AKS authorized ip ranges does not mention devops environments #49578

Closed
jemag opened this issue Mar 5, 2020 · 11 comments

jemag commented Mar 5, 2020

Unless I am mistaken, restricting the IP ranges will prevent Azure DevOps environments from connecting to the cluster:
image

This scenario does not seem to be talked about in the documentation.

Are there any ways to make environments still work in such a setup? Perhaps by using some kind of agent pushing the data instead, or re-using a hosted VSTS agent?



@ketan-chawda-msft
Contributor

@jemag Thank you for your feedback! We will review and provide an update as appropriate.

@VikasPullagura-MSFT
Contributor

@MicrosoftDocs/aks-pm Please add your comments.

@jakaruna-MSFT
Contributor

@jemag Once we enable the authorized IP ranges, it will allow only the IPs added to it.

So it restricts other environments from connecting. For example, for Azure Pipelines to connect, we need to add the IPs of Pipelines for that region to the authorized IP ranges.

The problem is that those IPs may change on a weekly basis.

Let's wait for the comments from the aks-pm team.

@jakaruna-MSFT
Contributor

@jemag The only way is to add the IPs used by Azure Pipelines for that region to the authorized IPs list.

Also, we need to update the IPs when they change for that region.

Please provide feedback here for improvement.

The community can vote on this feedback, and product teams will look into these items to build their backlog.

@jemag
Author

jemag commented Mar 10, 2020

@jakaruna-MSFT that seems quite unfortunate if this is the only option. With authorized IP ranges and now Private API Server in preview, it seems like there should be a better way to handle this.

Having a Private API Server would be inconvenient with the current Environments requirements. Anyway, thanks for the clarification. I will try to create a feedback post as suggested.

@jemag
Author

jemag commented Mar 11, 2020

@jakaruna-MSFT just to be sure, the link you provided is for AKS feedback. Wouldn't it be more appropriate to leave the feedback for Azure DevOps instead, since environments is purely a DevOps concept?

@jakaruna-MSFT
Contributor

You can submit feedback in Azure DevOps as well.

It would be easier to add "allow Azure DevOps" as one of the rules in authorized IP ranges.

@jakaruna-MSFT
Contributor

jakaruna-MSFT commented Mar 12, 2020

I have added this issue for review with the product team.

@jemag
Author

jemag commented Mar 12, 2020

Adding the devops feedback url, for those who come by this issue: https://developercommunity.visualstudio.com/idea/947371/allow-devops-environments-communication-with-prote.html

@jakaruna-MSFT
Contributor

@jemag
I will close this out for now. If you need additional help please open a new issue.

@abarqawi
Contributor

abarqawi commented Jul 5, 2023

I faced a similar issue today with an AKS + Azure DevOps pipeline: Azure DevOps could not connect to AKS with authorized IPs, even with the correct IP regions, and we were able to solve it by adding the following Azure CLI task.
I added the outbound IPs and also the region IPs for India Central and South India just in case,
but the most important is the agent IP.

In Azure DevOps:

Task 1: add the MS-hosted IPs

```bash
# Look up this agent's public IP over HTTPS; jq -r prints the raw string, so no quotes to strip
IP=$(curl -s https://ipinfo.io/json | jq -r '.ip')
echo "This Microsoft hosted agent public IP is: $IP"
# Expose the IP to later tasks as the pipeline variable AGENT_IP (no trailing space in the value)
echo "##vso[task.setvariable variable=AGENT_IP;]$IP"
az aks update --resource-group myResourceGroup --name myAKSCluster --api-server-authorized-ip-ranges "13.107.6.0/24,13.107.9.0/24,13.107.42.0/24,13.107.43.0/24,20.41.194.0/24,$IP"
```

Task 2: remove only the agent IP

```bash
# Re-apply the list without the agent IP
az aks update \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --api-server-authorized-ip-ranges "13.107.6.0/24,13.107.9.0/24,13.107.42.0/24,13.107.43.0/24,20.41.194.0/24"
```

Hope this helps.
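An added example, not part of the thread or of any Microsoft code: a hardened form of the two-task workaround in the comment above. It reads the cluster's current ranges instead of hard-coding them, validates the detected agent IP before allowlisting it, and restores the original list on exit even if the deployment step fails. The function names and the wrapped command are assumptions; the resource names are the placeholders from the comment.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names). RG/CLUSTER are the thread's placeholders.
RG="myResourceGroup"
CLUSTER="myAKSCluster"
ORIGINAL_RANGES=""

# Succeeds only for a plain dotted-quad IPv4 address (no CIDR suffix, commas or spaces).
is_ipv4() {
  case "$1" in *[!0-9.]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  local IFS=. octet
  for octet in $1; do
    [ "$octet" -le 255 ] || return 1
  done
}

# add_range "<comma-separated CIDRs>" "<ip>" prints the list with <ip>/32 appended once.
add_range() {
  is_ipv4 "$2" || return 1
  case ",$1," in
    *",$2/32,"*) printf '%s\n' "$1" ;;
    *)           printf '%s\n' "$1,$2/32" ;;
  esac
}

# Put back exactly the list that was configured before the pipeline touched it.
restore_ranges() {
  az aks update --resource-group "$RG" --name "$CLUSTER" \
    --api-server-authorized-ip-ranges "$ORIGINAL_RANGES"
}

# with_agent_ip <command...>: allow this agent, run the command, always restore.
with_agent_ip() {
  local raw ip widened
  raw=$(az aks show --resource-group "$RG" --name "$CLUSTER" \
        --query "apiServerAccessProfile.authorizedIpRanges" -o tsv) || return 1
  ORIGINAL_RANGES=$(printf '%s' "$raw" | tr -s '\t\n' ',')
  # No ranges configured means the API server is not restricted; nothing to widen.
  [ -n "$ORIGINAL_RANGES" ] || { "$@"; return; }
  ip=$(curl -fsS https://ipinfo.io/json | jq -r '.ip')
  widened=$(add_range "$ORIGINAL_RANGES" "$ip") || {
    echo "refusing to allowlist unexpected value: $ip" >&2; return 1; }
  trap restore_ranges EXIT   # fires even when the wrapped command fails
  az aks update --resource-group "$RG" --name "$CLUSTER" \
    --api-server-authorized-ip-ranges "$widened" || return 1
  "$@"
}
# Usage in one pipeline step (the manifest path is hypothetical):
#   with_agent_ip kubectl apply -f manifests/
```

Because the lookup result is appended only as a `/32` after passing `is_ipv4`, a tampered or malformed response cannot widen the allowlist to an arbitrary range.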
