Need the IP range of Visual Studio Team Service to create an SG on AWS

We have our infrastructure on AWS and our .NET projects are starting to use the Visual Studio Team Service (VSTS) to provide CI / CD and manage the entire build / release process from there. We are using Hosted Build Servers, but the deployment will be on AWS IIS servers (EC2 Windows 8 R2 IIS Server).

I tried to find out what the IP range for VSTS is in order to create the correct security groups (SGs) and add them to our EC2 instances, but I cannot find out what the range is: they provide a list by region, and I need something more specific, for example 10.73.0.0 - 10.73.255.255, so that I can do something like 10.73.0.0/16.

Anyway, I need to find out what the IP range is, because right now in my POC we are using a too-open SG, and I need to limit that.

+3




3 answers


The Visual Studio Team Service (VSTS) appears to be hosted on Azure. As a result, you won't be able to get a more specific list of IP address ranges than the entire list of Azure IP addresses, which is subject to change.

Azure publishes the list here every Wednesday: https://www.microsoft.com/en-us/download/confirmation.aspx?id=41653

And you will need to allow all IP ranges for the region where your account was created.



My personal opinion is that it would be too difficult to maintain, and you should look for other options to provide access, or consider a self-hosted VSTS equivalent.

What IP addresses are used by Hosted Build?

We have an XML document released every Wednesday that contains the entire IP range for Azure datacenters, broken down by region. See:

https://www.microsoft.com/en-us/download/confirmation.aspx?id=41653

This file contains the Compute IP ranges (including SQL ranges) used by Microsoft Azure datacenters. A new xml file will be uploaded every Wednesday (PST) with the newly scheduled IP address ranges. The new IP ranges will be effective after Monday (Pacific Time). Download the new xml file and make the necessary changes to your site by Monday. Since the hosted agent is in the same region as your VSTS account, you need to whitelist the IP ranges for your region, which you can get from the link above. To confirm your region in VSTS, go to the Settings page at:

https://<account>.visualstudio.com/_admin/_home/settings

Under the account, you will see a field showing the region.

+1




So, since, thanks to Mark, you know when the IP xml changes, you can write and schedule a Lambda function to update the security group.

Here's an AWS example of this, but for CloudFront IP ranges:



https://github.com/awslabs/aws-cloudfront-samples

0




You can get the IP address of the current build agent dynamically and create a dynamic security group (using the AWS SDK for .NET).

  • Open a build definition > select the Options tab > check "Allow scripts to access the OAuth token".
  • Add a PowerShell step / task (Arguments: -RestAddress https://starain.vsdtl.visualstudio.com/DefaultCollection/_apis/vslabs/ipaddress -Token $(System.AccessToken)).

PS:

Param (
    [string]$RestAddress,
    [string]$Token
)
# Build a Basic auth header from the build's OAuth token ($(System.AccessToken)).
# The user-name half of "user:token" is not checked, so 'test' is just a placeholder.
$basicAuth = ("{0}:{1}" -f 'test',$Token)
$basicAuth = [System.Text.Encoding]::UTF8.GetBytes($basicAuth)
$basicAuth = [System.Convert]::ToBase64String($basicAuth)
$headers = @{Authorization=("Basic {0}" -f $basicAuth)}
# Ask VSTS for the public IP of the agent running this build.
$result = Invoke-RestMethod -Uri $RestAddress -Headers $headers -Method Get
Write-Host $result.value
# Publish the address as the build variable CIP so later steps can read it as $(CIP).
Write-Host "##vso[task.setvariable variable=CIP;]$($result.value)"

  • Add a PowerShell on Target Machines task to invoke the AWS console application. (You can pass the CIP variable from the previous step by specifying Script Arguments like -currentIP $(CIP).)

Article on creating a security group: Create a Security Group in Amazon EC2

0


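The two automation answers above (a scheduled Lambda that follows the weekly Azure XML, and a per-build rule for the agent's own IP) share one core: compute the difference between the ranges that should be allowed and the ranges the security group currently has, then authorize and revoke only that difference. The following Python is an added example, not code from the thread or from any of the projects linked here. It assumes the XML has the layout of the Microsoft download (a root `AzurePublicIpAddresses` element containing `Region` elements with `Name` attributes, each holding `IpRange` elements whose `Subnet` attribute is a CIDR) and that EC2 is reached through a boto3-style client; `FakeEc2`, `SAMPLE_XML`, the group id `sg-PLACEHOLDER`, and all addresses are constructed so the module runs offline.

```python
"""Keep an EC2 security group in step with the weekly Azure IP-range XML.

Added example, not code from the thread. It assumes the XML has the layout
of the Microsoft download (id=41653): <AzurePublicIpAddresses> holding
<Region Name="..."> elements whose <IpRange Subnet="..."/> children carry
CIDRs. EC2 is reached through a boto3-style client; FakeEc2 below is an
in-memory stand-in so the module runs offline.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample shaped like the weekly Azure file (all values made up).
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<AzurePublicIpAddresses xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Region Name="useast">
    <IpRange Subnet="203.0.113.0/24" />
    <IpRange Subnet="198.51.100.0/25" />
  </Region>
  <Region Name="uswest">
    <IpRange Subnet="192.0.2.0/24" />
  </Region>
</AzurePublicIpAddresses>
"""

def parse_azure_ranges(xml_text, region):
    """Return the set of CIDR strings published for one Azure region name."""
    root = ET.fromstring(xml_text)
    wanted = set()
    for reg in root.iter("Region"):
        if reg.get("Name") != region:
            continue
        for rng in reg.iter("IpRange"):
            # ip_network validates the entry and clears stray host bits, so a
            # malformed line fails loudly instead of becoming a bad rule.
            net = ipaddress.ip_network(rng.get("Subnet").strip(), strict=False)
            wanted.add(str(net))
    return wanted

def agent_rule(ip_text):
    """Desired set for the per-build variant: only the agent's own /32."""
    return {f"{ipaddress.ip_address(ip_text)}/32"}

def current_rules(ec2, group_id, port):
    """CIDRs that currently have TCP access to `port` in the group."""
    resp = ec2.describe_security_groups(GroupIds=[group_id])
    cidrs = set()
    for perm in resp["SecurityGroups"][0]["IpPermissions"]:
        if (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")) == ("tcp", port, port):
            cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs

def plan(desired, current):
    """Split into CIDRs to authorize and CIDRs to revoke (both sorted lists)."""
    return sorted(desired - current), sorted(current - desired)

def _perm(port, cidrs, description=None):
    ranges = [{"CidrIp": c} for c in cidrs]
    if description:
        for r in ranges:
            r["Description"] = description  # marks rules this job manages
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": ranges}

def reconcile(ec2, group_id, port, desired):
    """Make the group's TCP/`port` ingress equal `desired`; returns (added, removed)."""
    to_add, to_remove = plan(desired, current_rules(ec2, group_id, port))
    # Revoke stale ranges first so the rule count stays under the per-group quota
    # when a region's list is rotated; ranges present in both sets are untouched.
    if to_remove:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[_perm(port, to_remove)])
    if to_add:
        ec2.authorize_security_group_ingress(
            GroupId=group_id, IpPermissions=[_perm(port, to_add, "azure-weekly")])
    return to_add, to_remove

class FakeEc2:
    """Minimal in-memory stand-in for a boto3 EC2 client (constructed for offline runs)."""
    def __init__(self, port, cidrs):
        self.port, self.cidrs = port, set(cidrs)
    def describe_security_groups(self, GroupIds):
        perm = {"IpProtocol": "tcp", "FromPort": self.port, "ToPort": self.port,
                "IpRanges": [{"CidrIp": c} for c in sorted(self.cidrs)]}
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": [perm]}]}
    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        for p in IpPermissions:
            self.cidrs.update(r["CidrIp"] for r in p["IpRanges"])
    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        for p in IpPermissions:
            self.cidrs.difference_update(r["CidrIp"] for r in p["IpRanges"])

def demo():
    """Weekly run: the stale '10.73.0.0/16' goes, the new '198.51.100.0/25' comes."""
    desired = parse_azure_ranges(SAMPLE_XML, "useast")
    ec2 = FakeEc2(443, ["203.0.113.0/24", "10.73.0.0/16"])
    added, removed = reconcile(ec2, "sg-PLACEHOLDER", 443, desired)
    return added, removed, sorted(ec2.cidrs)

if __name__ == "__main__":
    print(demo())
```

With a real client, `boto3.client("ec2")` drops in for `FakeEc2`, and the per-build variant from the last answer is the same call with `reconcile(ec2, group_id, port, agent_rule(cip))` before the deploy step and an empty desired set afterwards, so the /32 does not linger. One caveat that backs the first answer's maintenance concern: a security group has a default quota of 60 inbound rules, and a single Azure region's list can exceed that, so the weekly approach may need several groups attached to the instance or a quota increase.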
