Enabling Azure Key Vault Firewall with Azure DevOps

Carson Yeung
3 min readMar 22, 2020

Azure DevOps has become more and more popular. Many of my customers use it for source code management, build automation and deployment automation. As its adoption steadily increases, more inquiries come my way. Today I am going to talk about the tricks needed to make Azure DevOps get along with the Azure Key Vault firewall.

Lately, one of my customers has been testing Azure Key Vault as the store for the secrets (authentication keys) used by its deployment pipeline. Everything went fine in the development environment, until they tried to harden the Key Vault by enabling its firewall: from that point on, the deployment pipeline to the testing environment failed with the error message below.

At first glance it is clear that the Key Vault firewall has blocked the access coming from Azure DevOps. The quick fix should be to add the pipeline's source IP addresses to the Key Vault firewall allow list. That should not be too difficult, right?

This is where my customer got stuck: they did not know which IP range to whitelist. Every time they executed the pipeline, the firewall saw a different source IP address.

Why?

Before I explain further, let's take a step back and see how a deployment pipeline works. Refer to the diagram below, quoted from Microsoft.com.

From <https://docs.microsoft.com/en-us/azure/devops/pipelines/release/?view=azure-devops>

As you can see in the diagram, when the deployment pipeline is executed, it is the DevOps agent (the automation agent) that runs the automation steps which deploy the artifacts to the target testing environment. The call to Key Vault is therefore made by the agent, not by the Azure DevOps service itself, so the source IP the Key Vault firewall sees is the agent's.

There are 2 types of DevOps agents, as mentioned in the link here. https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=browser

Here is a brief summary and a high level diagram that illustrates their differences.

· Microsoft hosted agent

As the name suggests, it is an agent hosted on the Microsoft Azure platform. Every pipeline job runs on a freshly provisioned virtual machine drawn from a large pool in Microsoft's Azure data centers, and that VM gets a public IP from the Azure ranges of the geography your organization lives in. This is why the source IP differs from run to run. Azure DevOps instructs the hosted agent to connect to Key Vault, so that changing IP is what the Key Vault firewall has to evaluate.

· Self-hosted DevOps agent

As the name suggests, it is an agent that you install and run yourself on a network you designate. It can be in the cloud or on premises.

Most of the time, Microsoft-hosted agents would be the choice, as there is no infrastructure to maintain (no virtual machine, no virtual network, no container).

However, the complication comes when the Key Vault firewall is enabled (not to be confused with the Azure Firewall product). Which IPs should be whitelisted on the Key Vault firewall for a Microsoft-hosted agent?

Microsoft has documented the IP ranges of the hosted agents on the page below. The ranges are published as part of the weekly Azure IP ranges and Service Tags file, under the AzureCloud.<region> tags for the regions of your organization's geography, and they change from week to week. There is no dedicated service tag for hosted agents, so IP rules are the only way to admit them through the Key Vault firewall.

https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops#agent-ip-ranges

If you follow the documentation and whitelist the IP ranges mentioned, the agent can connect to the Azure Key Vault. Bingo!

However, while this works, it is not always the solution the customer goes for. This approach implies you have to trust every machine inside the IP ranges specified by Microsoft, and those ranges are not short: they cover whole Azure regions, so any VM that any tenant runs in those regions is admitted by the rule, not just your agents (Azure AD authentication on the vault remains the real gate; the firewall only narrows who can reach it). The ranges are also refreshed weekly, so the allow list has to be re-checked and updated on the same schedule. To some customers, whitelisting the whole ranges does not seem feasible from either a maintenance or a security point of view.
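To see what the first solution actually commits you to, here is an added example (my own illustrative code, not Microsoft's tooling and not from the original post) that reads the AzureCloud.<region> tags from a snapshot in the shape of Microsoft's weekly Service Tags JSON, collapses the IPv4 prefixes into Key Vault IP rules, checks whether the source IP seen in a failed run is inside them, and diffs two weekly snapshots to show the maintenance churn. The two snapshots, their prefixes (RFC 5737 and RFC 3849 documentation ranges), the region selection and the vault name are constructed for the example; the `az keyvault network-rule` commands are rendered as text for review, not executed.

```python
"""Plan Key Vault firewall IP rules for Microsoft-hosted agents from a
Service Tags snapshot and check an observed agent IP against them.
Illustrative example; not Microsoft's tooling."""
import ipaddress
import json

# Constructed snapshot in the shape of Microsoft's weekly
# ServiceTags_Public_<date>.json. Prefixes are documentation ranges
# (198.51.100.0/24, 203.0.113.0/24, 192.0.2.0/24, 2001:db8::/32),
# NOT real Azure addresses.
SNAPSHOT_WEEK1 = json.dumps({
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.eastus",
         "properties": {"region": "eastus",
                        "addressPrefixes": ["198.51.100.0/25",
                                            "198.51.100.128/25",
                                            "203.0.113.0/26",
                                            "2001:db8:1::/48"]}},
        {"name": "AzureCloud.westus",
         "properties": {"region": "westus",
                        "addressPrefixes": ["203.0.113.64/26"]}},
        {"name": "AzureCloud.northeurope",
         "properties": {"region": "northeurope",
                        "addressPrefixes": ["192.0.2.0/24"]}},
    ]})

# Constructed "one week later" snapshot: eastus gained a prefix and
# westus lost its only one, which is the kind of churn the weekly file has.
SNAPSHOT_WEEK2 = json.dumps({
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.eastus",
         "properties": {"region": "eastus",
                        "addressPrefixes": ["198.51.100.0/25",
                                            "198.51.100.128/25",
                                            "203.0.113.0/26",
                                            "203.0.113.128/25",
                                            "2001:db8:1::/48"]}},
        {"name": "AzureCloud.westus",
         "properties": {"region": "westus", "addressPrefixes": []}},
        {"name": "AzureCloud.northeurope",
         "properties": {"region": "northeurope",
                        "addressPrefixes": ["192.0.2.0/24"]}},
    ]})


def hosted_agent_prefixes(snapshot_json, regions):
    """IPv4 prefixes of the AzureCloud.<region> tags for the chosen regions,
    collapsed into the smallest equivalent set of networks."""
    wanted = {f"AzureCloud.{r}" for r in regions}
    nets = []
    for tag in json.loads(snapshot_json)["values"]:
        if tag["name"] not in wanted:
            continue
        for prefix in tag["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix)
            if net.version == 4:  # Key Vault IP rules are IPv4 CIDRs; skip IPv6
                nets.append(net)
    return sorted(ipaddress.collapse_addresses(nets))


def keyvault_ip_rules(prefixes):
    """CIDR strings in the form the Key Vault firewall accepts as IP rules."""
    return [str(n) for n in prefixes]


def is_allowed(source_ip, rules):
    """Would a request from source_ip pass a firewall holding these IP rules?
    Use it on the IP from a failed run to confirm the ruleset is the cause."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(r) for r in rules)


def rule_diff(old_snapshot_json, new_snapshot_json, regions):
    """(added, removed) rules between two weekly snapshots. Note that a
    collapsed rule may have to be replaced by smaller ones when part of
    the range disappears."""
    old = set(keyvault_ip_rules(hosted_agent_prefixes(old_snapshot_json, regions)))
    new = set(keyvault_ip_rules(hosted_agent_prefixes(new_snapshot_json, regions)))
    return sorted(new - old), sorted(old - new)


def az_commands(vault_name, added, removed):
    """Render the weekly change as Azure CLI calls to review before applying."""
    cmds = [f"az keyvault network-rule add --name {vault_name} --ip-address {r}"
            for r in added]
    cmds += [f"az keyvault network-rule remove --name {vault_name} --ip-address {r}"
             for r in removed]
    return cmds


if __name__ == "__main__":
    regions = ["eastus", "westus"]          # constructed geography choice
    rules = keyvault_ip_rules(hosted_agent_prefixes(SNAPSHOT_WEEK1, regions))
    print("rules this week:", rules)
    print("agent 203.0.113.70 allowed:", is_allowed("203.0.113.70", rules))
    added, removed = rule_diff(SNAPSHOT_WEEK1, SNAPSHOT_WEEK2, regions)
    for cmd in az_commands("kv-example", added, removed):   # constructed vault name
        print(cmd)
```

Even with this tiny snapshot, an IP that was admitted one week (203.0.113.70) falls into a gap the next, and the review output shows that one collapsed rule has to be swapped for two. For a real region the prefix list runs to hundreds of entries, which is the point of the "not short" remark above. The self-hosted case in the next section reduces the whole plan to a single /32 (or a subnet) that never changes under you.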

That brings us to the 2nd solution: leveraging a self-hosted agent.

By deploying the agent to a designated network, you know the exact IP range to whitelist on the Azure Key Vault: the agent's static public IP (or the address of the NAT gateway it egresses through), or, if the agent runs inside an Azure virtual network, a virtual network rule for its subnet through a Key Vault service endpoint, so no public IP has to be admitted at all. You keep the key vault secure without having to whitelist a big range of Azure data-center IPs that you do not control.

Of course, as mentioned earlier, there is a cost to this solution: you have to maintain that virtual machine / container, or even the network if it does not exist in the first place. You can find the setup instructions here. https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=browser#install

I hope you find this blog useful!
