Not Monitored
Tag not monitored by Microsoft.
37,797 questions
How to access resources in VNET from azure pipeline and dev machines?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 24%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFN%3C/text%3E%3C/svg%3E)
Faltis, Noah
6
Reputation points
Hi,
we want our azure resources like app service, database, keyvault, blobstorage to be not accessible from the public internet to minimize the risk of security vulnerabilities. Therefore we are using a virtual network. Now there are scenarios where we need access to resources of the VNET from the outside of Azure:
- Microsoft hosted agents are not part of the Azure network and need access for deployments (e.g. to execute entity framework migrations or deploy artifacts to App Services)
- For debugging or operation activities the developers need access to the Azure resources from the developer machine (e.g. execute database queries or remote debugging)
We have identified two possible solutions to establish a connection to VNET protected Azure resources:
- using a VPN-Gateway
- using SSH-Tunnels through a VM which is part of the VNET
The problem with the VPN solution is that it is not possible to establish a VPN connection in a Microsoft Hosted Pipeline Agent. It is also required to host a own DNS-Server which forwards request to an intern Azure DNS-Server for private DNS Zone resolution from On-prem. But for developers its very convenient to use to access all hosts and services in the VNET. The SSH-Tunnel solution works in Microsoft Hosted Pipeline Agents but it is inconvenient to use because you need to open multiple SSH-Tunnels for different hosts/ports.
We definitely want to continue using Microsoft Hosted Pipeline Agent so we decided to combine both solutions:
This solution has a high complexity. Are there better solutions? Are we missing something?
Thanks in advance and best regards,
Noah
{count} vote
-
GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee2022-03-17T08:33:24.953+00:00 Hello @Faltis, Noah ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
Azure DevOps is currently not supported in the Q&A forums, the supported products are listed over here https://learn.microsoft.com/en-us/answers/products (more to be added later on).
You can ask the experts in the dedicated Azure DevOps forum over here:
Azure DevOps :
https://developercommunity.visualstudio.com/report?space=21&entry=problemAzure DevOps Server :
https://developercommunity.visualstudio.com/report?space=22&entry=problemRegards,
Gita -
GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee
2022-03-17T09:47:33.973+00:00 Hello @Faltis, Noah ,
The only thing I could find regarding your query is as below:
You cannot use private connections such as ExpressRoute or VPN to connect Microsoft-hosted agents to your corporate network. The traffic between Microsoft-hosted agents and your servers will be over public network.
In order to access the resources hosted in private VNET, you need to whitelist DevOps IPs as mentioned in the below documentation:
Refer : https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#networkingAnd from the Azure Devops forum, I found the below info:
To connect to Azure resources like Storage Account and SQL server from Azure Devops, you could create an Azure Resource Manager(ARM) service connection. To do that, please go to Project setting ->click ‘Service connections’-> click ‘New service connection’ -> find the ‘Azure Resource Manager’ type and configure it.
Refer : https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devopsThen, just use it in the pipeline, such as the ‘Azure PowerShell’ task. The task has the dropdown that allow you choose the related ARM service connection. You could run the Azure PowerShell commands(e.g. ‘Remove-AzStorageBlob’) in the task to remove the specified storage blob.
Refer : https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-powershell?view=azure-devopsFor better assistance, please raise a query in Azure Devops forum as advised above.
Regards,
Gita
Sign in to comment