New IP address ranges with Service Tags for Azure DevOps Services

This post has been republished via RSS; it originally appeared at: Microsoft Developer Blogs.

Azure DevOps Services will support Service Tags by the end of CY2020. Azure Service Tags are a convenient way for customers to manage their networking configuration to allow traffic from specific Azure services. Once a Service Tag has been set up for Azure DevOps Services, customers can easily allow access by adding the tag name azuredevops to their NSGs or firewalls either through the portal or programmatically. 

In preparation for this enhancement, our IP address space will be changing for outbound traffic from Azure DevOps Services to customers' on-prem systems, effective October 5 2020. If you're currently using firewall rules to allow traffic from Azure DevOps Services, please be sure to update these rules to account for our new IP ranges by that deadline. We will be conducting a brownout test from September 8, 2020 to September 15, 2020 as indicated below. Some of the scenarios are:

  • Azure DevOps Services connecting to endpoints for Service Hooks,
  • Azure DevOps Services connecting to SQL server in customer's on-prem systems for Data Import,
  • Azure Pipelines connecting to on-prem source code repositories such as GitHub Enterprise or BitBucket Server.

    The Service Tag does not apply to Microsoft Hosted Agents. Customers are still required to allow the entire geography for the Microsoft Hosted Agents.  For inbound traffic from customers' on-prem systems to Azure DevOps Services, customers can continue to follow the guidelines here.

    Determining impact

    To help you determine whether this change impacts your organization, we are building an Azure DevOps IP Check Tool. The IP Check Tool is used to validate inbound and outbound connectivity between Azure DevOps Services and customers' on-prem systems. Please use this tool prior to the brownout and after to validate your connectivity.

    For inbound testing from your on-prem system to Azure DevOps Services, please make sure that the browser running the test is connected to your target network. We will attempt to contact Azure DevOps Services and report any errors we see.

    For outbound testing from Azure DevOps Services to your on-prem systems, please provide us with a REST URL you expect our services to call. We will attempt to call the URL from each of our service regions. Any HTTP status code between 200 and 499 will be considered a successful connection. All 5xx status codes will be reported as an error.

    If you are having issues, please post an update on this open developer community item.

    IP Address Changes

    To react to the changes in our IPv4 address range, users should ensure dev.azure.com is open and update their allowed IPs to include the following IPv4 addresses (based on your region). You will also be able to use the service tag name azuredevops to allow all IP ranges below but the tag will not  be available until November 2020. IPv6 is not supported at this time.

    IP Address Ranges

    Region IP address ranges
    brazilsouth 191.235.226.0/24
    asiaeast 20.189.107.0/24
    uscentral 20.37.158.0/23
    australiaeast 20.37.194.0/24
    indiasouth 20.41.194.0/24
    useast2 20.41.6.0/23
    uswest2 20.42.134.0/23
    australiasoutheast 20.42.226.0/24
    useast 20.42.5.0/24
    ussouth 40.119.10.0/24
    europewest 40.74.28.0/23
    usnorth 40.80.187.0/24
    uswest 40.82.252.0/24
    uksouth 51.104.26.0/24
    uswestcentral 52.150.138.0/24
    canadacentral 52.228.82.0/24

    Azure DevOps documentation will be updated with the new IP address ranges here. A complete list of Azure DevOps Services guidelines for configuring firewalls and proxy servers can be found in the Allow IP addresses and URLs to the allow list document.

    Rollout plan

    Over the course of the next few weeks, we will conduct a series of brownout tests to identify organizations that may be impacted by these routing changes. We will conduct our first test on September 8, 2020 and complete by September 15, 2020. See below for the brownout schedule. The brownout test will take 2 hours.

    Brownouts in chronological order

    UTC Date Time Region Local Date Time
    2020-09-08 14:00 uscentral 2020-09-08 09:00 CDT
    2020-09-08 22:00 australiaeast 2020-09-09 08:00 AEST
    2020-09-09 14:00 useast2 2020-09-09 10:00 EDT
    2020-09-09 19:00 canadacentral 2020-09-09 15:00 EDT
    2020-09-10 11:00 indiasouth 2020-09-10 16:30 IST
    2020-09-10 17:00 uswest2 2020-09-10 10:00 PDT
    2020-09-11 12:00 uksouth 2020-09-11 13:00 BST
    2020-09-11 18:00 brazilsouth 2020-09-11 15:00 BRT
    2020-09-14 13:00 europewest 2020-09-14 15:00 CEST
    2020-09-15 00:00 asiaeast 2020-09-15 08:00 HKT

    In the event we are running these tests and use cases such as service hooks, data import, and pipelines are not working during this period of time, please navigate to the status page and check that there aren't any ongoing incidents and update your IP address allow list. We are targeting November, 2020 to make Service Tags generally available for Azure DevOps.

    Reporting Issues

    If you experience any issues with accessing your Azure DevOps organization after updating your IP allow list, please post an update on this open developer community item.

  • REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

    This site uses Akismet to reduce spam. Learn how your comment data is processed.