New IP address ranges with Service Tags for Azure DevOps Services

This post has been republished via RSS; it originally appeared at: Microsoft Developer Blogs.

Azure DevOps Services will support Service Tags by the end of CY2020. Azure Service Tags are a convenient way for customers to manage their networking configuration to allow traffic from specific Azure services. Once a Service Tag has been set up for Azure DevOps Services, customers can easily allow access by adding the tag name azuredevops to their NSGs or firewalls either through the portal or programmatically. 

In preparation for this enhancement, our IP address space will be changing for outbound traffic from Azure DevOps Services to customers' on-prem systems, effective October 5, 2020. If you're currently using firewall rules to allow traffic from Azure DevOps Services, please be sure to update these rules to account for our new IP ranges by that deadline. We will be conducting a brownout test from September 8, 2020 to September 15, 2020 as indicated below. Some of the scenarios affected are:

  • Azure DevOps Services connecting to endpoints for Service Hooks,
  • Azure DevOps Services connecting to SQL Server in customers' on-prem systems for Data Import,
  • Azure Pipelines connecting to on-prem source code repositories such as GitHub Enterprise or Bitbucket Server.

    The Service Tag does not apply to Microsoft Hosted Agents. Customers are still required to allow the entire geography for the Microsoft Hosted Agents. For inbound traffic from customers' on-prem systems to Azure DevOps Services, customers can continue to follow the guidelines here.

    Determining impact

    To help you determine whether this change impacts your organization, we are building an Azure DevOps IP Check Tool. The IP Check Tool is used to validate inbound and outbound connectivity between Azure DevOps Services and customers' on-prem systems. Please use this tool prior to the brownout and after to validate your connectivity.

    For inbound testing from your on-prem system to Azure DevOps Services, please make sure that the browser running the test is connected to your target network. We will attempt to contact Azure DevOps Services and report any errors we see.

    For outbound testing from Azure DevOps Services to your on-prem systems, please provide us with a REST URL you expect our services to call. We will attempt to call the URL from each of our service regions. Any HTTP status code between 200 and 499 will be considered a successful connection. All 5xx status codes will be reported as an error.

    If you are having issues, please post an update on this open developer community item.

    IP Address Changes

    To react to the changes in our IPv4 address range, users should ensure dev.azure.com is open and update their allowed IPs to include the following IPv4 addresses (based on your region). You will also be able to use the service tag name azuredevops to allow all IP ranges below, but the tag will not be available until November 2020. IPv6 is not supported at this time.

    IP Address Ranges

    Region               IP address ranges
    -------------------  -----------------
    brazilsouth          191.235.226.0/24
    asiaeast             20.189.107.0/24
    uscentral            20.37.158.0/23
    australiaeast        20.37.194.0/24
    indiasouth           20.41.194.0/24
    useast2              20.41.6.0/23
    uswest2              20.42.134.0/23
    australiasoutheast   20.42.226.0/24
    useast               20.42.5.0/24
    ussouth              40.119.10.0/24
    europewest           40.74.28.0/23
    usnorth              40.80.187.0/24
    uswest               40.82.252.0/24
    uksouth              51.104.26.0/24
    uswestcentral        52.150.138.0/24
    canadacentral        52.228.82.0/24

    Azure DevOps documentation will be updated with the new IP address ranges here. A complete list of Azure DevOps Services guidelines for configuring firewalls and proxy servers can be found in the Allow IP addresses and URLs to the allow list document.
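As an added example (not part of the original post and not Microsoft's IP Check Tool), the following Python code audits an existing firewall allow list against the new ranges in the table above and reports, per region, which address space is still not allowed. The function name `uncovered` and the sample allow list are assumptions constructed for illustration; the allow list is assumed to be IPv4 only.

```python
import ipaddress

# New outbound ranges, copied from the table on this page.
NEW_RANGES = {
    "brazilsouth": "191.235.226.0/24", "asiaeast": "20.189.107.0/24",
    "uscentral": "20.37.158.0/23", "australiaeast": "20.37.194.0/24",
    "indiasouth": "20.41.194.0/24", "useast2": "20.41.6.0/23",
    "uswest2": "20.42.134.0/23", "australiasoutheast": "20.42.226.0/24",
    "useast": "20.42.5.0/24", "ussouth": "40.119.10.0/24",
    "europewest": "40.74.28.0/23", "usnorth": "40.80.187.0/24",
    "uswest": "40.82.252.0/24", "uksouth": "51.104.26.0/24",
    "uswestcentral": "52.150.138.0/24", "canadacentral": "52.228.82.0/24",
}

def uncovered(allowlist):
    """Return {region: [CIDRs of the new range not yet allowed]}."""
    # Merge adjacent/overlapping rules so two /24s count as one /23.
    allowed = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c, strict=False) for c in allowlist))
    gaps = {}
    for region, cidr in NEW_RANGES.items():
        remaining = [ipaddress.ip_network(cidr)]
        for net in allowed:
            nxt = []
            for r in remaining:
                if r.subnet_of(net):
                    continue                            # fully covered
                if net.subnet_of(r):
                    nxt.extend(r.address_exclude(net))  # partly covered
                else:
                    nxt.append(r)                       # no overlap
            remaining = nxt
        if remaining:
            gaps[region] = [str(n) for n in
                            ipaddress.collapse_addresses(remaining)]
    return gaps

# Constructed sample allow list (hypothetical firewall export).
SAMPLE_ALLOWLIST = [
    "20.37.158.0/24", "20.37.159.0/24",  # together cover uscentral's /23
    "20.41.6.0/24",                      # only half of useast2's /23
    "40.74.0.0/16",                      # supernet containing europewest
    "198.51.100.0/24",                   # unrelated documentation range
]

if __name__ == "__main__":
    for region, missing in sorted(uncovered(SAMPLE_ALLOWLIST).items()):
        print(f"{region}: add {', '.join(missing)}")
```

A partially covered range such as a /23 with only one /24 allowed is the case most easily missed in a manual comparison, which is why the remaining space is reported as exact CIDRs rather than a yes/no per region.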

    Rollout plan

    Over the course of the next few weeks, we will conduct a series of brownout tests to identify organizations that may be impacted by these routing changes. We will conduct our first test on September 8, 2020 and complete by September 15, 2020. See below for the brownout schedule. The brownout test will take 2 hours.

    Brownouts in chronological order

    UTC Date Time      Region          Local Date Time
    -----------------  --------------  ---------------------
    2020-09-08 14:00   uscentral       2020-09-08 09:00 CDT
    2020-09-08 22:00   australiaeast   2020-09-09 08:00 AEST
    2020-09-09 14:00   useast2         2020-09-09 10:00 EDT
    2020-09-09 19:00   canadacentral   2020-09-09 15:00 EDT
    2020-09-10 11:00   indiasouth      2020-09-10 16:30 IST
    2020-09-10 17:00   uswest2         2020-09-10 10:00 PDT
    2020-09-11 12:00   uksouth         2020-09-11 13:00 BST
    2020-09-11 18:00   brazilsouth     2020-09-11 15:00 BRT
    2020-09-14 13:00   europewest      2020-09-14 15:00 CEST
    2020-09-15 00:00   asiaeast        2020-09-15 08:00 HKT

    If use cases such as service hooks, data import, and pipelines are not working while we are running these tests, please navigate to the status page, check that there aren't any ongoing incidents, and update your IP address allow list. We are targeting November 2020 to make Service Tags generally available for Azure DevOps.

    Reporting Issues

    If you experience any issues with accessing your Azure DevOps organization after updating your IP allow list, please post an update on this open developer community item.
