Azure DevOps and Azure Resources Behind Firewall

We noticed our release pipeline was broken after fixing some Kenna warnings relating to a storage account not having its firewall enabled. The storage account is accessed from our DevOps pipelines. This required us to whitelist the build/release agent's IP address. Since these IP addresses aren't static, we would have to do this dynamically. Two tasks were added to add and remove the agent's IP address.

Task 1

steps:
- task: AzureCLI@4
  displayName: 'Azure CLI - Add Agent''s IP to Temp Storage Account'
  inputs:
    azureSubscription: 'YOUR_AZURE_SUBSCRIPTION'
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: |
     [string] $ip = (((invoke-webrequest -Uri 'https://checkip.amazonaws.com/').Content | % {[char]$_}) -join "").TrimEnd()

     Write-Output "Agent's external IP=$ip"
     Write-Host "##vso[task.setvariable variable=ip]$ip"
     az storage account network-rule add --resource-group "YOUR_RESOURCE_GROUP" --account-name "YOUR_ACCOUNT_NAME" --ip-address $ip

Task 2

Azure File Copy

Task 3

az storage account network-rule remove --resource-group "YOUR_RESOURCE_GROUP" --account-name "YOUR_ACCOUNT_NAME" --ip-address "$(ip)"

You could also disable the firewall and re-enable it with the --default-action parameter, but that should be a last resort, since the storage account accepts traffic from all networks while the default action is Allow.

A task output variable is set by the first task and then referenced by the third task.

Write-Host "##vso[task.setvariable variable=ip]$ip"

If isoutput=true is set then referencing the variable in Task 3 would be $(my_task_name.ip).

Write-Host "##vso[task.setvariable variable=ip;isoutput=true]$ip"

This bit me...

To see all the debug output, declare the System.Debug variable and set it to true under Variables in the pipeline definition.

Azure CLI was chosen over Azure PowerShell since using Azure PowerShell has always been problematic for me (access issues even with the same resources).

Note that the checkip.amazonaws.com response is returned as ASCII character codes and includes a trailing newline. The AWS API was chosen over https://ifconfig.me/ip for reliability/security.
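
An added example, not the author's pipeline: the add and remove tasks above with the response validated before it reaches the firewall rule, the IP passed as an output variable, and the removal set to run even when the copy fails. The task version AzureCLI@2, the step name AddAgentIp and the placeholders in capitals are assumptions.

```yaml
# Added example: AzureCLI@2, the step name AddAgentIp and the CAPS placeholders are assumptions.
steps:
- task: AzureCLI@2
  name: AddAgentIp                       # step name used to reference the output variable
  displayName: 'Add agent IP to storage account firewall'
  inputs:
    azureSubscription: 'YOUR_AZURE_SUBSCRIPTION'
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: |
      # HTTPS so the address that ends up in the allow list cannot be altered in transit
      $raw = (Invoke-WebRequest -Uri 'https://checkip.amazonaws.com/' -UseBasicParsing).Content
      # Content may be a byte array (ASCII codes) or a string, depending on the PowerShell version
      if ($raw -is [byte[]]) { $raw = [System.Text.Encoding]::ASCII.GetString($raw) }
      $ip = "$raw".Trim()                 # drop the trailing newline
      # Refuse to allow-list anything that is not a single IPv4 address
      $parsed = $null
      if (-not ([System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) -or
          $parsed.AddressFamily -ne 'InterNetwork') {
        throw "Unexpected response from IP lookup: '$ip'"
      }
      Write-Host "##vso[task.setvariable variable=ip;isOutput=true]$ip"
      az storage account network-rule add --resource-group "YOUR_RESOURCE_GROUP" --account-name "YOUR_ACCOUNT_NAME" --ip-address $ip

# Task 2 (Azure File Copy) goes here, unchanged.

- task: AzureCLI@2
  displayName: 'Remove agent IP from storage account firewall'
  condition: always()                    # run even if an earlier step failed, so the rule is not left behind
  inputs:
    azureSubscription: 'YOUR_AZURE_SUBSCRIPTION'
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: |
      # isOutput=true means the variable is referenced through the step name
      az storage account network-rule remove --resource-group "YOUR_RESOURCE_GROUP" --account-name "YOUR_ACCOUNT_NAME" --ip-address "$(AddAgentIp.ip)"
```

Without `condition: always()`, a failed copy skips the removal and the agent's address stays in the storage account's allow list until someone deletes it by hand.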
