
I have to delete all the files in Azure Blob Storage (a specific container) automatically via Azure release pipelines. So I have configured a task to get the IP address of the Microsoft agent dynamically and add the IP address to the blob firewall. The script below works successfully sometimes, but I'm not able to see the IP in the firewall list.

Also, the same script is failing many times and throwing an error like:

The request may be blocked by network rules of storage account. Please check network rule set using 'az storage account show -n accountname --query networkRuleSet'.If you want to change the default action to apply when no rule matches, please use 'az storage account update'.

# Look up the hosted agent's public IP (over HTTPS) and quote it so an
# unexpected value cannot be split into extra arguments.
IP=$(curl -fsS https://ipinfo.io/json | jq -r '.ip')

echo "Opening firewall for the IP : $IP"

# Add that single IP to the storage account firewall.
az storage account network-rule add -g custom-web --account-name "customwebapp" --ip-address "$IP"

I'm not sure about this. Is anyone able to advise me on the best way to achieve this, or another alternative secure way of connecting to Azure Blob Storage via a Microsoft-hosted agent?

References: https://learn.microsoft.com/en-us/cli/azure/storage/account/network-rule?view=azure-cli-latest

Debugger
  • You can refer to this [ticket](https://stackoverflow.com/questions/61397786/network-rules-of-storage-account-blocking-container-creation) – Walter Feb 15 '21 at 10:14
  • @WalterQian-MSFT - Thanks - I already checked that solution and added a sleep of 60 secs after network-rule add. But no luck – Debugger Feb 15 '21 at 10:44
  • I have the same issue as yours, you can try to rerun the failed jobs. – Walter Feb 16 '21 at 09:33
  • Yeah, I was already patching it like that temporarily, but as per Continuous Deployment we need to find the RC and fix it. – Debugger Feb 16 '21 at 10:02
  • As a workaround, you can rerun the failed jobs. You can also add an Auto-redeploy trigger in the Post-deployment conditions of the release pipeline. Here is the same ticket in [Developer community](https://developercommunity.visualstudio.com/content/problem/1337796/azure-cli-scripts-to-delete-blob-files-not-working.html). Please vote and follow this ticket. – Walter Feb 19 '21 at 08:07

2 Answers

2

Communication between Microsoft-hosted agents and a storage account behind a firewall is always a troublesome one, even with the above workaround of dynamically opening the storage firewall for that specific Microsoft-hosted agent's IP address. This is mainly due to limitations on the storage account side.

1. Each storage account supports up to 200 IP network rules.

So we cannot add the entire IP ranges of hosted agents that spin up from any of your ADO org's geographical region. If the organization is hosted in West Europe, then hosted agents can come up from North and West Europe. So the no. of IP ranges that should be whitelisted will be more than 200.

Due to this, users go with the above workaround of allowing the particular hosted agent IP address. However, the following limitations will not make the above workaround foolproof. When the hosted agent spins up in the same region as your storage account, the workaround does not work.

2. Services deployed in the same region as the storage account use private Azure IP addresses for communication.
3. IP network rules have no effect on requests originating from the same Azure region as the storage account.

2

A workaround is to temporarily enable public access:

az storage account update --resource-group "$ResourceGroupName" --name "$Name" --default-action Allow

And after you are done with your operation you can turn it off again.
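The question's per-IP approach and this answer's "turn it off again" step combined into one script, as an added example that is not code from the question or either answer: the firewall is opened only for the agent's own IP, the delete is retried because the rule is not effective instantly, and an EXIT trap removes the rule even when the delete fails (narrower than switching the default action to Allow). The resource group and account name come from the question; the container name and the `AZ` override variable are assumptions, and the same-region limitation from the first answer still applies.

```bash
#!/usr/bin/env bash
# Added example (not code from the question or answers): open the storage
# firewall for the agent's public IP only while the container is emptied,
# retry the delete (rule propagation is not instant) and always close it again.
set -eu
RESOURCE_GROUP="${RESOURCE_GROUP:-custom-web}"   # from the question
ACCOUNT="${ACCOUNT:-customwebapp}"               # from the question
CONTAINER="${CONTAINER:-example-container}"      # assumed placeholder
AZ="${AZ:-az}"                                   # point at a stub for dry runs

# Reject anything that is not a plain dotted-quad IPv4 before it reaches az.
is_ipv4() {
  case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  _old_ifs=$IFS; IFS=.; set -- $1; IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do [ "$_o" -le 255 ] || return 1; done
}
agent_ip() { curl -fsS https://ipinfo.io/json | jq -r '.ip'; }

remove_rule() {
  echo "Closing firewall for the IP: $1"
  "$AZ" storage account network-rule remove -g "$RESOURCE_GROUP" \
    --account-name "$ACCOUNT" --ip-address "$1" >/dev/null || true
}

# Run a command up to $1 times, sleeping $2 seconds between attempts.
retry() {
  _n=$1; _delay=$2; shift 2; _i=1
  while [ "$_i" -le "$_n" ]; do
    "$@" && return 0
    echo "attempt $_i/$_n failed" >&2
    [ "$_i" -lt "$_n" ] && sleep "$_delay"
    _i=$((_i + 1))
  done
  return 1
}
main() {
  ip=$(agent_ip)
  is_ipv4 "$ip" || { echo "unexpected IP value: $ip" >&2; return 1; }
  echo "Opening firewall for the IP: $ip"
  "$AZ" storage account network-rule add -g "$RESOURCE_GROUP" \
    --account-name "$ACCOUNT" --ip-address "$ip" >/dev/null
  trap "remove_rule '$ip'" EXIT   # close the hole even if the delete fails
  retry 5 30 "$AZ" storage blob delete-batch --account-name "$ACCOUNT" \
    --source "$CONTAINER" --auth-mode login
}

# Only act when invoked as "script.sh run", so the file can also be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

Setting `AZ` to a shell function that only logs its arguments lets you dry-run the add/delete/remove sequence in the pipeline before pointing it at a real account.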