I have an Azure VM that has an NSG which needs to restrict outbound Internet access to only necessary services and applications (start with most restrictive then add rules). The Team Services agent extension also will get installed with an ARM template (which fails to download with the Deny all outbound Internet rule).
Does the weekly change of IP addresses used by VSTS apply for Deployment Groups? There is a similar question for IPs of Hosted Build.
I'm creating the VMs in a VSTS release definition. In the link above, I found an answer posted that you can call the REST API to get the IP address which would be easiest, but when I try this in a browser it looks like this is deprecated. ("Sorry! Our services aren't available right now.") Any other ideas on how I can apply the IPs for the NSG whenever I run the release to create the VMs?
"You can get the IP address of current build agent dynamically and create a security group dynamically (by using AWS SDK for .NET). Open build definition > Select Options tab > Check Allow Scripts to Access OAuth Token. Add PowerShell step/task (Arguments: -RestAddress https://starain.vsdtl.visualstudio.com/DefaultCollection/_apis/vslabs/ipaddress -Token $(System.AccessToken))."
If I read this right, you want to create a VM using a VSTS pipeline, and this new VM should host a VSTS agent that calls back to VSTS at any time later.
I think there are no solutions. While it would be easy to get a valid IP for a VSTS instance at creation time, you have no guarantee that this IP will stay valid for a long time. You may be lucky and be able to set up the agent, but the link to VSTS may stop at any minute.
The question is interesting in itself and can be solved using the Azure PowerShell task. The script will:
resolve the name to the IP address using the Resolve-DnsName cmdlet
add or update the NSG rule using Set-AzureRmNetworkSecurityGroup etc.
That API is unavailable now; you can try to get the IP and update the NSG through a PowerShell task directly (e.g. $ip = Invoke-RestMethod http://ipinfo.io/json | Select -exp ip), see PowerShell One Liner: Get External/Public IP Address.
Alternatively, you can use a private agent: Deploy an agent on Windows
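The Azure PowerShell task described in the two answers above, written out as an added example (not code from the posts): it resolves the VSTS host names to their current addresses and adds or updates one outbound allow rule in the VM's NSG, leaving the deny-all rule in place. Resource group, NSG, rule name and host list are assumed; as the earlier answer warns, the resolved addresses drift, so run this on every release rather than once.

```powershell
# Added example (not from the original posts). Runs in an Azure PowerShell task
# whose service connection may modify the NSG. Resolve-DnsName needs a Windows
# agent. Assumed names: rg-deploy, nsg-vm, AllowVstsOutbound, and the host list.
param(
    [string]  $ResourceGroup = 'rg-deploy',
    [string]  $NsgName       = 'nsg-vm',
    [string]  $RuleName      = 'AllowVstsOutbound',
    [string[]]$Hosts         = @('dev.azure.com', 'myorg.visualstudio.com'),  # assumed org host
    [int]     $Priority      = 200   # must sort before the deny-all outbound rule
)
$ErrorActionPreference = 'Stop'

# Resolve every host to its current IPv4 addresses (the step the answer describes).
$addresses = foreach ($h in $Hosts) {
    Resolve-DnsName -Name $h -Type A |
        Where-Object { $_.Type -eq 'A' } |          # skip CNAME records in the chain
        ForEach-Object { "$($_.IPAddress)/32" }
}
$addresses = @($addresses | Sort-Object -Unique)
if ($addresses.Count -eq 0) { throw 'No A records resolved; refusing to write an empty allow rule.' }

$nsg  = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName
$rule = @{
    NetworkSecurityGroup     = $nsg
    Name                     = $RuleName
    Description              = "HTTPS to VSTS hosts, resolved $(Get-Date -Format u)"
    Access                   = 'Allow'
    Protocol                 = 'Tcp'
    Direction                = 'Outbound'
    Priority                 = $Priority
    SourceAddressPrefix      = '*'
    SourcePortRange          = '*'
    DestinationAddressPrefix = $addresses   # only the resolved /32s, nothing wider
    DestinationPortRange     = 443
}
# Update in place when the rule already exists (addresses change over time), else add it.
if ($nsg.SecurityRules | Where-Object Name -eq $RuleName) {
    Set-AzNetworkSecurityRuleConfig @rule | Out-Null
} else {
    Add-AzNetworkSecurityRuleConfig @rule | Out-Null
}
# Nothing reaches Azure until the modified NSG object is written back.
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null
Write-Host "Rule $RuleName now allows TCP/443 to: $($addresses -join ', ')"
```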
I have a VM on Azure that runs SQL Server and I want to update my databases in a build pipeline of Azure DevOps. But the port of SQL Server is only allowed for some IPs and I don't want to expose it to everyone... Is it possible to update the allowed IPs in the build?
I found this link that could help to get the IPs of the hosted agents: https://learn.microsoft.com/pt-br/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#agent-ip-range
Microsoft updates a JSON file with the pipeline host IPs every week, but the JSON lists services and their IPs, and I don't know the name of the service whose IPs I should take. I didn't find anything like "devops" or "pipeline".
Besides that, would it be possible to auto-update the allowed IPs in the build pipeline? I found this post: https://blog.simontimms.com/2020/01/10/2020-01-10-Allow-hosted-agents-through-firewall/ but I don't know how to edit my pipeline to do that.
Thank you
To confirm the IP address of the Microsoft-hosted agent in the JSON file, you need to check the region of the organization.
You could navigate to Organization Settings -> Overview and check the region of the organization.
Then you could search for AzureCloud.<region> in the JSON file to get the IP address prefixes.
To run the blog's script, you could add the Azure PowerShell task to the pipeline.
By the way, you need to create an Azure service connection before using this task.
In addition, you may encounter this issue:
##[error]No MSFT_NetFirewallRule objects found with property 'DisplayName' equal to ' Remote Event Monitor'. Verify the value of the property and retry.
The cause of this issue is that a firewall rule with this name does not exist.
You need to use the New-NetFirewallRule cmdlet to create a new firewall rule with the target name.
For example:
New-NetFirewallRule -DisplayName "Test" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow
Then you could set the firewall rule with the Set-NetFirewallRule cmdlet.
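The steps in this answer combined into one script, as an added example rather than the blog's own code: it reads the weekly Service Tags JSON, picks the AzureCloud.<region> entry for the organization's region, and creates the Windows Firewall rule with New-NetFirewallRule when it is missing (the ##[error] above) or updates its remote addresses with Set-NetFirewallRule otherwise. The JSON path, region, rule name and port are assumptions.

```powershell
# Added example (not the blog's script). Assumes the weekly Service Tags JSON has
# already been downloaded to $TagFile and that this runs on the SQL VM with admin
# rights. Region, path, rule name and port are assumed values.
param(
    [string]$TagFile  = 'C:\temp\ServiceTags_Public.json',   # assumed download location
    [string]$Region   = 'westeurope',                        # as shown under Organization Settings > Overview
    [string]$RuleName = 'SQL from Azure DevOps hosted agents',
    [int]   $Port     = 1433
)
$ErrorActionPreference = 'Stop'

$tags = Get-Content -Path $TagFile -Raw | ConvertFrom-Json
$tag  = $tags.values | Where-Object { $_.name -eq "AzureCloud.$Region" }   # -eq is case-insensitive
if (-not $tag) { throw "No 'AzureCloud.$Region' entry in $TagFile; check the region name." }

# Windows Firewall accepts CIDR prefixes directly. Keep IPv4 only, which is what the
# SQL listener is bound to here; drop the filter if IPv6 ranges are wanted as well.
$prefixes = @($tag.properties.addressPrefixes | Where-Object { $_ -notmatch ':' })
if ($prefixes.Count -eq 0) { throw "Tag AzureCloud.$Region contains no IPv4 prefixes." }

# Set-NetFirewallRule fails with the ##[error] shown above when the rule is missing,
# so create it on first run and only update the remote addresses afterwards.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($null -eq $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -Action Allow -RemoteAddress $prefixes | Out-Null
    $action = 'Created'
} else {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $prefixes
    $action = 'Updated'
}
$msg = "{0} '{1}': {2} IPv4 prefixes from AzureCloud.{3} (changeNumber {4}) allowed on TCP/{5}"
Write-Host ($msg -f $action, $RuleName, $prefixes.Count, $Region, $tag.properties.changeNumber, $Port)
```

Because the JSON is republished weekly, the rule is only as current as the file it was built from; re-run the script whenever a new file is fetched.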
I'm on my phone so I can't test this, but you can probably find the public IP of the hosted agent you are on in a task using a command like 'nslookup myip.opendns.com. resolver1.opendns.com', then add it to your NSG and remove it when you are done.
Tested from cloud shell in the Azure app
https://imgur.com/a/lau2ZDs
I have been using the New-AzureReservedIP cmdlet to create a new reserved IP address in Azure and associate it with an Azure cloud service staging slot. Basically what is described in this question. This cmdlet was part of the Azure module. However, as we know, the Azure and AzureRM modules are not available in PS7 anymore. And this work step is not even available in the Azure GUI.
As Microsoft recommends switching to PS7 and the Az module I assume that there is another way there to achieve the same thing. However, so far I was unable to find a solution.
The problem is that the staging slot requires a reserved IP if the production slot has one. To limit expenses we delete our staging slots after deployment. If we'd just keep and update it, that would not be a problem. Also, I was unable to find a way to re-use an existing reserved IP (that was created with New-AzureReservedIP previously) for the next staging deployment, so far I always needed to create a new one using New-AzureReservedIP. I ended up having quite a few reserved IP addresses which I don't use anymore, so I wonder if they can be recycled somehow?
What would be best practice to solve this in PS7?
Reserved IP belongs to ASM API (Classic) and will be deprecated by 2023. Hence it doesn't exist in ARM. The new ARM API doesn't support this functionality. In ARM you have the option to use static Public IP (IP owned by Microsoft) or Public IP Prefix which is when you buy the IP address/IP range.
New-AzPublicIpAddress
https://learn.microsoft.com/en-us/powershell/module/az.network/new-azpublicipaddress?view=azps-4.5.0
New-AzPublicIpPrefix
https://learn.microsoft.com/en-us/powershell/module/az.network/new-azpublicipprefix?view=azps-4.5.0
But one thing to note is that if you are using App Service you actually get a Static Public IP for your App Service but that one is shared with many other customers hence you need to use your App Service URL eg. https://[AppServiceName].azurewebsites.net or add a Custom Domain to your App Service.
So if you really need a public IP that is not shared, you have to move over to IaaS, e.g. Virtual Machines.
I am currently trying to use Azure Pipelines to build a Docker image and push it to the Azure Container Registry. I have a Service Connection set up, but the build is failing with "denied." I suspect the reason for this is that my Container Registry is set up to only allow access from "selected networks" and is restricted to a few IPs. I validated this by temporarily allowing all networks, and then the build/push succeeded.
Is there any way to get Azure Pipelines to successfully push a Docker image to the Container Registry that is only allowing selected networks? I thought that was what the Service Connection was for?
I'm afraid you're right. The possible reason is that you set it to selected networks and did not add the IP address of DevOps to allow the traffic. As I know, the IP address of DevOps will change over time; here is the description:
"In some setups, you may need to know the range of IP addresses where agents are deployed. For instance, if you need to grant the hosted agents access through a firewall, you may wish to restrict that access by IP address. Because Azure DevOps uses the Azure global network, IP ranges vary over time."
So you need to allow an IP range, not a single IP address. And it's not a secure way. Well, the most secure way from my experience is to control the access permission for all the people, not the networks. You can create multiple service principals and grant them different roles to control the permission. For example, use the role AcrPull; it only has permission to pull the images. More details about the roles here. You can even control the permission on the repositories; here is more about it.
By the way, the firewall to select the networks, I think it's more suitable for the resources inside Azure; for this, you can use the endpoint to achieve it.
Please make sure that your service connection has AcrPush permission.
You can check it or add if needed here:
(You will find your connection under name 'your-organization-your-project')
I've written a pretty basic SQL Backed VSTO Outlook addin, which will eventually be used by about 20 people in several offices of the company I work for. All will also be working from home periodically.
The tutorials I've followed so far go through adding "your own" IP address to the server firewall rules:
https://learn.microsoft.com/en-gb/azure/sql-database/sql-database-get-started-portal-firewall
As does a similar question I came across during my research for this question:
SQL Azure Firewall Rules on New Portal
This wasn't a problem when it was just me using the app, I followed the tutorial once to add my office IP address, and once to add my home IP address. It would be very awkward though if I had to get everyone to collect their IP addresses and set each of them up on the firewall.
This would be my first application to use remote resources, so I'm unsure of the next steps with the firewall, and so struggling to find a guide. Should I be:
1. Opening up the firewall to all, but creating a strong password stored within the app
2. Creating an initialisation step within the app to grant new users access through the firewall
3. Creating some kind of proxy so that all of the SQL requests come from the same IP address.
In the case of (2) creating an initialisation step - azure sql server firewall settings appears to change a firewall rule - wouldn't that mean only one person can connect at once?
The best option would be:
1a. Opening up the firewall to all, but requiring Azure Active Directory Authentication for the users.
You can create a small application that can remotely update an Azure SQL firewall rule with a local PC IP address. For that you will need Microsoft Management Fluent library and Resource Group and Resource Management (Fluent) capabilities for Microsoft Azure. Here you will find a sample application.
You may also need to register the application as an Azure Active Directory application as explained here and assign a corresponding role for it. Then you will be able to create an authorization file for the application as explained here.
subscription=########-####-####-####-############
client=########-####-####-####-############
tenant=########-####-####-####-############
key=XXXXXXXXXXXXXXXX
managementURI=https\://management.core.windows.net/
baseURL=https\://management.azure.com/
authURL=https\://login.microsoftonline.com/
graphURL=https\://graph.windows.net/
You can also provide all users with a PowerShell script that can get authenticated on its own to SQL Azure using an Azure Active Directory authentication token as explained here and then update a firewall rule or create a new one using the following script.
# $servername is the logical SQL server name; the 0.0.0.0 values are placeholders
# to replace with the client's public address (or a start/end range).
New-AzureRmSqlServerFirewallRule -ResourceGroupName "myResourceGroup" `
    -ServerName $servername -FirewallRuleName "AllowSome" `
    -StartIpAddress "0.0.0.0" -EndIpAddress "0.0.0.0"
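The per-user script this answer sketches, as an added example using the Az module rather than the answer's AzureRm command: each user gets their own named rule holding only their current /32, so rules for different users never overwrite each other and several people can be allowed at once. Resource group and server name are assumed.

```powershell
# Added example (not the answer's script). Each user runs this once per network
# change; it needs an Azure AD sign-in with rights to manage firewall rules on the
# server. Assumed names: resource group rg-sql, logical server sql-addin.
param(
    [string]$ResourceGroup = 'rg-sql',
    [string]$ServerName    = 'sql-addin',
    [string]$User          = $env:USERNAME
)
$ErrorActionPreference = 'Stop'
Connect-AzAccount | Out-Null    # interactive Azure AD sign-in

# The user's current public address, looked up the same way as the ipinfo one-liner on this page.
$ip = (Invoke-RestMethod -Uri 'https://ipinfo.io/json').ip
if ($ip -notmatch '^(\d{1,3}\.){3}\d{1,3}$') { throw "Unexpected address from lookup: $ip" }

# One rule per user, named after the user rather than the address, so the rule
# can be updated in place when the user's IP changes.
$ruleName = "user-$User"
$existing = Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $ServerName `
    -FirewallRuleName $ruleName -ErrorAction SilentlyContinue
$params = @{
    ResourceGroupName = $ResourceGroup
    ServerName        = $ServerName
    FirewallRuleName  = $ruleName
    StartIpAddress    = $ip     # single address, not a range
    EndIpAddress      = $ip
}
if ($existing) {
    if ($existing.StartIpAddress -eq $ip -and $existing.EndIpAddress -eq $ip) {
        Write-Host "Rule $ruleName already allows $ip"
        return
    }
    Set-AzSqlServerFirewallRule @params | Out-Null
    Write-Host "Updated $ruleName to $ip"
} else {
    New-AzSqlServerFirewallRule @params | Out-Null
    Write-Host "Created $ruleName for $ip"
}
```

Stale rules are visible by name in the server's firewall settings, so a rule for a user who has left can be removed with Remove-AzSqlServerFirewallRule without touching anyone else's access.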
Current guidelines to add an Endpoint mapping are way too complicated compared to the classic VMs model.
Is this the only way now to simply map a public port to an internal port?
https://azure.microsoft.com/pt-pt/documentation/articles/load-balancer-arm-powershell/
It's not the ultimate way to configure endpoints on IaaS VMs that use the ARM model. Actually - please note that it may change at the discretion of MS - each VM you create using the new portal will come by default with a network security group (NSG) with the same name as the VM, that you'll be able to search for later in the portal.
Then, you'll be able to edit those NSG to make them compliant with your requirements.