Currently I'm working on updating my company's internal Ansible role for deploying Container Registries, and one part of that has been restricting access to our company's internet-facing IP range and the IP ranges for MS-hosted build agents. As of right now I know that ACR allows connections from trusted Azure services via Managed Identity, but we're curious to know if there are plans in the ACR roadmap to allow access from the IP ranges used by hosted build agents.
I have come across some documentation (Hosted Agents Networking) regarding how to get the hosted agent IP ranges. However, from reading the docs, they can change on a weekly basis, which may prove challenging for keeping ACR firewall settings synchronized with the latest ranges.
Without going into too much detail, what would be the recommended practice for allowing access to ACR from MS-hosted build agents if a built-in ACR service option isn't in the product roadmap?