
I've got a self hosted VSTS / Azure DevOps release agent up and running on a development server and have no trouble deploying my app.

I also have a QA and production environment, but it is locked down, only allowing outbound traffic to specified addresses / protocols. I know about the IP addresses I need to open from MSDN and I have the agents installed and they appear to be online. Those IP addresses are unblocked for port 443. I also have no DNS capabilities on these servers so I have added host entries for dev.azure.com and vsapps.dev.azure.com (I think that's right but I'm not in front of the machine right now). That got me online.

As soon as I try to do a deployment to these servers, it stalls and the error states that the communication with the server was lost. I'm assuming there are other subdomains under the *.dev.azure.com that I need to have host entries for, but I don't know what they are to enable them.

Is there a resource that either a) tells me which subdomains I need to add to my hosts file, or b) will allow me to do wildcard DNS lookups without having to install some third-party proxy server on my machine (not going to be allowed by networking and security)? I understand I can't do wildcards in my hosts file.

4c74356b41
Matt Milner
  • I think easiest would be to unblock outbound 53 to 8.8.8.8 and use that DNS, tbh – 4c74356b41 Mar 16 '19 at 17:49
  • `vsrm.dev.azure.com` is definitely one, as is `feeds.dev.azure.com`. There are others as well. The REST APIs at https://learn.microsoft.com/en-us/rest/api/azure/devops/?view=azure-devops-rest-5.0 contain them. – Daniel Mann Mar 16 '19 at 18:08

1 Answer


Microsoft has a published list of whitelist addresses:

List of URLs for sign-in and licensing connections
https://management.core.windows.net
https://login.microsoftonline.com
https://login.live.com
https://go.microsoft.com
https://graph.windows.net
https://app.vssps.visualstudio.com

A more general list of URLs for signing in to Azure DevOps and Azure
https://windows.net
https://microsoftonline.com
https://visualstudio.com
https://microsoft.com
https://live.com
https://dev.azure.com
https://management.core.windows.net
https://app.vssps.visualstudio.com
https://vstsagentpackage.azureedge.net
https://cdn.vsassets.io -- hosts our CDN content
https://gallerycdn.vsassets.io -- hosts Azure DevOps extensions
https://static2.sharepointonline.com -- hosts some resources that we use in "office fabric" UI kit (fonts, etc).

To ensure your organization works with any existing firewall or IP restrictions, ensure that dev.azure.com is open and the 13.107.6.183 and 13.107.9.183 IP addresses are allowed.

NuGet connections
https://azurewebsites.net
https://nuget.org

Matt
  • That's not related to VSTS agents doing releases/deployments, it's for Visual Studio and the various tool windows that connect to Azure and VSTS and is focused on signing in. – Matt Milner Mar 18 '19 at 12:16
  • It has agent required addresses mixed-in. For example, you need to have this link to be able to have your agents auto-update: https://vstsagentpackage.azureedge.net – Matt Mar 18 '19 at 14:10
  • Perhaps, but what's not in there is vsrm.dev.azure.com and vssps.dev.azure.com. Turns out those were the two I needed for a release agent. feeds.dev.azure.com would also be needed if the release agent needed to pull down any packages from my Azure DevOps artifacts. – Matt Milner Mar 20 '19 at 18:11
  • Could you log a new GitHub ticket to get them added to the whitelist then? You can do it directly from the Content feedback on that page or using this [link](https://github.com/MicrosoftDocs/vsts-docs/issues) – Matt Mar 20 '19 at 18:33
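
A hosts-file audit for the situation in this thread, as an added example that is not part of the original posts or of Microsoft's tooling: it parses hosts-file text and reports which of the hostnames named on this page have no entry, since the hosts file cannot express wildcards. The function names, the composition of the required list, and the sample file with its placeholder addresses are assumptions made for illustration.

```python
import socket

# Hostnames named on this page as needed by a self-hosted release agent.
REQUIRED_HOSTS = [
    "dev.azure.com",
    "vsrm.dev.azure.com",
    "vssps.dev.azure.com",
    "feeds.dev.azure.com",             # only if the release pulls Azure Artifacts packages
    "vstsagentpackage.azureedge.net",  # agent auto-update
]

def parse_hosts(text):
    """Map each lowercased hostname in hosts-file text to its IP address."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line
        ip, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower().rstrip("."), ip)  # keep the first mapping seen
    return mapping

def missing_hosts(text, required=REQUIRED_HOSTS):
    """Return the required names that have no active hosts entry."""
    mapping = parse_hosts(text)
    return [h for h in required if h not in mapping]

def can_connect(host, port=443, timeout=5.0):
    """True if an outbound TCP connection to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample hosts file; addresses are documentation placeholders (TEST-NET-1).
SAMPLE_HOSTS = """\
127.0.0.1    localhost
192.0.2.10   dev.azure.com vsapps.dev.azure.com   # entries described in the question
192.0.2.11   VSRM.dev.azure.com
# 192.0.2.12 vssps.dev.azure.com   (commented out, so not in effect)
"""

if __name__ == "__main__":
    for host in missing_hosts(SAMPLE_HOSTS):
        print("no hosts entry:", host)
```

On the agent server, pass the contents of the real hosts file to `missing_hosts`, then call `can_connect` for each name that does have an entry to confirm the firewall allows port 443 to the mapped address.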