3

We use Azure DevOps with Microsoft-hosted agents, and because we would like to apply authorized IP ranges for our AKS we need the agent IP addresses. To automate the process in our release pipeline we have included Azure CLI task with the command :

AGENT_IP=$(curl -s https://ipinfo.io/json | jq -r .ip)

az aks update --resource-group xxx --name yyy --api-server-authorized-ip-ranges ${AGENT_IP}

All the AGENT_IPs, we are getting from the command line, are not listed in the weekly json file. Even the operation is executed successfully and the AGENT_IP is included in the "apiServerAccessProfile.authorizedIpRanges" section, sometimes we are not able to deploy our microservice to the AKS and we are getting an error: "Unable to connect to the server: dial tcp xx.xx.xx.xx:443: i/o timeout". However sometimes the deployment is successful, even though the AGENT_IP is not listed in the weekly json.

Why the IP addresses I am getting, are not in the weekly json file ? Randomly I am able to deploy to AKS ?

milanski
  • 31
  • 1
  • 2

1 Answers1

1

Please read these docs:

I got IP address using this script:

Invoke-RestMethod -Uri ('http://ipinfo.io/'+(Invoke-WebRequest -uri "http://ifconfig.me/ip").Content)

And for build pipelines I got IP address which was outside of any IP range from weekly file for AzureCloud.westeurope. (In my case it was 168.63.69.117, 137.135.240.152). However for relese pipeline I got IP which are in IP ranges from weekly file:

  • 52.157.67.128 - IP Range 52.157.64.0/18
  • 40.118.28.211 - IP Range 40.118.0.0/17

But I noticed that build agents are located in Ireland and this is North Europe region. And yes, IP addresses matches IP ranges from North Europe:

  • 137.135.240.152 - IP Range 137.135.128.0/17
  • 168.63.69.117 - IP range 168.63.64.0/20

I have no idea why this works like that since I have West Europe region in my settings.

But to sum up:

  • build pipelines - North Europe region
  • release pipelines - West Europe region
Krzysztof Madej
  • 32,704
  • 10
  • 78
  • 107
  • Hey Krzysztof, thanks for your answer. I read the docs but somehow I still can not get what I am doing wrong. As agent IP in my release pipeline I am getting values like: 40.89.171.234/32, 13.74.46.232/32, 40.69.89.14/32 and even though I put every IP as AKS authorized IP range I am getting an error (randomly, not always). I also tried to put the IP ranges from their weekly for West Europe + France and still the same problem. – milanski Apr 07 '20 at 10:41
  • Hi, did you fix this problem? – Dmitry Zimin Jul 09 '20 at 14:57
  • 1
    @DmitryZimin my issue was closed on [develper community](https://developercommunity.visualstudio.com/content/problem/991669/build-agents-are-not-located-in-azure-devops-organ.html) as duplicate of [this](https://developercommunity.visualstudio.com/content/problem/980579/microsft-hosted-agent-in-release-pipeline-gets-wro.html) but this is still not solved. So if you plan to limit access to IP range you need to include both ranges North and West Europe. – Krzysztof Madej Jul 10 '20 at 08:08