Microsoft Launches Azure DevOps Service Tag

Service Tags are a simple and easy way to manage your networking configuration to allow traffic from specific Azure services

Recently, Microsoft announced the release of Azure DevOps Service Tag. Service Tags are a simple and easy way for users to manage their networking configuration to allow traffic from specific Azure services.

Previously, IP addresses changed whenever new Azure DevOps systems were added or migrated. Customers were unaware of the IP changes and had to update their on-prem firewalls or Azure NSGs manually.

Now that a service tag has been set up for Azure DevOps Services, customers can allow access by adding the tag name AzureDevOps to their NSGs or firewalls programmatically using PowerShell and CLI. The portal will be supported at a later date.

Source: Microsoft

The service tag can also be used for on-prem firewalls via a JSON file download. The tag is supported only for inbound connections from Azure DevOps to customers’ on-prem environments. The inbound connection applies to scenarios like:

  • Azure DevOps Services connecting to endpoints for Service Hooks
  • Azure DevOps Services connecting to customer-controlled SQL Azure VMs for Data Import
  • Azure Pipelines connecting to on-prem source code repositories such as GitHub Enterprise or BitBucket Server
  • Azure DevOps Services Audit Streaming connecting to on-prem or cloud-based Splunk

Also, note that the Service Tag does not apply to Microsoft Hosted Agents. You will need to allow the entire geography for the Microsoft Hosted Agents. If allowing the entire geography is a concern, Microsoft recommends using Azure Virtual Machine Scale Set Agents.
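For the on-prem firewall case, the following added example (not Microsoft's code) shows one way to turn the JSON download into an allow-list change plan. It assumes the `values[].properties.addressPrefixes` layout of the Service Tags file; the function names and the sample prefixes (documentation ranges) are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the assumed layout of the Service Tags JSON download.
# The prefixes are documentation ranges, not real Azure DevOps addresses.
SAMPLE_JSON = """
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {"name": "AzureDevOps", "id": "AzureDevOps",
     "properties": {"systemService": "AzureDevOps",
                    "addressPrefixes": ["198.51.100.0/24", "203.0.113.0/25",
                                        "2001:db8:10::/48"]}},
    {"name": "Storage", "id": "Storage",
     "properties": {"systemService": "AzureStorage",
                    "addressPrefixes": ["192.0.2.0/24"]}}
  ]
}
"""

def tag_prefixes(doc, tag="AzureDevOps"):
    """Return the tag's prefixes as validated ip_network objects."""
    for entry in doc.get("values", []):
        if entry.get("name") == tag:
            # ip_network() rejects malformed CIDRs and prefixes with host bits set
            return {ipaddress.ip_network(p)
                    for p in entry["properties"]["addressPrefixes"]}
    raise KeyError(f"service tag {tag!r} not found in file")

def plan_update(current_rules, doc, tag="AzureDevOps"):
    """Diff the firewall's current inbound allow-list against the tag."""
    wanted = tag_prefixes(doc, tag)
    if not wanted:
        # An empty tag would translate into "remove every rule"; stop instead
        raise ValueError("tag has no prefixes; refusing to plan removals")
    current = {ipaddress.ip_network(r) for r in current_rules}
    return {
        "add": sorted(str(n) for n in wanted - current),
        # Stale ranges stay reachable until removed, so report them explicitly
        "remove": sorted(str(n) for n in current - wanted),
    }

if __name__ == "__main__":
    existing = ["198.51.100.0/24", "192.0.2.128/25"]  # constructed firewall state
    print(plan_update(existing, json.loads(SAMPLE_JSON)))
```

Run against each new copy of the file, the `remove` list matters as much as `add`: a range that has left the tag is an inbound allow rule for addresses the service no longer uses.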


