sonar Setting up in Azure cloud and automate through VSTS - azure

I just gone through some documents regarding the sonar and azure cloud ,I am new to Sonar and Azure Cloud.As per the documentation which I gone through,I got some idea on this.I have installed sonar plugin in VSTS and tried to connect to azure but As per my understanding we need to set proxy in azure servers so that I can connect to azure.But still I am not having the approach to connect sonar with Azure.Do we need to setup any private agent in VSTS and install sonar or any subscription we need to add in Azure ( End point).Please share your thoughts on this.

You can create a Microsoft SQL Server VM in azure, then configure/install sonarqube and map 80 port (Public port) to Sonarqube port (default is 9000).
A related article: How to setup a SonarQube server in Azure.
On the other hand, the public IP address may be changed, you can use a static public IP address, more information you can refer to: Create a VM with a static public IP address using the Azure portal.
Regarding the sonarqube server just can be accessible from intranet, you need to setup a private build agent (can access that sonarqube from this build agent machine), then queue build with this private build agent.

Related

Failed to deploy web package to App Service. Ip Forbidden (CODE: 403)

I have an App Service that has a private endpoint and virtual network configured.
I deploy to this App Service from Azure DevOps pipeline that uses a Virtual Machine Scale Set that is in the same virtual network as the App Service. I deploy to a production App Service slot.
However, I still get the following error:
2021-10-29T11:24:48.0057934Z Package deployment using ZIP Deploy initiated.
2021-10-29T11:24:48.0198779Z ##[error]Failed to deploy web package to App Service.
2021-10-29T11:24:48.0217137Z ##[error]Error: Error: Failed to deploy web package to App
Service. Ip Forbidden (CODE: 403)
What could block the IP?
Thank you Christian Vorhemus posting your suggestion as an answer to help other community members.
"The reason for this is because as you add a private endpoint to your web app, all Internet traffic to this app is cut off. Since the Azure DevOps Default build/release agents have a public IP, they can't access the web app anymore.
To resolve your issue, in Azure create a VM or a VM Scale Set either in the same VNet as your private endpoint of the web app. Then add this scale set as a new agent pool. Finally make sure that in the release pipeline settings, the release is using this new agent pool."
Please refer this SO thread for more information .

Azure web app container private Endpoint deployment doesn't work with private endpoint container registry

The Setup I have:-
Azure web app container on a private endpoint that also has Vnet integration.
private endpoint azure container registry.
A self hosted azure devops virtual machine for running build jobs.
The Github repos are linked to the azure devops account.
For this particular project, I am building and pushing the docker image to azure container registry and then deploying that image to the azure web app container. All of the components in the above system are on the same virtual network. I used this guide for the pipeline:-
https://learn.microsoft.com/en-us/azure/devops/pipelines/targets/webapp-on-container-linux?view=azure-devops&tabs=yaml#deploy-with-azure-web-app-for-container
The problem:-
The pushing of image to the container registry works. But the azure web app container is not able to pull the container registry image over the private network. It tries to do it over the public internet which is disabled in registry firewall. Below is the error message I get:-
DockerApiException: Docker API responded with status code=InternalServerError,
response={"message":"Get https://xxxx.azurecr.io/v2/docker_file_path/manifests/19: denied: client with IP
'xx.xxx.132.231' is not allowed access. Refer https://aka.ms/acr/firewall to
grant access."}
The IP xx.xxx.132.231 is the public outbound IP of that azure web app so it's confirmed that it's tying to do so over the public internet.
What I found:-
I searched and found that another person had the exactly same error. The Microsoft team has been working on it since months but it still doesn't work yet.
https://learn.microsoft.com/en-us/answers/questions/280774/app-service-for-web-app-for-containers-container-r.html
Question:-
Is there any way I could make it work? Is there some other way of deployment for web app containers with private endpoint which can happen entirely over the virtual network? Thanks for reading.
Azure Container Apps Virtual Network Integration Announced 2022-02-02
https://techcommunity.microsoft.com/t5/apps-on-azure-blog/azure-container-apps-virtual-network-integration/ba-p/3096932

Is port 9000 allowed in Microsoft hosted ubuntu agent in azure devops

I have sonarqube configured in my localhost with 9000 port http://www.localhost:9000/
Now, I have created a service connection in azure DevOps with this url.
when I tried to analyze a project via pipeline building on a Microsoft hosted ubuntu image.. it throws error as error connection refused for port 9000 during prepare sonaranalysis task.
error:
##[error][SQ] API GET '/api/server/version' failed, error was: {"code":"ENOTFOUND","errno":"ENOTFOUND","syscall":"getaddrinfo","hostname":"www.localhost","host":"www.localhost","port":"9000"}
Finishing: SonarQubePrepare
Could someone help to fix this?
If the sonarqube configured in your local machine. Cloud hosted agents will not be able to access to the local hosted sonarqube server, for your local machine cannot be accessed from Microsoft cloud hosted agents.
You will need to create a self-hosted agent on your local machine. And run your pipeline on this self-hosted agent by targeting your private agent pool when queuing your pipeline. For the local hosted sonarqube server can be accessed from your local machine.
Another workaround is to expose your localhost:9000 to the public network using tools like ngrok as 4c74356b41 mentioned.
yeah, basically this will never work, you need to have an externally available endpoint for your sonarqube and connect to that one
so something like ngrok.com might help you with that if you want to host sonarqube on your workstation

Connecting to Azure Subscription from Microsoft Hosted Build Agent

I've got a Azure Build pipeline, which runs on Microsoft Hosted Build Agent.
CI build contains integration tests that need to connect to a SQL Server, which is hosted on a Azure Virtual Machine, however that SQL Server is accessible only from private network.
Is there a way for CI build to connect to that SQL Server in order to run integration tests?
Is there a way for CI build to connect to that SQL Server in order to run integration tests?
Indeed, just like Poney said, we could white list the IP address used by the Microsoft Azure Datacenter IP Ranges in the list mentioned:
https://www.microsoft.com/en-nz/download/details.aspx?id=41653
But this list gets updated every week, so please be mindful of this during the deployment planning.
As workaround, you could set start/stop IP range 0.0.0.0, but this option configures the firewall to allow all connections from Azure including connections from the subscriptions of other customers. When selecting this option, make sure your login and user permissions limit access to only authorized users.
Check the documents Azure SQL Database and SQL Data Warehouse IP firewall rules and Deploy .dacpc to Azure DB via VS Team Services Release–Using Hosted Agents for some more details.
This way you don't need to update the IP list according to the XML downloaded weekly.
Hope this helps.

How to deploy application from AzureDevOps to custom VM inside Azure?

I'am using AzureDevOps to build and pack my docker application.
The goal is to execute docker-compose commands in Azure VM, which is behind the firewall and can be access only thru vpn connection or standard web-browsing ports.
You can use deployment groups to achieve that. Reason this will work, because it is a one way communication (from agent to Azure Devops), so you dont really need to open ports for the VM, the VM has to only be able to reach Azure Devops endspoints (more on this).
TLDR. Using agents will work, because its an outgoing connection from the agent, not from Azure Devops to the agent.

Resources