How do I specify firewall rules in ACR when build and release pipelines are defined in Azure DevOps? The release pipeline (pull) may not have an issue, as the VNet of the AKS service CIDR can be allowed access in the firewall rules, but what about the push, which will go through the build pipeline?
- What firewall rule do you mean? – Charles Xu Mar 27 '20 at 06:02
- 'Firewall and virtual network settings' under Azure Container Registry, accessible from the Azure Portal, which limits access to ACR to the defined IPs/CIDRs. – Aalap Mar 27 '20 at 06:05
- OK, then what are you confused about? The VNet allowed access, or the firewall rule below it? – Charles Xu Mar 27 '20 at 06:08
- If a subnet or public IP is added, then what should the IP address or VNet be if a docker image has to be pushed from an Azure DevOps build pipeline? – Aalap Mar 27 '20 at 06:42
- See the answer to [this SO post](https://stackoverflow.com/questions/63380084/) for how to add the IP of the current agent to your ACR firewall in a pipeline. – BikerP Sep 29 '22 at 11:41
1 Answer
The ACR firewall works like this: when you enable it and allow the VNet to access the ACR, the resources in that VNet can access the ACR for actions such as pulling and pushing images. The IP address or CIDR in the firewall rule means the IP address of the machine that you use to send the control requests.
For example, if you want to push images to the ACR and you have also enabled the ACR firewall, then you need to add the public IP of your local machine as the IP address in the ACR firewall rule.
When you use Azure DevOps to create the tasks that control the ACR, I think you need to add the public IP of Azure DevOps to the ACR firewall rule.

Charles Xu
- Hello Charles, I am well aware of the Firewall & Virtual Network settings feature of ACR. My concern is whitelisting the Azure DevOps IP address. The range of IP addresses used by Azure DevOps can be obtained, but this will be a wide range of IPs. It will still enable any pipeline within Azure DevOps that has a service connection to push images to the container registry. Is there any other alternative? According to me, the security reliability here rests more on the service connection than on IP whitelisting. – Aalap Mar 27 '20 at 08:06
- @Aalap If you mean the firewall, then there is no alternative as far as I know. But I recommend you use [access control](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles) instead of the firewall. Also, you can control the permissions of the repositories. – Charles Xu Mar 27 '20 at 08:23
- Yes, this is taken care of using access control. I wanted to have clarity in terms of whitelisting IPs, on which I reckon both of us are on the same page. – Aalap Mar 27 '20 at 09:37
- @Aalap If the IP address is static, it's no problem. But as you said, it's dynamic, so whitelisting the IP is not a good way. OK, if the answer works for you, please mark it. – Charles Xu Mar 27 '20 at 09:44
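The answer says to allow the public IP of the Azure DevOps agent, and the comments note that hosted agents draw from a wide, dynamic range, so allowing the whole range lets any pipeline with a service connection push. The pattern the last comment on the question points to, as an added example that is not code from the question, the answer, or Microsoft, is a just-in-time rule: discover the agent's current egress IP, allow only that address, push, then remove the rule again in the same job. It assumes `az login` has already happened (for example inside an AzureCLI@2 task backed by a service connection), that the registry's default action is already Deny, and that any "what is my IP" endpoint will do (`https://api.ipify.org` is an assumption, not a requirement). Registry and image names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Microsoft):
# just-in-time ACR firewall rule for one Azure DevOps agent run.
# Assumes `az login` already happened via the pipeline's service connection.
set -eu

AZ=${AZ:-az}                 # the three tools are overridable so the logic
DOCKER=${DOCKER:-docker}     # can be exercised without Azure or Docker
CURL=${CURL:-curl}
IP_LOOKUP=${IP_LOOKUP:-https://api.ipify.org}   # assumption: any echo-my-IP service
LOGIN_ATTEMPTS=${LOGIN_ATTEMPTS:-5}             # rule propagation is not instant
LOGIN_BACKOFF=${LOGIN_BACKOFF:-10}              # seconds between login retries

# Dotted-quad check: exactly four fields, each an integer 0-255.
# Rejects anything that could smuggle extra arguments into the az call.
valid_ipv4() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Public egress IP of this agent. Hosted agents get a different address on
# every run, so it has to be discovered at run time, then validated.
agent_ip() {
  ip=$("$CURL" -fsS "$IP_LOOKUP")
  valid_ipv4 "$ip" || { printf 'unexpected IP lookup result: %s\n' "$ip" >&2; return 1; }
  printf '%s\n' "$ip"
}

# az acr network-rule add/remove accept a single IPv4 address or a CIDR.
allow_ip()  { "$AZ" acr network-rule add    --name "$1" --ip-address "$2" --output none; }
revoke_ip() { "$AZ" acr network-rule remove --name "$1" --ip-address "$2" --output none; }

# A freshly added rule may not be enforced immediately; retry the login
# a few times before giving up (back-off values above are assumptions).
login_with_retry() {
  attempt=1
  until "$AZ" acr login --name "$1"; do
    [ "$attempt" -lt "$LOGIN_ATTEMPTS" ] || return 1
    attempt=$((attempt + 1))
    sleep "$LOGIN_BACKOFF"
  done
}

# Allow this agent, push, and always revoke the rule again, even when the
# push fails, so a shared hosted-agent address never lingers in the allow list.
push_with_jit_rule() {
  registry=$1
  image=$2
  ip=$(agent_ip)
  allow_ip "$registry" "$ip"
  status=0
  ( login_with_retry "$registry" && "$DOCKER" push "$registry.azurecr.io/$image" ) || status=$?
  revoke_ip "$registry" "$ip"
  return "$status"
}

# Usage: ./jit_acr_push.sh <registry-name> <image:tag>
if [ $# -eq 2 ]; then
  push_with_jit_rule "$1" "$2"
fi
```

This narrows the allow list from the whole Azure DevOps address range to one address for the duration of one push, but it does not change what the comments above already establish: any pipeline holding the same service connection can run the same script, so the real gate is the RBAC on that service connection and the repository-scoped permissions, with the firewall as a second layer. Two operational caveats: if the job is cancelled between `allow_ip` and `revoke_ip` the cleanup never runs, so pair this with a final pipeline step that has `condition: always()` (or a periodic check of `az acr network-rule list`), and the tests below exercise the add/push/remove ordering with stubbed tools rather than a real registry.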