Connecting to Azure Subscription from Microsoft Hosted Build Agent - azure

I've got a Azure Build pipeline, which runs on Microsoft Hosted Build Agent.
CI build contains integration tests that need to connect to a SQL Server, which is hosted on a Azure Virtual Machine, however that SQL Server is accessible only from private network.
Is there a way for CI build to connect to that SQL Server in order to run integration tests?

Is there a way for CI build to connect to that SQL Server in order to run integration tests?
Indeed, just like Poney said, we could white list the IP address used by the Microsoft Azure Datacenter IP Ranges in the list mentioned:
https://www.microsoft.com/en-nz/download/details.aspx?id=41653
But this list gets updated every week, so please be mindful of this during the deployment planning.
As workaround, you could set start/stop IP range 0.0.0.0, but this option configures the firewall to allow all connections from Azure including connections from the subscriptions of other customers. When selecting this option, make sure your login and user permissions limit access to only authorized users.
Check the documents Azure SQL Database and SQL Data Warehouse IP firewall rules and Deploy .dacpc to Azure DB via VS Team Services Release–Using Hosted Agents for some more details.
This way you don't need to update the IP list according to the XML downloaded weekly.
Hope this helps.

Related

Azure App Service Deploy returns (403) Forbidden with IP restriction

In Azure, I turned on IP restrictions for:
Web App (Networking > Access Restrictions)
SQL server (Firewalls and virtual networks > Add client IP)
SQL database (Set server settings)
The solution still builds locally and in DevOps (aka Team Foundation Server).
However, Azure App Service Deploy now fails:
##[error]Failed to deploy App Service.
##[error]Error Code: ERROR_COULD_NOT_CONNECT_TO_REMOTESVC
More Information: Could not connect to the remote computer
("MYSITENAME.scm.azurewebsites.net") using the specified process ("Web Management Service") because the server did not respond. Make sure that the process ("Web Management Service") is started on the remote computer.
Error: The remote server returned an error: (403) Forbidden.
Error count: 1.
How can I deploy through the firewall?
Do I need a Virtual Network to hide Azure resources behind my whitelisted IP?
The REST site scm.azurewebsites.net must have Allow All, i.e. no restriction. Also, Same restrictions as ***.azurewebsites.net should be unchecked.
It does not need additional restriction because url access already requires Microsoft credentials. If restrictions are added, deploy will fail the firewall, hence the many complications I encountered.
I think the answer is incorrect as you might face data ex-filtration and that's the reason Microsoft provide the feature to lock down SCM portal (Kudu console)
There is also a security issue on Kudu portal as it can display the secret of your keyvault (if you use keyvault) and you don't want someone in your organisation to access the Kudu portal for example.
You have to follow this link
https://learn.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops
It will provide you Azure DevOPS IP range that you need to allow on the SCM Access restriction.
Update: To make it works as expected and to use App Service Access Restriction (same for an Azure Function), you need to use the Service Tags "AzureCloud" and not the Azure DevOPS IP range as it's not enough. on the Azure Pipeline logs, you can see the IP blocked so you can see that it's within the ServiceTags "AzureCloud" in the Service Tags JSON file
It's not really clear on the MS Doc but the reason is that they struggled to define a proper IP range for Azure DevOPS Pipeline so they use IPs from AzureCloud Service Tag.
https://www.microsoft.com/en-us/download/details.aspx?id=56519
In my case I was deploying using Azure DevOps and got the error. It turned out the app service where my API was being deployed to, had the box checked "Same restrictions as xxxx.azurewebsites.net", under access restrictions or IP restrictions. you need to allow scm.azurewebsites.net.
Try adding the application setting WEBSITE_WEBDEPLOY_USE_SCM with a value of false to your Azure App Service. This was able to solve my issues deploying to a private endpoint.
In my case it was because the daily quota was overpassed.
So the solution in this case is either wait or pay more (scale up) the app service
In my case this was because the wrong agent (Windows Hosting) was being used when I should have been using a self hosted internal agent... so I needed to change it at the following location

How to enable the access to Azure services in my AZURE SQL database server?

I'm trying to create a "Integration Runtime" (AZURE-SSIS type) in my data factory. (To run my SSIS packages in cloud) I already have a virtual machine (Azure SQL data base server Up and running).
While during the IR creation process I'm not able to link my AZURE SQL database SSISDB catalog to "Catalog database server endpoint" (OR) the server is not showing up in the drop down box.
In the MSDN blog it says
"Confirm that the **Allow access to Azure services** setting is enabled for the database server. This is not applicable when you use Azure SQL Database with virtual network service endpoints/Managed Instance to host SSISDB."
Could anyone know how to enable this feature ? I hope by enabling this feature I can link my server in the IR and run the packages in the cloud.
Thanks
To allow applications from Azure to connect to your Azure SQL server,
Azure connections must be enabled. When an application from Azure
attempts to connect to your database server, the firewall verifies
that Azure connections are allowed. A firewall setting with starting
and ending address equal to 0.0.0.0 indicates Azure connections are
allowed. If the connection attempt is not allowed, the request does
not reach the Azure SQL Database server.
you can do it any way, powershell, az cli, arm templates. if you go to the portal to the firewall blade, there would be a button to do that.
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure
Please take a look where is located on below image.
On this documentation you will have instructions how to reach that screen.

How to deploy application from AzureDevOps to custom VM inside Azure?

I'am using AzureDevOps to build and pack my docker application.
The goal is to execute docker-compose commands in Azure VM, which is behind the firewall and can be access only thru vpn connection or standard web-browsing ports.
You can use deployment groups to achieve that. Reason this will work, because it is a one way communication (from agent to Azure Devops), so you dont really need to open ports for the VM, the VM has to only be able to reach Azure Devops endspoints (more on this).
TLDR. Using agents will work, because its an outgoing connection from the agent, not from Azure Devops to the agent.

sonar Setting up in Azure cloud and automate through VSTS

I just gone through some documents regarding the sonar and azure cloud ,I am new to Sonar and Azure Cloud.As per the documentation which I gone through,I got some idea on this.I have installed sonar plugin in VSTS and tried to connect to azure but As per my understanding we need to set proxy in azure servers so that I can connect to azure.But still I am not having the approach to connect sonar with Azure.Do we need to setup any private agent in VSTS and install sonar or any subscription we need to add in Azure ( End point).Please share your thoughts on this.
You can create a Microsoft SQL Server VM in azure, then configure/install sonarqube and map 80 port (Public port) to Sonarqube port (default is 9000).
A related article: How to setup a SonarQube server in Azure.
On the other hand, the public IP address may be changed, you can use a static public IP address, more information you can refer to: Create a VM with a static public IP address using the Azure portal.
Regarding the sonarqube server just can be accessible from intranet, you need to setup a private build agent (can access that sonarqube from this build agent machine), then queue build with this private build agent.

Can I host an application in Windows Azure and have the database stored on different server

Can I host an application in Windows Azure and have the database stored on different server? For example I want to keep my data on a server where I dont have to worry about privicy issues. And if this is possible does it remove the value of having an application hosted in the cloud?
thanks
You mean hosting your application on Windows Azure and then hosting the database on your own servers? This is totally possible, but you'd have to publicly expose your database. You could host your database on SQL Azure and that would be a 'separate server' from your Windows Azure host. With SQL Azure, you can set up a firewall rule to allow only your application to access your database.
If you were to host your database on your own servers, I don't think that it would completely diminish the value of hosting your application on the cloud as your app tier at least would still be hosted "in the cloud". Though, you could also run into performance issues in this scenario as SQL is a little slow to access over the internet using TCP.
You can host on premise and use a secure VPN as part of Azure now. This can be done using Azure network in the latest release.
Can setup an Azure site to site VPN and get access to your private data centre that way.

Resources