Skip to content

DO NOT REVIEW - Agent CDN - Added Warning in Initialize Phase when new Agent CDN is not reachable #5205

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

DO NOT REVIEW - Agent CDN - Added Warning in Initialize Phase when new Agent CDN is not reachable #5205

wants to merge 1 commit into from

Conversation

AdityaMankal-MS
Copy link
Contributor

Issue

[Se] Migrate Agent CDN URL from Edgio endpoint to a custom URL

Context

The Azure DevOps Agent previously relied on Edgio CDN (vstsagentpackage.azureedge.net) for binary distribution. As Edgio is being retired and the *.azureedge.net domain is scheduled for decommissioning, we are migrating to a new Akamai-backed CDN endpoint: download.agent.dev.azure.com. This ensures continued availability and aligns with our domain strategy.

Description of Changes

This PR adds a connectivity check during the Initialize Agent phase to verify reachability of the new CDN endpoint (download.agent.dev.azure.com). A warning will be logged if the agent cannot connect.

Risk Assessment: Low

The change is guarded behind a feature flag to ensure safe rollout and minimal impact.

Unit Tests Added: N/A

Manual Testing Performed

Warning when CDN is unreachable

Steps:

  1. Set up a self-hosted agent.
  2. Simulate CDN unavailability by adding 127.0.0.1 download.agent.dev.azure.com to the hosts file.
  3. Run a pipeline on the agent.
  4. Validate that a warning message appears in the pipeline logs.
    Unreachable Warning

Routing via Proxy (when configured)

Steps:

  1. Set up a self-hosted agent behind a proxy (e.g., Fiddler).
  2. Restrict all outbound traffic from Agent.Listener and Agent.Worker to allow only proxy-based routing:
netsh advfirewall firewall add rule name="Block Agent.Listener Outbound" dir=out action=block program="C:\agent\_layout\win-x64\bin\Agent.Listener.exe" enable=yes
netsh advfirewall firewall add rule name="Block Agent.Worker Outbound" dir=out action=block program="C:\agent\_layout\win-x64\bin\Agent.Worker.exe" enable=yes
  1. Allow Agent.Listener and the Agent.Worker processes to only access the Local Proxy (127.0.0.1)
netsh advfirewall firewall add rule name="Allow Agent.Listener to Proxy" dir=out action=allow program="C:\agent\_layout\win-x64\bin\Agent.Listener.exe" remoteip=127.0.0.1 enable=yes
netsh advfirewall firewall add rule name="Allow Agent.Worker to Proxy" dir=out action=allow program="C:\agent\_layout\win-x64\bin\Agent.Worker.exe" remoteip=127.0.0.1 enable=yes
  1. Run a pipeline and ensure traffic routes through the proxy:
    Proxy Routing
  2. Confirm no warning is shown in pipeline logs:
    No Warning via Proxy

@AdityaMankal-MS
Agent CDN - Added Warning in Initialize Phase when new Agent CDN is n…
2b86695 
…ot reachable - AB#2241315 (#5202)

* Agent CDN - Added Warning in Initialize Phase when new Agent CDN is not reachable

* Added AgentCDNAccessStatus Telemetry Event

(cherry picked from commit 42701b8)
@AdityaMankal-MS AdityaMankal-MS changed the title DO NOT REVIEW - Agent CDN - Added Warning in Initialize Phase when new Agent CDN is n… DO NOT REVIEW - Agent CDN - Added Warning in Initialize Phase when new Agent CDN is not reachable May 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@AdityaMankal-MS