAccountName> \
        --ip-address $AGENT_IP
      # Optional: Add a sleep command (e.g., sleep 30) here to allow the rule to propagate

# ... [Your pipeline tasks that interact with the Storage Account] ...

- task: AzureCLI@2
  displayName: 'Remove Agent IP from Storage Firewall'
  condition: always() # Ensures the IP is removed even if previous steps fail
  inputs:
    azureSubscription: '<Your-Service-Connection>'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      AGENT_IP=$(curl -s https://api.ipify.org/)
      az storage account network-rule remove \
        --resource-group <YourResourceGroup> \
        --account-name <YourStorageAccountName> \
        --ip-address $AGENT_IP