How to access resources in VNET from azure pipeline and dev machines?

Faltis, Noah 6 Reputation points


we want our azure resources like app service, database, keyvault, blobstorage to be not accessible from the public internet to minimize the risk of security vulnerabilities. Therefore we are using a virtual network. Now there are scenarios where we need access to resources of the VNET from the outside of Azure:

  1. Microsoft hosted agents are not part of the Azure network and need access for deployments (e.g. to execute entity framework migrations or deploy artifacts to App Services)
  2. For debugging or operation activities the developers need access to the Azure resources from the developer machine (e.g. execute database queries or remote debugging)

We have identified two possible solutions to establish a connection to VNET protected Azure resources:

  1. using a VPN-Gateway
  2. using SSH-Tunnels through a VM which is part of the VNET

The problem with the VPN solution is that it is not possible to establish a VPN connection in a Microsoft Hosted Pipeline Agent. It is also required to host a own DNS-Server which forwards request to an intern Azure DNS-Server for private DNS Zone resolution from On-prem. But for developers its very convenient to use to access all hosts and services in the VNET. The SSH-Tunnel solution works in Microsoft Hosted Pipeline Agents but it is inconvenient to use because you need to open multiple SSH-Tunnels for different hosts/ports.

We definitely want to continue using Microsoft Hosted Pipeline Agent so we decided to combine both solutions:


This solution has a high complexity. Are there better solutions? Are we missing something?

Thanks in advance and best regards,

Not Monitored
Not Monitored
Tag not monitored by Microsoft.
36,564 questions
{count} vote