description: Learn how to configure networking for Managed DevOps Pools.
4
-
ms.date: 11/07/2025
4
+
ms.date: 11/18/2025
5
5
ms.custom: sfi-image-nochange
6
6
ms.topic: how-to
7
7
---
@@ -10,16 +10,141 @@ ms.topic: how-to
10
10
11
11
You can configure Managed DevOps Pools agents to run in an isolated virtual network or in an existing virtual network. This article describes how to configure your pool to run agents in your virtual network.
12
12
13
-
## Add agents to your own virtual network
13
+
## Choose your network type
14
14
15
-
You might want to add agents from Managed DevOps Pools to your own virtual network for scenarios such as:
15
+
Managed DevOps Pools supports two types of networking configurations:
16
16
17
-
- Your continuous integration and continuous delivery (CI/CD) agents need to access resources that are only available in your company network through a service like Azure ExpressRoute.
18
-
- Your CI/CD agents need to access resources that are isolated to private endpoints.
19
-
- You want to network isolate your CI/CD infrastructure by bringing your own virtual network with company-specific firewall rules.
20
-
- Any other unique use cases that can't be achieved by out-of-the-box Managed DevOps Pools networking features.
17
+
-[Isolated virtual network](#isolated-virtual-network): Each pool gets its own isolated virtual network that's created and managed by the Managed DevOps Pools service.
18
+
-[Agents injected into existing virtual network](#agents-injected-into-existing-virtual-network): You can bring your own virtual network and subnet. All virtual machines created for the pool will use that subnet, and no other resources will be able to use the subnet. You might want to add agents from Managed DevOps Pools to your own virtual network for scenarios such as:
19
+
- Your continuous integration and continuous delivery (CI/CD) agents need to access resources that are only available in your company network through a service like Azure ExpressRoute.
20
+
- Your CI/CD agents need to access resources that are isolated to private endpoints.
21
+
- You want to network isolate your CI/CD infrastructure by bringing your own virtual network with company-specific firewall rules.
22
+
- Any other unique use cases that can't be achieved by out-of-the-box Managed DevOps Pools networking features.
21
23
22
-
You can add your pool's agents to your virtual network by using the following steps:
24
+
## Isolated virtual network
25
+
26
+
By default, all pools use a Microsoft-provided virtual network, which restricts all inbound traffic and has the following outbound traffic configuration options.
27
+
28
+
1. Default outbound access connectivity is the current default, which allows all outbound traffic using a Microsoft-provided IP address. [Default outbound access for VMs in Azure is scheduled to be retired](https://azure.microsoft.com/updates?id=default-outbound-access-for-vms-in-azure-will-be-retired-transition-to-a-new-method-of-internet-access). When default outbound access is retired, pools will be configured with one static IP address by default.
29
+
1. Instead of using default outbound access, you can configure your pool to use up to 16 static outbound IP addresses. Managed DevOps Pools will create a NAT gateway in the same region as your pool to provide the IP addresses. This configuration enables you to allowlist specific IP addresses on external services that your pipelines need to access.
30
+
- The NAT gateway incurs additional Azure costs. You can model how much it will cost by using the Azure cost calculator. For more information, see [Azure NAT Gateway pricing](https://azure.microsoft.com/pricing/details/azure-nat-gateway/).
31
+
32
+
>[!IMPORTANT]
33
+
> If you modify the static IP address count after the pool is created, the IP addresses are subject to change, and you'll need to obtain the new IP addresses and update your allowlist on external services after the update operation completes.
34
+
35
+
#### [Azure portal](#tab/azure-portal/)
36
+
37
+
To configure IP Address Settings when creating a pool, go to the **Networking** tab. To update an existing pool, go to **Settings** > **Networking**.
38
+
39
+
Choose **None** for **Route through public IP addresses** to use default outbound access.
40
+
41
+
Choose **Microsoft Provided IPs** to configure static outbound IP addresses and specify the number of static IP addresses you want to use. Managed DevOps Pools creates a NAT gateway for you and manages the IP addresses.
42
+
43
+
:::image type="content" source="./media/configure-networking/ip-address-settings.png" alt-text="Screenshot of IP address settings.":::
44
+
45
+
46
+
#### [ARM template](#tab/arm/)
47
+
48
+
You can configure the static IP address count by specifying a `staticIpAddressCount` in the [networkProfile](/azure/templates/microsoft.devopsinfrastructure/pools?pivots=deployment-language-arm-template#networkprofile-1) section under `fabricProfile` when you create or update a pool.
49
+
50
+
To use default outbound access, omit the `networkProfile` property when you create or update a pool.
51
+
52
+
> [!NOTE]
53
+
> The `staticIpAddressCount` property is available starting with API version `2025-09-20`.
54
+
55
+
The following example shows the `networkProfile` section with one static IP address configured.
56
+
57
+
```json
58
+
{
59
+
"name": "MyManagedDevOpsPool",
60
+
"type": "Microsoft.DevOpsInfrastructure/pools",
61
+
"apiVersion": "2025-09-20",
62
+
...
63
+
"properties": {
64
+
...
65
+
"fabricProfile": {
66
+
"networkProfile": {
67
+
"staticIpAddressCount": 1
68
+
}
69
+
}
70
+
}
71
+
}
72
+
```
73
+
74
+
After you create or update your pool with static IP addresses configured, you can find the assigned IP addresses in the payload of the response.
75
+
76
+
```json
77
+
"networkProfile": {
78
+
"ipAddresses": [
79
+
"203.0.113.254"
80
+
],
81
+
"staticIpAddressCount": 1
82
+
}
83
+
```
84
+
85
+
#### [Azure CLI](#tab/azure-cli/)
86
+
87
+
You can configure the `staticIpAddressCount` in the `networkProfile` property in the `fabricProfile` section when you [create](/cli/azure/mdp/pool#az-mdp-pool-create) or [update](/cli/azure/mdp/pool#az-mdp-pool-update) a pool.
88
+
89
+
To use default outbound access, omit the `networkProfile` property when you create or update a pool.
90
+
91
+
```azurecli
92
+
az mdp pool create \
93
+
--fabric-profile fabric-profile.json
94
+
# other parameters omitted for space
95
+
```
96
+
97
+
The following example shows the `networkProfile` section of the **fabric-profile.json** file with one static IP address configured.
98
+
99
+
```json
100
+
{
101
+
"vmss": {
102
+
"sku": {...},
103
+
"images": [...],
104
+
"osProfile": {...},
105
+
"storageProfile": {...},
106
+
"networkProfile": {
107
+
"staticIpAddressCount": 1
108
+
}
109
+
}
110
+
}
111
+
```
112
+
113
+
#### [Bicep](#tab/bicep/)
114
+
115
+
To use Bicep, add a [networkProfile](/azure/templates/microsoft.devopsinfrastructure/pools?pivots=deployment-language-bicep#networkprofile) property in the `fabricProfile` section. Add a `staticIpAddressCount` property under `networkProfile` the desired count. In the following example, the pool is configured to use a single static outbound IP address.
116
+
117
+
To use default outbound access, omit the `networkProfile` property when you create or update a pool.
118
+
119
+
> [!NOTE]
120
+
> The `staticIpAddressCount` property is available starting with API version `2025-09-20`.
> There is a known issue: if your pool is configured with a [managed identity](./configure-identity.md), API calls won't return the `ipAddresses` property unless the DevOpsInfrastructure service principal is assigned the [Managed Identity Operator](/azure/role-based-access-control/built-in-roles/identity#managed-identity-operator) role on the managed identity. For detailed steps, see [Assign Azure roles by using the Azure portal](/azure/role-based-access-control/role-assignments-portal).
140
+
>
141
+
> Granting this role is not required for the static IP addresses to be functional. Without this role assignment, you can still find the assigned IP addresses by viewing them on the **Networking** page in the Azure portal.
You can configure your pool's agents to use your virtual network by using the following steps:
23
148
24
149
1.[Create or bring your virtual network and subnet](#create-or-bring-your-virtual-network-and-subnet).
25
150
1.[Delegate the subnet to `Microsoft.DevOpsInfrastructure/pools`](#delegate-the-subnet-to-microsoftdevopsinfrastructurepools).
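Review bot: In the Bicep tab, "Add a `staticIpAddressCount` property under `networkProfile` the desired count" is missing a word; the parallel sentence in the subnet section reads "...under `networkProfile` with the resource ID of your subnet", so this should read "...under `networkProfile` with the desired count." Two smaller consistency points: `>[!IMPORTANT]` lacks the space after `>` that `> [!NOTE]` uses, and "IP Address Settings" should be "IP address settings" to match the screenshot alt text. On substance, the outbound-IP list says the retirement of default outbound access will make pools default to one static IP, while the next bullet says the NAT gateway that provides static IPs "incurs additional Azure costs"; one sentence stating whether the post-retirement default carries that cost would save readers a support question. Finally, the managed-identity known issue (the `ipAddresses` property is not returned unless the DevOpsInfrastructure service principal holds Managed Identity Operator on the identity) should be cross-referenced from the ARM tab's "you can find the assigned IP addresses in the payload of the response", since that is where a reader first hits the missing property; it would also help to say plainly that the role only affects reading the addresses back and has no effect on the NAT gateway or the allowlisted IPs, which the note currently only implies.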
@@ -103,7 +228,7 @@ If you're using Azure Resource Manager templates (ARM templates), add a `network
103
228
{
104
229
"name": "MyManagedDevOpsPool",
105
230
"type": "Microsoft.DevOpsInfrastructure/pools",
106
-
"apiVersion": "2025-01-21",
231
+
"apiVersion": "2025-09-20",
107
232
"location": "eastus",
108
233
"properties": {
109
234
...
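Review bot: The bump to `"apiVersion": "2025-09-20"` in the ARM subnet example matches the note elsewhere in this change that `staticIpAddressCount` is available starting with that API version; any other `apiVersion` strings in this article (including the Bicep resource declaration, if it carries one) should be checked so the tabs stay on one version.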
@@ -147,7 +272,7 @@ The following example shows the `networkProfile` section of the **fabric-profile
147
272
To use Bicep, add a `networkProfile` property in the `fabricProfile` section. Add a `subnetId` property under `networkProfile` with the resource ID of your subnet.
If you have systems in place on your network (for example, network security groups or firewalls) that restrict outbound connectivity, you need to add certain endpoints to an allow list to fully support Managed DevOps Pools. These endpoints are divided into globally required endpoints (necessary on any machine using Managed DevOps Pools) and endpoints that you need for certain scenarios. All endpoints are HTTPS, unless otherwise stated.
298
+
If you have systems in place on your network (for example, network security groups or firewalls) that restrict outbound connectivity, you need to add certain endpoints to an allowlist to fully support Managed DevOps Pools. These endpoints are divided into globally required endpoints (necessary on any machine using Managed DevOps Pools) and endpoints that you need for certain scenarios. All endpoints are HTTPS, unless otherwise stated.
174
299
175
300
### Required endpoints for starting Managed DevOps Pools
176
301
177
-
If you don't add these endpoints to an allow list, machines fail to come online as part of the Managed DevOps Pools service, and you can't run pipelines on the pool:
302
+
If you don't add these endpoints to an allowlist, machines fail to come online as part of the Managed DevOps Pools service, and you can't run pipelines on the pool:
178
303
179
304
-`*.prod.manageddevops.microsoft.com`: Managed DevOps Pools endpoint used to communicate with the Managed DevOps Pools service.
180
305
-`rmprodbuilds.azureedge.net`: Used to download the Managed DevOps Pools worker binaries and startup scripts. The agent portion of the worker binaries is downloaded from `rm-agent.prod.manageddevops.microsoft.com` (formerly downloaded from `agent.prod.manageddevops.microsoft.com`), which is covered by the previous required `*.prod.manageddevops.microsoft.com` entry.
181
306
-`*.queue.core.windows.net`: Worker queue for communicating with the Managed DevOps Pools service.
182
307
183
308
### Required endpoints for connecting to Azure DevOps
184
309
185
-
If you don't add these endpoints to an allow list, machines might come online and might even go to an *allocated* state but fail to communicate with Azure DevOps, because the Azure DevOps Services task agent either can't connect or can't start.
310
+
If you don't add these endpoints to an allowlist, machines might come online and might even go to an *allocated* state but fail to communicate with Azure DevOps, because the Azure DevOps Services task agent either can't connect or can't start.
186
311
187
312
-`download.agent.dev.azure.com`: The Azure DevOps agent's content delivery network (CDN) location, used to download the Azure DevOps agent (formerly `vstsagentpackage.azureedge.net`; for more information, see [Edgio CDN for Azure DevOps is being retired](https://devblogs.microsoft.com/devops/important-switching-cdn-providers/)).
188
313
-`dev.azure.com`: Required to handle communication with Azure DevOps.
189
314
190
315
### Required endpoints for Linux machines
191
316
192
-
These endpoints are required to spin up Ubuntu machines, but aren't necessary if a pool is only using Windows. When you set up the Azure DevOps task agent, required packages are added and an `apt-get` command is run. This process fails if the following endpoints aren't added to an allow list.
317
+
These endpoints are required to spin up Ubuntu machines, but aren't necessary if a pool is only using Windows. When you set up the Azure DevOps task agent, required packages are added and an `apt-get` command is run. This process fails if the following endpoints aren't added to an allowlist.
193
318
194
319
-`azure.archive.ubuntu.com`: Provisioning Linux machines. This endpoint is HTTP (port 80), not HTTPS (port 443).
195
320
-`www.microsoft.com`: Provisioning Linux machines.
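Review bot: `rmprodbuilds.azureedge.net` in the startup-endpoint list is an Edgio CDN hostname, and this same page documents the Azure DevOps agent download moving off `vstsagentpackage.azureedge.net` because of the Edgio retirement; please confirm this endpoint is still current and, if a successor hostname exists, list it the way the agent entry does ("formerly ..."). Also, `*.queue.core.windows.net` permits outbound traffic to every Azure Storage queue endpoint, not only the service's worker queue; if the queue account name is stable per pool or region, documenting it would let operators scope the rule, and otherwise the text should state that the wildcard is required. The "allow list" to "allowlist" change is applied consistently across these hunks.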
@@ -216,11 +341,11 @@ Azure virtual machines (VMs) might route traffic to certain Azure features throu
216
341
217
342
1.[Configure Azure traffic to run through service endpoints](/azure/virtual-network/virtual-network-service-endpoints-overview):
218
343
219
-
You can route traffic directly through Azure to avoid adding throughput to your network security groups or firewalls. You don't need to add the domains listed in the following option to an allow list.
344
+
You can route traffic directly through Azure to avoid adding throughput to your network security groups or firewalls. You don't need to add the domains listed in the following option to an allowlist.
220
345
221
346
For example, you can use the [data disk](./configure-storage.md) feature to involve network calls to Azure Storage. When you enable **Microsoft.Storage** service endpoint on your network, traffic routes directly through Azure, which avoids your network rules and reduces load.
222
347
223
-
1. To avoid routing traffic through service endpoints, add the `md-*.blob.storage.azure.net` domain to your allow list. This domain is required for [configuring a data disk](./configure-storage.md).
348
+
1. To avoid routing traffic through service endpoints, add the `md-*.blob.storage.azure.net` domain to your allowlist. This domain is required for [configuring a data disk](./configure-storage.md).
224
349
225
350
### Akamai CDN delivery IPs
226
351
@@ -230,7 +355,7 @@ On May 1, 2025, Azure DevOps CDN assets transitioned to a solution served by Aka
230
355
-[Azure CDN from Edgio retirement FAQ](/previous-versions/azure/cdn/edgio-retirement-faq)
231
356
-[Akamai TechDocs: Origin IP access control list](https://techdocs.akamai.com/origin-ip-acl/docs/update-your-origin-server)
232
357
233
-
If you configure your Azure DevOps pipeline to run inside a container, you need to also add the source of the container image (Docker or Azure Container Registry) to an allow list.
358
+
If you configure your Azure DevOps pipeline to run inside a container, you need to also add the source of the container image (Docker or Azure Container Registry) to an allowlist.
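Review bot: "Docker or Azure Container Registry" mixes a tool with a registry service; the image source that needs allowlisting is the registry host the image is pulled from (for example Docker Hub, or your Azure Container Registry login server), so naming it that way keeps readers from allowlisting the wrong thing.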