question

ZachDay-7299 avatar image
0 Votes"
ZachDay-7299 asked RuhelaRahul-7002 answered

Allowing ACR Access to MS Hosted Build Agents

Currently I'm working on updating my company's internal Ansible role for deploying Container Registries and one part of that has been restricting access to our company's internet facing IP range and the IP Ranges for MS hosted build agents. As of right now I know that ACR allows connections from trusted Azure services via Managed Identity, but we're curious to know if there are plans in the ACR roadmap to allow access from the IP ranges used by hosted build agents.

I have come across some documentation (Hosted Agents Networking) regarding how to get the hosted agent IP ranges. However, from reading the docs, they can change on a weekly basis which may prove challenging for keeping ACR firewall settings synchronized with the latest ranges.

Without going into too much detail, what would be the recommended practice for allowing access to ACR from MS hosted build agents if a builtin ACR service option isn't in the product roadmap?


azure-container-registry
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

srbose-msft avatar image
0 Votes"
srbose-msft answered

Hi @ZachDay-7299,

Currently there is no such feature planned on the ACR Road Map. You can share your feedback at https://feedback.azure.com/forums/34192--general-feedback.

Other than https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#networking, you can try to add a powershell script:

Invoke-RestMethod http://ipinfo.io/json | Select -exp ip

to get the Public IP address of the machine allotted for the particular build and then add it to the ACR's network rule using az acr network-rule add -n <ACR> --ip-address <ipaddress>

before the main job.

Please do let me know if this helps.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

RuhelaRahul-7002 avatar image
0 Votes"
RuhelaRahul-7002 answered

Hi @srbose-msft ,

We can only add 100 IP/CIDR range in premium plan which is not enough. In EastUS, there are near about five thousand IP/CIDR range. How we can fix it with that range ?

Thanks,
Rahul Ruhela

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

RuhelaRahul-7002 avatar image
0 Votes"
RuhelaRahul-7002 answered

Hi @srbose-msft ,

We can only add 100 IP/CIDR range in premium plan which is not enough. In EastUS, there are near about five thousand IP/CIDR range. How we can fix it with that range ?

Thanks,
Rahul Ruhela

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.