Azure DevOps: allow IP rules of Azure VM - azure

I have a VM on Azure that runs SQL Server and I want to update my databases in a build pipeline of Azure DevOps. But the SQL Server port is allowed only for some IPs and I don't want to expose it to everyone... Is it possible to update the allowed IPs in the build?
I found this link that could help to get the IPs of the hosted agents: https://learn.microsoft.com/pt-br/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#agent-ip-range
Microsoft updates a JSON every week with the pipeline host IPs, but the JSON lists services and their IPs, and I don't know the name of the service whose IPs I should get. I didn't find anything like "devops" or "pipeline".
Besides that, would it be possible to auto-update the allowed IPs in the build pipeline? I found this post: https://blog.simontimms.com/2020/01/10/2020-01-10-Allow-hosted-agents-through-firewall/ but I don't know how to edit my pipeline to do that.
Thank you

To confirm the IP address of the Microsoft-hosted agent in the JSON file, you need to check the region of the organization.
You could navigate to Organization Settings -> Overview and check the region of the organization.
Then you could search for AzureCloud.<region> in the JSON file to get the IP address prefixes.
To run the blog's script, you could add the Azure PowerShell task in the pipeline.
By the way, you need to create an Azure service connection before using this task.
In addition, you may encounter this issue:
##[error]No MSFT_NetFirewallRule objects found with property 'DisplayName' equal to ' Remote Event Monitor'. Verify the value of the property and retry.
The cause of this issue is that a firewall rule with this name does not exist.
You need to use the New-NetFirewallRule cmdlet to create a new firewall rule with the target name.
For example:
New-NetFirewallRule -DisplayName "Test" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow
Then you could set the firewall rule with the Set-NetFirewallRule cmdlet.
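Putting the steps of this answer together, here is an added example (not the answer's or the blog's own script) that runs on the VM itself: it picks the AzureCloud.<region> prefixes out of the weekly Service Tags JSON and scopes the Windows Firewall rule for the SQL Server port to them, creating the rule first when it is missing so the "No MSFT_NetFirewallRule objects found" error cannot occur. The region, rule name, port 1433 and the embedded JSON sample are assumptions.

```powershell
# Added example: scope the SQL Server firewall rule to the AzureCloud.<region>
# prefixes from the Service Tags JSON. Region, rule name and port are assumed.
param(
    [string]$Region      = 'westeurope',                        # from Organization Settings -> Overview
    [string]$RuleName    = 'SQL Server - Azure DevOps agents',  # assumed rule display name
    [int]   $SqlPort     = 1433,
    [string]$TagJsonPath = ''                                   # path to the downloaded JSON, if any
)

# Constructed stand-in for the weekly JSON so the parsing part runs offline.
# In the pipeline, pass the downloaded file via -TagJsonPath instead.
$sampleJson = @'
{ "cloud": "Public", "values": [
  { "name": "AzureCloud.westeurope",  "properties": { "region": "westeurope",
      "addressPrefixes": [ "13.69.0.0/17", "13.73.128.0/18" ] } },
  { "name": "AzureCloud.northeurope", "properties": { "region": "northeurope",
      "addressPrefixes": [ "13.69.128.0/17" ] } } ] }
'@

function Get-AzureCloudPrefixes {
    param([string]$Json, [string]$Region)
    $tag = ($Json | ConvertFrom-Json).values | Where-Object { $_.name -eq "AzureCloud.$Region" }
    if (-not $tag) { throw "No service tag named AzureCloud.$Region in the file" }
    return [string[]]$tag.properties.addressPrefixes
}

$json     = if ($TagJsonPath) { Get-Content -Raw -Path $TagJsonPath } else { $sampleJson }
$prefixes = Get-AzureCloudPrefixes -Json $json -Region $Region

# Create the rule on first run; afterwards only replace its remote-address scope,
# which is what Set-NetFirewallRule needs an existing rule for.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $SqlPort -RemoteAddress $prefixes -Action Allow | Out-Null
} else {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $prefixes
}

# Caveat: AzureCloud.<region> covers every Azure customer in that region, not
# only the hosted agents, so SQL authentication still has to carry the weight.
Write-Host "Rule '$RuleName' now admits $($prefixes.Count) prefix(es) on TCP/$SqlPort"
```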

I'm on my phone so I can't test this, but you can probably find the public IP of the hosted agent you are on in a task using a command like 'nslookup myip.opendns.com. resolver1.opendns.com', then add it to your NSG and remove it when you are done.
Tested from cloud shell in the Azure app
https://imgur.com/a/lau2ZDs
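The add-then-remove flow from this answer as an added example (not the answer's own code), written for the Azure PowerShell task on a Windows hosted agent: the agent looks up its own public IP through OpenDNS, opens the SQL port on the VM's NSG for that single address, runs the database update, and removes the rule in a finally block so it goes away even when the update fails. The resource group, NSG name, rule name, priority and the placeholder update command are assumptions.

```powershell
# Added example: temporary /32 NSG allow rule for the agent running this job.
# Resource group, NSG, rule name and priority are assumed placeholders; the
# script expects the Azure PowerShell task to have signed in already.
param(
    [string]$ResourceGroup = 'rg-sql-vm',               # assumed
    [string]$NsgName       = 'nsg-sql-vm',              # assumed
    [string]$RuleName      = 'tmp-allow-devops-agent',  # assumed
    [int]   $Priority      = 300,                       # assumed to be free in the NSG
    [int]   $SqlPort       = 1433,
    [scriptblock]$UpdateDatabase = { Write-Host 'run the database update here' }
)

# Same lookup as in the answer: OpenDNS returns the public IP of the caller.
$agentIp = (Resolve-DnsName -Name 'myip.opendns.com' -Server 'resolver1.opendns.com' -Type A).IPAddress
if ($agentIp -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "Could not determine agent public IP: '$agentIp'" }

function Set-TemporaryAllowRule {
    param([string]$SourceIp)
    $nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup
    # /32 so only this one agent address is admitted, and only to the SQL port.
    $nsg | Add-AzNetworkSecurityRuleConfig -Name $RuleName -Priority $Priority -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix "$SourceIp/32" -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $SqlPort |
        Set-AzNetworkSecurityGroup | Out-Null
}

function Remove-TemporaryAllowRule {
    $nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup
    if ($nsg.SecurityRules | Where-Object { $_.Name -eq $RuleName }) {
        $nsg | Remove-AzNetworkSecurityRuleConfig -Name $RuleName | Set-AzNetworkSecurityGroup | Out-Null
    }
}

try {
    Set-TemporaryAllowRule -SourceIp $agentIp
    Start-Sleep -Seconds 30      # NSG changes take a moment to reach the NIC
    & $UpdateDatabase
} finally {
    # Runs on success and on failure, so the hole does not outlive the job.
    Remove-TemporaryAllowRule
}
```

The cleanup depends on this script reaching its finally block; a job that is killed mid-run should be followed by a separate step, or a scheduled check, that removes any leftover rule with that name.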

Related

How do I resolve authentication errors against an Azure VM via Azure Bastion using local native RDP client?

I have an Azure VM that I can access through Bastion in the Azure Portal without issue, but I would like to access this through my local native RDP client (in Windows). I have the following config:
Local account (un/pw) set up to access
Set up an NSG rule to restrict source and destination IP and port 3389 (for RDP).
Selected "Standard" Bastion (required for native client RDP support)
I have tried the following:
Followed this guide to kick off from PowerShell/Azure CLI: https://jeffbrown.tech/azure-bastion-rdp-native-client/. However I am getting this error (BiFrostVMUnAvailableCredentialsException):
Tried using the RDP client directly with IP:Port - I assume this doesn't work because some Azure account/tunneling magic needs to happen.
Temporarily opened up the NSG rule to allow traffic from any source (not restricted to my VPN IP), and it prompts me for un/pw and I get a slightly different auth error. So this option seems to get further along than the others.
So what am I missing?
Also, this relates to this question, but I think my scenario is slightly different.
Did you configure a subnet for Bastion?
I don't see anything about that in that guide you mentioned. I'm not an expert by any means, but I remember the subnet was something important when I deployed my test.
Apparently, it was necessary to add an RDP rule for the 3389 port in the nsg and allow the bastion subnet otherwise bastion would not connect at all, not even the browser version.
Is the VM domain joined? Try adding the FQDN.
I hope you got this solved by now.

How to run Azure PowerShell cmdlets on a VM when outbound Internet access is restricted

I am using a PowerShell script that resides in a VM to retrieve the list of resources in a subscription. Currently I have outbound internet enabled on the NSG of the VM. But I would like to restrict the outbound internet access in future.
Is there a way to run the PowerShell script when internet access is denied?
The Run Command feature can run scripts on your virtual machines remotely by using the VM agent. To function correctly, Run Command requires connectivity (port 443) to Azure public IP addresses. If you're blocking traffic on the virtual machine, you can use service tags to allow traffic to Azure public IP addresses by using the AzureCloud tag.
There is no service tag called AzureCloud that has whitelisted Azure datacenter IPs. I am also looking for an option to create a custom service tag, which is not possible now.

Azure Firewall settings for VSTO add-in & SQL

I've written a pretty basic SQL-backed VSTO Outlook add-in, which will eventually be used by about 20 people in several offices of the company I work for. All will also be working from home periodically.
The tutorials I've followed so far go through adding "your own" IP address to the server firewall rules:
https://learn.microsoft.com/en-gb/azure/sql-database/sql-database-get-started-portal-firewall
As does a similar question I came across during my research for this question:
SQL Azure Firewall Rules on New Portal
This wasn't a problem when it was just me using the app, I followed the tutorial once to add my office IP address, and once to add my home IP address. It would be very awkward though if I had to get everyone to collect their IP addresses and set each of them up on the firewall.
This would be my first application to use remote resources, so I'm unsure of the next steps with the firewall, and so struggling to find a guide. Should I be:
Opening up the firewall to all, but creating a strong password stored within the app
Creating an initialisation step within the app to grant new users access through the firewall
Creating some kind of proxy so that all of the SQL requests come from the same IP address.
In the case of (2), creating an initialisation step: the Azure SQL server firewall settings appear to change a firewall rule - wouldn't that mean only one person can connect at once?
The best option would be:
1a. Opening up the firewall to all, but requiring Azure Active Directory Authentication for the users.
You can create a small application that can remotely update an Azure SQL firewall rule with a local PC IP address. For that you will need Microsoft Management Fluent library and Resource Group and Resource Management (Fluent) capabilities for Microsoft Azure. Here you will find a sample application.
You may also need to register the application as an Azure Active Directory application as explained here and assign a corresponding role for it. Then you will be able to create an authorization file for the application as explained here.
subscription=########-####-####-####-############
client=########-####-####-####-############
tenant=########-####-####-####-############
key=XXXXXXXXXXXXXXXX
managementURI=https\://management.core.windows.net/
baseURL=https\://management.azure.com/
authURL=https\://login.microsoftonline.com/
graphURL=https\://graph.windows.net/
You can also provide all users with a PowerShell script that can get authenticated on its own to SQL Azure using an Azure Active Directory authentication token as explained here and then update a firewall rule or create a new one using the following script.
New-AzureRmSqlServerFirewallRule -ResourceGroupName "myResourceGroup" `
    -ServerName $servername -FirewallRuleName "AllowSome" -StartIpAddress "0.0.0.0" -EndIpAddress "0.0.0.0"

NSG outbound rule for VSTS Deployment Group

I have an Azure VM that has an NSG which needs to restrict outbound Internet access to only necessary services and applications (start with most restrictive, then add rules). The Team Services agent extension also gets installed with an ARM template (which fails to download with the Deny all outbound Internet rule).
Does the weekly change of IP addresses used by VSTS apply to Deployment Groups? There is a similar question for IPs of Hosted Build.
I'm creating the VMs in a VSTS release definition. In the link above, I found an answer posted that you can call the REST API to get the IP address, which would be easiest, but when I try this in a browser it looks like this is deprecated ("Sorry! Our services aren't available right now."). Any other ideas on how I can apply the IPs for the NSG whenever I run the release to create the VMs?
"You can get the IP address of the current build agent dynamically and create a security group dynamically (by using the AWS SDK for .NET):
Open build definition > Select Options tab > Check Allow Scripts to Access OAuth Token
Add PowerShell step/task (Arguments: -RestAddress https://starain.vsdtl.visualstudio.com/DefaultCollection/_apis/vslabs/ipaddress -Token $(System.AccessToken))."
If I read this right, you want to create a VM using a VSTS pipeline and this new VM should host a VSTS agent that calls back to VSTS at any time later.
I think there are no solutions. While it would be easy to get a valid IP for a VSTS instance at creation time, you have no guarantee that this IP will be valid for a long time. You may be lucky in being able to set up the agent, but the link to VSTS may stop any minute.
The question is interesting in itself and can be solved using the Azure PowerShell task. The script will:
resolve the name to the IP address using the Resolve-DnsName cmdlet
add or update the NSG rule using Set-AzureRmNetworkSecurityGroup etc.
That API is unavailable now; you can try to get the IP and update the NSG through a PowerShell task directly (e.g. $ip = Invoke-RestMethod http://ipinfo.io/json | Select -exp ip), see PowerShell One Liner: Get External/Public IP Address.
On the other hand, you could use a private agent: Deploy an agent on Windows

No endpoint settings in Azure console for Ubuntu server

I have trouble getting proper access to my server's services.
It's a "new" Ubuntu VM, so I can't access it via the old "manage" portal.
I cannot change the endpoint settings for this VM because the entry "endpoints" is missing. What can I do to fix this? Or am I supposed to use iptables / ufw? That doesn't seem to be the case, since I can access my server via SSH and neither iptables nor ufw has entries for SSH.
Thanks in advance for any helpful information.
Azure Resource Manager (ARM) is quite a new addition to Azure, so some things are only doable via PowerShell at this time.
Please consider the following explanation on how to attach a load balancer to your resource group and then configure what we used to call "endpoints":
http://blog.itaysk.com/2015/08/03/azure-load-balancer-in-resource-manager-arm/