How to Whitelist Azure DevOps IP Addresses on AWS for Pipelines / Releases Hosted Agents

  1. They do not have a specific section in their IP Ranges .json dump, hence we practically have to add all of the ranges within a region.
  2. The IP addresses are updated weekly. Not a fun idea for a lazy programmer.
  3. There are security risks when we whitelist such a large range of IP addresses.

Work Around

Stackoverflow

The Script

The script is pretty simple. Assuming that you already have the proper IAM set up on AWS side as well as AWS CLI set up on the Azure DevOps side, you can add a “Bash Script” job that contains the following:

# 1. Get Agent's IP
currentIp=$(curl ipinfo.io/ip)
echo $currentIp
# 2. Authorize access
aws ec2 authorize-security-group-ingress \
--region us-west-2 \
--group-id sg-xxxx \
--protocol tcp \
--port yy \
--cidr $currentIp/32
# 3. Some commands to run
<commands to be executed here>
exitCode=$?
# 4. Revoke access
aws ec2 revoke-security-group-ingress \
--region us-west-2 \
--group-id sg-xxxx \
--protocol tcp \
--port yy \
--cidr $currentIp/32
# 5. Fail the job if command failed
if [ $exitCode -ne 0 ]; then
exit 1
fi
  1. We need to find out what’s the Hosted Agent’s IP Address, so we curl the third-party website to find out then store it into a variable called $currentIp.
  2. We ask AWS to whitelist this specific IP address $currentIp onto a security group called sg-xxxx for port yy. We also store the exit status into a variable $exitCode so that we can reuse this later. $? is a Bash specific variable for the exit code of the previous command executed.
  3. Then we execute the commands against our AWS resources as needed.
  4. And we revoke the access regardless of whether the commands are run successfully or not. While testing, you may want to comment out this step just so that you can see that the rules are indeed being added to the AWS Security Group.
  5. We added an additional step to check if our main command have failed to decide the right exit code to return. This is because if we don’t do that, even if the command have failed, if the Revoke Access step did not fail, the job would be marked as successful, which is not what we want. If you have a long chain of commands to be executed, your exitCode checks might need to be more complex.

Was it helpful?

If you find this article helpful, do give me a little clap on Medium. 😄 It really makes my day to know that I have helped a fellow developer out there. Thanks!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jian Jye

Jian Jye

47 Followers

I write about Laravel, PHP, and web development related articles.