Access Azure DevOps repo connectivity on Azure VM without Internet - azure

We have code repositories on Azure DevOps, example URL: https://dev.azure.com/myorg/myproject
We also have an Azure VM created. Our Azure VM is Windows 10. When we create a new VM on Azure, Internet is enabled by default.
The VM will be shared with development team members. To secure code, developers should NOT be able to use personal mailboxes or any other drives like Dropbox, OneDrive, etc. So what I feel we need is Internet disabled but only access to the Azure DevOps repo. Is this possible? How to achieve this?

You can use a Network Security Group resource in Azure. Set rules to allow traffic only to specified services (in your example Azure DevOps) and deny the rest of the connections.
https://learn.microsoft.com/pl-pl/azure/virtual-network/security-overview
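As an added example (not part of the answer above), Az PowerShell that builds such an NSG: outbound HTTPS to the AzureDevOps and AzureActiveDirectory service tags is allowed, and every other Internet-bound connection is denied. The resource group, NIC and rule names are constructed placeholders.

```powershell
# Added example: NSG that leaves the VM only the Azure DevOps path to the Internet.
# Names below are constructed placeholders; replace them with your own resources.
$rg      = 'rg-devbox'
$loc     = 'westeurope'
$nicName = 'devbox-nic'

$rules = @(
    # Git over HTTPS to dev.azure.com (covered by the AzureDevOps service tag)
    New-AzNetworkSecurityRuleConfig -Name 'Allow-AzureDevOps-HTTPS' -Priority 100 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix 'AzureDevOps' -DestinationPortRange 443

    # Sign-in to Azure DevOps goes through Azure AD; without this the repo stays unreachable
    New-AzNetworkSecurityRuleConfig -Name 'Allow-AzureAD-HTTPS' -Priority 110 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix 'AzureActiveDirectory' -DestinationPortRange 443

    # The built-in AllowInternetOutBound rule (priority 65001) would otherwise still apply,
    # so an explicit deny with a lower number (higher priority) is required.
    New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-Outbound' -Priority 4000 `
        -Direction Outbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix 'Internet' -DestinationPortRange '*'
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc `
    -Name 'nsg-devbox-devops-only' -SecurityRules $rules

# Attach the NSG to the VM's NIC (attaching it to the subnet works the same way)
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null

# Verify: the effective rules must list the deny ahead of AllowInternetOutBound
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $rg
```

Inbound RDP still needs its own allow rule, and the deny also blocks Windows Update and package feeds such as NuGet or npm; add explicit allow rules for those rather than re-opening the Internet.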

Related

Azure DevOps VNet integration

We have an on-premises data centre that is connected to Azure via VPN.
There are some on-premises Jenkins jobs that need to run when code is pushed in the Azure repository, and there is an on-premises Nexus server to store artifacts from other Azure pipelines. The rest can and should run in Azure.
I know there is a possibility to use a self-hosted agent that is placed in the Azure virtual network which could then connect to on-premises, but we do not want to manage/pay for a self-hosted agent.
My question is, is there something like a virtual network integration for Azure DevOps? The idea is to let DevOps connect to on-premises resources via the Azure VNet and the VPN without self-hosted agents in between.
E.g., does the ARM service connection only allow access to resources like VMs for deployments, or does it also allow connecting to a VNet and the on-premises resources connected via VPN?
Thanks in advance!
I have already created a service connection between DevOps and the Azure subscription. I cannot check whether the connection to on-premises works for internal reasons.
The Microsoft-hosted agents for Azure DevOps only allow public internet connections to other resources. VPN and use of ExpressRoute or other connections to the internal corporate network are not supported. See this section of the docs for reference.

How can I restrict network access of Microsoft-hosted agents to my Azure subscription?

I have a hosted agent VM in a VNET in my Azure subscription that is supposed to do Bicep deployments to my Azure subscription. It is working well.
I am noticing that Microsoft-hosted agents also can deploy resources or do updates in my Azure subscription once they have a valid service connection. The same pipeline can run on both Self-hosted VM agents or Microsoft-hosted agents. This is a concern for our security department. The preference is that no external entity (outside a designated VNET in the subscription) should be able to access the subscription. We want to establish network isolation between subscription and external access, whether a valid service connection is available or not.
If you have a private agent you can limit access to your resources by filtering IP addresses. I don't know your infrastructure so I cannot say precisely, but for App Services or Function Apps you could use SCM restrictions to limit deployments to just your private agent.
You won't be able to establish that on subscription level, but you could try something different. If you host your agent on Azure (virtual machine or scale set), you could use Managed Identity, then you could use this instead of a service connection (or try a service connection with Managed Identity), and then using a service connection outside of your agent becomes pointless.
Please check this tutorial for more details:
If you use the Managed Identity enabled on a (Windows) Virtual Machine in Azure you can only request an Azure AD bearer token from that Virtual Machine, unlike a Service Principal.
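As an added example (not from the answers above) of the managed-identity approach: the admin side gives the agent VM a system-assigned identity scoped to one resource group, and the agent side signs in with that identity and deploys a Bicep template without any service connection. Resource group, VM and template names are constructed placeholders.

```powershell
# Added example, part 1 (run by an administrator): give the self-hosted agent VM a
# system-assigned identity and grant it only the resource group it deploys into.
# All names are constructed placeholders.
$agentRg   = 'rg-agents'
$agentVm   = 'vm-agent01'
$targetRg  = 'rg-app'

$vm = Get-AzVM -ResourceGroupName $agentRg -Name $agentVm
Update-AzVM -ResourceGroupName $agentRg -VM $vm -IdentityType SystemAssigned | Out-Null

# Re-read the VM to pick up the newly created principal id
$vm = Get-AzVM -ResourceGroupName $agentRg -Name $agentVm
New-AzRoleAssignment -ObjectId $vm.Identity.PrincipalId `
    -RoleDefinitionName 'Contributor' -ResourceGroupName $targetRg | Out-Null

# Added example, part 2 (run inside the pipeline as a plain PowerShell step on the
# self-hosted agent, no Azure service connection attached to the task).
# Connect-AzAccount -Identity obtains its token from the VM's instance metadata
# endpoint, which only exists on the VM itself: a Microsoft-hosted agent running the
# same YAML has no such identity and the step fails at sign-in.
Connect-AzAccount -Identity | Out-Null

# Deploy; the role assignment above is the only permission this identity holds,
# so a stolen pipeline definition cannot reach other resource groups.
New-AzResourceGroupDeployment -ResourceGroupName $targetRg `
    -TemplateFile '.\main.bicep' -Mode Incremental
```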

Azure App Service Deploy returns (403) Forbidden with IP restriction

In Azure, I turned on IP restrictions for:
Web App (Networking > Access Restrictions)
SQL server (Firewalls and virtual networks > Add client IP)
SQL database (Set server settings)
The solution still builds locally and in DevOps (aka Team Foundation Server).
However, Azure App Service Deploy now fails:
##[error]Failed to deploy App Service.
##[error]Error Code: ERROR_COULD_NOT_CONNECT_TO_REMOTESVC
More Information: Could not connect to the remote computer
("MYSITENAME.scm.azurewebsites.net") using the specified process ("Web Management Service") because the server did not respond. Make sure that the process ("Web Management Service") is started on the remote computer.
Error: The remote server returned an error: (403) Forbidden.
Error count: 1.
How can I deploy through the firewall?
Do I need a Virtual Network to hide Azure resources behind my whitelisted IP?
The REST site scm.azurewebsites.net must have Allow All, i.e. no restriction. Also, Same restrictions as ***.azurewebsites.net should be unchecked.
It does not need additional restriction because url access already requires Microsoft credentials. If restrictions are added, deploy will fail the firewall, hence the many complications I encountered.
I think the answer is incorrect, as you might face data exfiltration, and that's the reason Microsoft provides the feature to lock down the SCM portal (Kudu console).
There is also a security issue with the Kudu portal, as it can display the secrets of your Key Vault (if you use Key Vault), and you don't want someone in your organisation to access the Kudu portal, for example.
You have to follow this link
https://learn.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops
It will provide you the Azure DevOps IP range that you need to allow on the SCM access restriction.
Update: To make it work as expected and to use App Service Access Restriction (same for an Azure Function), you need to use the service tag "AzureCloud" and not the Azure DevOps IP range, as it's not enough. In the Azure Pipelines logs, you can see the blocked IP, and you can check that it's within the "AzureCloud" service tag in the Service Tags JSON file.
It's not really clear in the MS docs, but the reason is that they struggled to define a proper IP range for Azure DevOps Pipelines, so they use IPs from the AzureCloud service tag.
https://www.microsoft.com/en-us/download/details.aspx?id=56519
In my case I was deploying using Azure DevOps and got the error. It turned out the app service where my API was being deployed to had the box "Same restrictions as xxxx.azurewebsites.net" checked under access restrictions or IP restrictions. You need to allow scm.azurewebsites.net.
Try adding the application setting WEBSITE_WEBDEPLOY_USE_SCM with a value of false to your Azure App Service. This was able to solve my issues deploying to a private endpoint.
In my case it was because the daily quota was exceeded.
So the solution in this case is either to wait or to pay more (scale up the app service).
In my case this was because the wrong agent (Windows Hosting) was being used when I should have been using a self-hosted internal agent... so I needed to change it at the following location
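As an added example (not from the answers above) of the locked-down alternative to "Allow All": Az PowerShell that decouples the SCM (Kudu) site from the main site's rules and admits only the AzureCloud service tag on the SCM site. The resource group name is a constructed placeholder; MYSITENAME echoes the hostname from the error message in the question.

```powershell
# Added example: restrict the Kudu/SCM site to the AzureCloud service tag (the range
# Microsoft-hosted agents deploy from) instead of opening it to everyone.
# Resource group and app name are constructed placeholders.
$rg  = 'rg-web'
$app = 'MYSITENAME'

# 1. Stop the SCM site from inheriting the main site's rules (the "Same restrictions
#    as ...azurewebsites.net" box), so the production hostname keeps its own lock-down.
Update-AzWebAppAccessRestrictionConfig -ResourceGroupName $rg -Name $app `
    -ScmSiteUseMainSiteRestrictionConfig $false

# 2. Allow only the AzureCloud service tag on the SCM site. Once a single allow rule
#    exists, every other source is implicitly denied on that site.
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rg -WebAppName $app `
    -Name 'Allow-AzureCloud-Agents' -Description 'Microsoft-hosted pipeline agents' `
    -Priority 100 -Action Allow -ServiceTag 'AzureCloud' -TargetScmSite

# 3. Review the resulting configuration: main-site rules unchanged, SCM rules carry
#    the new entry and the inherit flag is off.
Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $rg -Name $app
```

AzureCloud still admits any Azure-hosted source, so the SCM site continues to rely on its deployment credentials; if that is too broad, a self-hosted agent with a fixed outbound IP lets you replace the service tag with a single address rule.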

Check alert rules in virtual machine ( using remote desktop) azure

How can I see the alert rules in a virtual machine (using Remote Desktop) in Azure?
I have RDP credentials but not the Azure login.
Kindly help
How can I see the alert rules in a virtual machine (using Remote Desktop) in Azure?
I think it is not possible, because alert rules work on the Azure platform and are used to manage Azure resources.
An Azure VM is a resource of the Azure platform; you can't see the alert rules without an Azure account.

Are Docker Cloud nodes managed?

If I create a node on Azure through the Docker Cloud Service, will the Azure vm be managed for me? For example, will I have to manage security on the VM (firewalls etc), and updates?
Every virtual machine created in Azure will be secured by Microsoft in various ways. But here it would be helpful to know what you mean by security; some features are enabled as a service.
There is the Azure Trust Center where you can find what Microsoft does for security.
Basic information, including some Security-Features-As-a-Service, can be found on the Azure VMs landing page.
