Allowed address lists and network connections

Azure DevOps Services | Azure DevOps Server 2020 | Azure DevOps Server 2019 | TFS 2018 - TFS 2015

If your organization is secured with a firewall or proxy server, you need to add certain IP addresses and domain URLs to the allowlist. Adding them to the allowlist helps to ensure that you have the best experiences with Azure DevOps.

For the best experience with Visual Studio and Azure Services, you open select ports and protocols. For more information, see Install and use Visual Studio behind a firewall or proxy server, Use Visual Studio and Azure Services.

Domain URLs to allow

Network connection issues could occur because of your security appliances, which may be blocking connections - Visual Studio uses TLS 1.2. When you're using NuGet or connecting from Visual Studio 2015 and later, update the security appliances to support TLS 1.2 for the following connections.

Azure DevOps domains to allow

To ensure your organization works with any existing firewall or IP restrictions, ensure that dev.azure.com and *.dev.azure.com are open.

URLs to support sign in and licensing connections

  • management.core.windows.net
  • login.microsoftonline.com
  • login.live.com
  • go.microsoft.com
  • graph.microsoft.com
  • app.vssps.dev.azure.com
  • app.vssps.visualstudio.com
  • aadcdn.msauth.net
  • aadcdn.msftauth.net

Additional URLs for signing into Azure DevOps and Azure

  • amcdn.msftauth.net
  • windows.net
  • microsoftonline.com
  • visualstudio.com
  • microsoft.com
  • live.com
  • dev.azure.com
  • azure.microsoft.com
  • management.azure.com
  • azurecomcdn.azureedge.net
  • amp.azure.net
  • aexprodea1.vsaex.visualstudio.com
  • management.core.windows.net
  • aex.dev.azure.com
  • app.vssps.dev.azure.com
  • app.vssps.visualstudio.com
  • vstsagentpackage.azureedge.net
  • cdn.vsassets.io (hosts Azure DevOps Content Delivery Networks (CDNs) content)
  • gallerycdn.vsassets.io (hosts Azure DevOps extensions)
  • static2.sharepointonline.com (hosts some resources that Azure DevOps uses in "office fabric" UI kit for fonts, and so on)
  • *.vstmrblob.vsassets.io (hosts Azure DevOps TCM log data)
  • vsrm.dev.azure.com (package feed)

Additional domains

Azure DevOps uses CDNs to serve static content. Ensure the following CDNs are allowed.

  • *.vsassets.io
  • *.gallerycdn.vsassets.io (Marketplace)

Users in China should also add the following domains to an allowlist:

  • *.vsassetscdn.azure.cn
  • *.gallerycdn.azure.cn (Marketplace)

We recommend you open port 443 to all traffic on these IP addresses and domains. We also recommend you open port 22 to a smaller subset of targeted IP addresses.

Azure Artifacts

NuGet connections

  • azurewebsites.net
  • nuget.org

Note

Privately owned NuGet server URLs may not be included in the previous list. You can check the NuGet servers you're using by opening up %APPData%\Nuget\NuGet.Config.

IP addresses and range restrictions

Outbound connections

Outbound connections are those that originate from inside your organization and that target Azure DevOps or other dependent sites. Examples of such connections include:

  • Browsers connecting to Azure DevOps website as users go to and use features of Azure DevOps
  • Azure Pipelines agents installed on your organization's network connecting to Azure DevOps to poll for pending jobs
  • CI events being sent from a source code repository hosted within your organization's network to Azure DevOps

Ensure the following IP addresses are allowed for outbound connection, so your organization works with any existing firewall or IP restrictions. The endpoint data in the following chart lists requirements for connectivity from a machine in your organization to Azure DevOps Services.

IP V4 ranges IP V6 ranges
13.107.6.0/24 2620:1ec:4::/48
13.107.9.0/24 2620:1ec:a92::/48
13.107.42.0/24 2620:1ec:21::/48
13.107.43.0/24 2620:1ec:22::/48

If you're currently allowing the 13.107.6.183 and 13.107.9.183 IP addresses, leave them in place, as you don't need to remove them.

Note

Azure Service Tags are not supported for outbound connection.

Inbound connections

Inbound connections are those that originate from Azure DevOps and that target resources within your organization's network. Examples of such connections include:

Ensure the following IP addresses are allowed for inbound connection, so your organization works with any existing firewall or IP restrictions. The endpoint data in the following chart lists requirements for connectivity from Azure DevOps Services to your on-premises or other cloud services.

  Region   IP V4 ranges
Australia East 20.37.194.0/24
Australia South East 20.42.226.0/24
Brazil South 191.235.226.0/24
Central Canada 52.228.82.0/24
Asia Pacific (Hong Kong) 20.189.107.0/24
South India 20.41.194.0/24
Central United States 20.37.158.0/23
West Central United States 52.150.138.0/24
East United States 20.42.5.0/24
East 2 United States 20.41.6.0/23
North United States 40.80.187.0/24
South United States 40.119.10.0/24
West United States 40.82.252.0/24
West 2 United States 20.42.134.0/23
Western Europe 40.74.28.0/23
United Kingdom South 51.104.26.0/24

Azure Service Tags are supported for inbound connection. Instead of allowing the previously listed IP ranges, you may use the AzureDevOps service tag for Azure Firewall and Network Security Group (NSG) or on-premises firewall via a JSON file download.

Note

The Service Tag or previously mentioned inbound IP addresses do not apply to Microsoft Hosted Agents. Customers are still required to allow the entire geography for the Microsoft Hosted Agents. If allowing the entire geography is a concern, we recommend using the Azure Virtual Machine Scale Set Agents. The Scale Set Agents are a form of self-hosted agents that can be auto-scaled to meet your demands.

Azure DevOps ExpressRoute connections

If your organization uses ExpressRoute, ensure the following addresses are allowed for both outbound and inbound connections.

IP V4 ranges IP V6 ranges
13.107.6.175/32 2620:1ec:a92::175/128
13.107.6.176/32 2620:1ec:a92::176/128
13.107.6.183/32 2620:1ec:a92::183/128
13.107.9.175/32 2620:1ec:4::175/128
13.107.9.176/32 2620:1ec:4::176/128
13.107.9.183/32 2620:1ec:4::183/128
13.107.42.18/32 2620:1ec:21::18/128
13.107.42.19/32 2620:1ec:21::19/128
13.107.42.20/32 2620:1ec:21::20/128
13.107.43.18/32 2620:1ec:22::18/128
13.107.43.19/32 2620:1ec:22::19/128
13.107.43.20/32 2620:1ec:22::20/128

For more information about Azure DevOps and ExpressRoute, see ExpressRoute for Azure DevOps.

Other IP addresses

  • 40.82.190.38
  • 52.108.0.0/14
  • 52.237.19.6
  • 52.238.106.116/32
  • 52.244.37.168/32
  • 52.244.203.72/32
  • 52.244.207.172/32
  • 52.244.223.198/32
  • 52.247.150.191/32

For more information, see Worldwide endpoints and Adding IP address rules.

SSH connections

If you need to connect to Git repositories on Azure DevOps with SSH, you need to allow requests to port 22 for the following IP addresses:

  • ssh.dev.azure.com
  • vs-ssh.visualstudio.com
  • all IP addresses in the "name": "AzureDevOps" section of this downloadable file (updated weekly) named: Azure IP ranges and Service Tags - Public Cloud

Azure Pipelines Agents

If you use Microsoft-hosted agent to run your jobs and you need the information about what IP addresses are used, see Microsoft-hosted agents Agent IP ranges.

If you're running a firewall and your code is in Azure Repos, see Self-hosted Windows agents FAQs. This article has information about which URLs and IP addresses your private agent needs to communicate with.

For more information about hosted Windows and Linux agents, see Microsoft-hosted Agent IP ranges.

Currently, we don't publish hosted Mac IP address ranges.

Azure DevOps import service

During the import process, we highly recommend that you restrict access to your VM to only IPs from Azure DevOps. To restrict access, allow only connections from the set of Azure DevOps IPs, which were involved in the collection database import process. For information about identifying the correct IPs, see (Optional) Restrict access to Azure DevOps Services IPs only.