Merge pull request #8468 from MicrosoftDocs/users/bryanr/add-debugscript-public

JamesJBarnett · web-flow · commit 4fa2a1def9d6 · 2025-10-27T10:08:08.000-07:00
Add script to MDP docs
diff --git a/docs/managed-devops-pools/configure-networking.md b/docs/managed-devops-pools/configure-networking.md
@@ -1,7 +1,7 @@
 ---
 title: Configure networking
 description: Learn how to configure networking for Managed DevOps Pools.
-ms.date: 07/29/2025
+ms.date: 10/27/2025
 ms.custom: sfi-image-nochange
 ---
 
@@ -206,6 +206,106 @@ If you have systems in place on your network (NSG, Firewall, etc.) that restrict
 
 If you configure your Azure DevOps Pipeline to run inside of a container, you need to also allowlist the source of the container image (Docker or ACR).
 
+## Validating endpoint connectivity
+
+To confirm that you can use a given subnet with Managed DevOps Pools, you can run the following script on a resource on that subnet to validate that the network flow is configured to reach all these available endpoints, and additionally the Managed DevOps control plane.
+
+> [!IMPORTANT]
+> You must run this script on a resource that is in your subnet, such as a VM or container, to validate that the network path is open from that subnet to the required endpoints.
+
+To run the script with PowerShell Core, or PowerShell 5 or greater, save the following script as `ValidateMDPEndpoints.ps1` and run the following PowerShell command: `.\ValidateMDPEndpoints.ps1 -organization "<your-organization>"`
+
+```powershell
+# ValidateMDPEndpoints.ps1
+param (
+    [string]$organization
+)
+$azureDevOpsUris = @(
+    "https://dev.azure.com",
+    "https://vssps.dev.azure.com",
+    "https://vsrm.dev.azure.com",
+    "https://management.azure.com",
+    "https://login.microsoftonline.com",
+    "https://graph.microsoft.com",
+    "https://aadcdn.msftauth.net",
+    "https://${organization}.visualstudio.com",
+    "https://${organization}.vsrm.visualstudio.com",
+    "https://${organization}.vstmr.visualstudio.com",
+    "https://${organization}.pkgs.visualstudio.com",
+    "https://${organization}.vssps.visualstudio.com",
+    "https://download.agent.dev.azure.com",
+    "download.agent.dev.azure.com"
+)
+$managedDevOpsPoolsControlPlaneUris = @(
+    # List of agent queue endpoints - maps to *.queue.core.windows.net
+    "https://rmprodaedefaultcq.queue.core.windows.net",
+    "https://rmprodbrsdefaultcq.queue.core.windows.net",
+    "https://rmprodcncdefaultcq.queue.core.windows.net",
+    "https://rmprodcusdefaultcq.queue.core.windows.net",
+    "https://rmprodeus2defaultcq.queue.core.windows.net",
+    "https://rmprodgwcdefaultcq.queue.core.windows.net",
+    "https://rmprodincdefaultcq.queue.core.windows.net",
+    "https://rmprodneudefaultcq.queue.core.windows.net",
+    "https://rmprodseadefaultcq.queue.core.windows.net",
+    "https://rmprodszndefaultcq.queue.core.windows.net",
+    "https://rmproduksdefaultcq.queue.core.windows.net",
+    "https://rmprodwcusdefaultcq.queue.core.windows.net",
+    "https://rmprodwus3defaultcq.queue.core.windows.net",
+    # CDN for downloading the Managed DevOps Pools agent - maps to *.prod.managedevops.microsoft.com
+    "rm-agent.prod.manageddevops.microsoft.com"
+    # List of control plane endpoints - maps to *.manageddevops.microsoft.com
+    "default.ae.prod.manageddevops.microsoft.com",
+    "default.brs.prod.manageddevops.microsoft.com",
+    "default.cnc.prod.manageddevops.microsoft.com",
+    "default.cus.prod.manageddevops.microsoft.com",
+    "default.eus2.prod.manageddevops.microsoft.com",
+    "default.gwc.prod.manageddevops.microsoft.com",
+    "default.inc.prod.manageddevops.microsoft.com",
+    "default.neu.prod.manageddevops.microsoft.com",
+    "default.sea.prod.manageddevops.microsoft.com",
+    "default.szn.prod.manageddevops.microsoft.com",
+    "default.uks.prod.manageddevops.microsoft.com",
+    "default.wcus.prod.manageddevops.microsoft.com",
+    "default.wus3.prod.manageddevops.microsoft.com"
+)
+$unreachableUris = @()
+foreach ($uri in $azureDevOpsUris) {
+    try {
+        $hostName = ($uri -replace "^https?://", "") -replace "/.*", ""
+        $connection = Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue
+        if (-not $connection.TcpTestSucceeded) {
+            $unreachableUris += $uri
+        }
+    } catch {
+        $unreachableUris += $uri
+    }
+}
+if ($unreachableUris.Count -eq 0) {
+    Write-Output "All Azure DevOps endpoints are reachable."
+} else {
+    Write-Output "The following Azure DevOps endpoints could not be reached:"
+    $unreachableUris | ForEach-Object { Write-Output $_ }
+}
+foreach ($uri in $managedDevOpsPoolsControlPlaneUris) {
+    try {
+        $hostName = ($uri -replace "^https?://", "") -replace "/.*", ""
+        $connection = Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue
+
+        if (-not $connection.TcpTestSucceeded) {
+            $unreachableUris += $uri
+        }
+    } catch {
+        $unreachableUris += $uri
+    }
+}
+if ($unreachableUris.Count -eq 0) {
+    Write-Output "All Azure Managed DevOps Pools endpoints are reachable."
+} else {
+    Write-Output "The following Managed DevOps Pools endpoints could not be reached:"
+    $unreachableUris | ForEach-Object { Write-Output $_ }
+}
+```
+
 ## Configure the Azure DevOps Agent to run behind a Proxy
 
 If you configured a proxy service on your image and want your workloads running on your Managed DevOps pool to run behind this proxy, you must add the following environment variables on your image.
