title | titleSuffix | description | ms.topic | ms.technology | ms.reviewer | ms.author | author | monikerRange | ms.date |
---|---|---|---|---|---|---|---|---|---|
Add IP addresses and URLs to allow list | Azure DevOps | Add IP addresses and URLs to the Allow list for Azure DevOps and troubleshoot network connections. | reference | devops-security | jominana | ChComley | chcomley | >= tfs-2015 | 11/19/2020 |
If your organization is secured with a firewall or proxy server, you need to add certain IP addresses and domain URLs to the Allow list. Adding them to the Allow list helps to ensure that you have the best experiences with Azure DevOps.
For the best experience with Visual Studio and Azure Services, open select ports and protocols. For more information, see Install and use Visual Studio behind a firewall or proxy server, Use Visual Studio and Azure Services.
Network connection issues can occur when your security appliances block connections. Visual Studio uses TLS 1.2. When you're using NuGet or connecting from Visual Studio 2015 and later, update the security appliances to support TLS 1.2 for the following connections.
To ensure your organization works with any existing firewall or IP restrictions, ensure that dev.azure.com and *.dev.azure.com are open.
management.core.windows.net
login.microsoftonline.com
login.live.com
go.microsoft.com
graph.microsoft.com
app.vssps.dev.azure.com
app.vssps.visualstudio.com
aadcdn.msauth.net
aadcdn.msftauth.net
amcdn.msftauth.net
windows.net
microsoftonline.com
visualstudio.com
microsoft.com
live.com
dev.azure.com
azure.microsoft.com
management.azure.com
azurecomcdn.azureedge.net
amp.azure.net
aexprodea1.vsaex.visualstudio.com
management.core.windows.net
aex.dev.azure.com
app.vssps.dev.azure.com
app.vssps.visualstudio.com
vstsagentpackage.azureedge.net
cdn.vsassets.io (hosts Azure DevOps Content Delivery Networks (CDNs) content)
gallerycdn.vsassets.io (hosts Azure DevOps extensions)
static2.sharepointonline.com (hosts some resources that Azure DevOps uses in "office fabric" UI kit for fonts, and so on)
*.vstmrblob.vsassets.io (hosts Azure DevOps TCM log data)
vsrm.dev.azure.com (package feed)
Azure DevOps uses CDNs to serve static content. Ensure the following CDNs are allowed.
*.vsassets.io
*.gallerycdn.vsassets.io (Marketplace)
Users in China should also add the following domains to an allow list:
*.vsassetscdn.azure.cn
*.gallerycdn.azure.cn (Marketplace)
We recommend you open port 443 to all traffic on these IP addresses and domains. We also recommend you open port 22 to a smaller subset of targeted IP addresses.
*.blob.core.windows.net
*.visualstudio.com
- all IP addresses in the "name": "Storage.{your region}" section of this file (updated weekly): Azure IP ranges and Service Tags - Public Cloud
azurewebsites.net
nuget.org
Note
Privately owned NuGet server URLs may not be included in the list above. You can check the NuGet servers you're using by opening up %APPData%\Nuget\NuGet.Config.
Ensure the following IP addresses are allowed for outbound connection, so your organization works with any existing firewall or IP restrictions. The endpoint data in the following chart lists requirements for connectivity from a user's machine to Azure DevOps Services. The list doesn't include network connections from Microsoft into a customer network, sometimes called hybrid or inbound network connections. Azure Service Tags are not supported for outbound connection.
IP V4 ranges | IP V6 ranges |
---|---|
13.107.6.0/24 | 2620:1ec:4::/48 |
13.107.9.0/24 | 2620:1ec:a92::/48 |
13.107.42.0/24 | 2620:1ec:21::/48 |
13.107.43.0/24 | 2620:1ec:22::/48 |
If you're currently allow-listing the 13.107.6.183 and 13.107.9.183 IP addresses, leave them in place, as you don't need to remove them.
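The following added example (not part of the original article) audits an existing firewall allow list against the outbound ranges above and reports which ranges are fully covered, only partly covered (for example by a legacy single-address rule), or missing. The `EXISTING` rule set is a constructed, hypothetical sample.

```python
import ipaddress

# Outbound ranges from the table above.
REQUIRED = [
    "13.107.6.0/24", "13.107.9.0/24", "13.107.42.0/24", "13.107.43.0/24",
    "2620:1ec:4::/48", "2620:1ec:a92::/48", "2620:1ec:21::/48", "2620:1ec:22::/48",
]

# Constructed example of rules already present on a firewall (hypothetical).
EXISTING = [
    "13.107.6.183/32",                     # legacy single-address rule
    "13.107.9.0/24",
    "13.107.42.0/25", "13.107.42.128/25",  # two halves of one /24
    "2620:1ec:4::/48",
    "2620:1ec:a92::183/128",
]


def audit_allow_list(existing, required=REQUIRED):
    """Map each required CIDR to 'covered', 'partial' or 'missing'."""
    rules = [ipaddress.ip_network(r, strict=False) for r in existing]
    report = {}
    for cidr in required:
        need = ipaddress.ip_network(cidr)
        # Merge adjacent rules of the same family so split ranges count as one.
        merged = list(ipaddress.collapse_addresses(
            r for r in rules if r.version == need.version))
        if any(need.subnet_of(r) for r in merged):
            report[cidr] = "covered"
        elif any(r.subnet_of(need) for r in merged):
            report[cidr] = "partial"   # only some addresses in the range allowed
        else:
            report[cidr] = "missing"
    return report


if __name__ == "__main__":
    for cidr, status in audit_allow_list(EXISTING).items():
        print(f"{status:8} {cidr}")
```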
Ensure the following IP addresses are allowed for inbound connection, so your organization works with any existing firewall or IP restrictions. The endpoint data in the following chart lists requirements for connectivity from Azure DevOps Services to customers' on-prem or other cloud services. The inbound connection applies to the following scenarios.
- Azure DevOps Services connecting to endpoints for Service Hooks
- Azure DevOps Services connecting to customer-controlled SQL Azure VMs for Data Import
- Azure Pipelines connecting to on-prem source code repositories such as GitHub Enterprise or BitBucket Server
- Azure DevOps Services Audit Streaming connecting to on-prem or cloud-based Splunk.
Region | IP V4 ranges |
---|---|
Australia East | 20.37.194.0/24 |
Australia South East | 20.42.226.0/24 |
Brazil South | 191.235.226.0/24 |
Central Canada | 52.228.82.0/24 |
East Asia (Hong Kong) | 20.189.107.0/24 |
South India | 20.41.194.0/24 |
Central United States | 20.37.158.0/23 |
West Central United States | 52.150.138.0/24 |
East United States | 20.42.5.0/24 |
East 2 United States | 20.41.6.0/23 |
North United States | 40.80.187.0/24 |
South United States | 40.119.10.0/24 |
West United States | 40.82.252.0/24 |
West 2 United States | 20.42.134.0/23 |
Western Europe | 40.74.28.0/23 |
United Kingdom South | 51.104.26.0/24 |
Azure Service Tags are supported for inbound connection. Instead of allowing the IP ranges listed above, you may use the AzureDevOps service tag for Azure Firewall and Network Security Group (NSG) or on-prem firewall via a JSON file download.
The Service Tag does not apply to Microsoft Hosted Agents. Customers are still required to allow the entire geography for the Microsoft Hosted Agents. If allowing the entire geography is a concern, we recommend using the Azure Virtual Machine Scale Set Agents. The Scale Set Agents are a form of self-hosted agents that can be auto-scaled to meet your demands.
40.82.190.38
52.108.0.0/14
52.237.19.6
52.238.106.116/32
52.244.37.168/32
52.244.203.72/32
52.244.207.172/32
52.244.223.198/32
52.247.150.191/32
For more information, see Worldwide endpoints and Adding IP address rules.
If you need to connect to Git repositories on Azure DevOps with SSH, you need to allow requests to port 22 for the following IP addresses:
ssh.dev.azure.com
vs-ssh.visualstudio.com
- all IP addresses in the "name": "AzureDevOps" section of this downloadable file (updated weekly) named: Azure IP ranges and Service Tags - Public Cloud
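Because the Service Tags file is updated weekly, firewall rules built from it need a repeatable refresh. This added example (not part of the original article) reads the prefixes for one tag, such as `AzureDevOps` or `Storage.{your region}`, and diffs two downloads of the file. The field names `values`, `properties` and `addressPrefixes` are assumed from the file's published layout rather than taken from this page, and both snapshots are constructed samples.

```python
import ipaddress
import json


def tag_prefixes(doc, tag_name):
    """Return the set of networks listed for one service tag in the JSON file."""
    for entry in doc["values"]:
        if entry["name"].lower() == tag_name.lower():
            return {ipaddress.ip_network(p)
                    for p in entry["properties"]["addressPrefixes"]}
    raise KeyError(f"service tag not found: {tag_name}")


def weekly_changes(old_doc, new_doc, tag_name="AzureDevOps"):
    """Diff two downloads; return (to_add, to_remove) as sorted CIDR strings."""
    old = tag_prefixes(old_doc, tag_name)
    new = tag_prefixes(new_doc, tag_name)
    key = lambda n: (n.version, n)   # IPv4 first, never compare across families
    return ([str(n) for n in sorted(new - old, key=key)],
            [str(n) for n in sorted(old - new, key=key)])


# Constructed snapshots (assumed layout; documentation ranges mark made-up data).
LAST_WEEK = json.loads("""
{"values": [
  {"name": "AzureDevOps", "properties": {"addressPrefixes":
    ["20.37.194.0/24", "20.42.226.0/24", "198.51.100.0/24"]}},
  {"name": "Storage.WestEurope", "properties": {"addressPrefixes":
    ["192.0.2.0/26"]}}
]}""")
THIS_WEEK = json.loads("""
{"values": [
  {"name": "AzureDevOps", "properties": {"addressPrefixes":
    ["20.37.194.0/24", "20.42.226.0/24", "203.0.113.0/24", "2001:db8:10::/48"]}},
  {"name": "Storage.WestEurope", "properties": {"addressPrefixes":
    ["192.0.2.0/26"]}}
]}""")

if __name__ == "__main__":
    to_add, to_remove = weekly_changes(LAST_WEEK, THIS_WEEK)
    for cidr in to_add:
        print("add    tcp/22 ->", cidr)
    for cidr in to_remove:
        print("remove tcp/22 ->", cidr)
```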
If your organization uses ExpressRoute, ensure the following addresses are allowed.
IP V4 ranges | IP V6 ranges |
---|---|
13.107.6.175/32 | 2620:1ec:a92::175/128 |
13.107.6.176/32 | 2620:1ec:a92::176/128 |
13.107.6.183/32 | 2620:1ec:a92::183/128 |
13.107.9.175/32 | 2620:1ec:4::175/128 |
13.107.9.176/32 | 2620:1ec:4::176/128 |
13.107.9.183/32 | 2620:1ec:4::183/128 |
13.107.42.18/32 | 2620:1ec:21::18/128 |
13.107.42.19/32 | 2620:1ec:21::19/128 |
13.107.42.20/32 | 2620:1ec:21::20/128 |
13.107.43.18/32 | 2620:1ec:22::18/128 |
13.107.43.19/32 | 2620:1ec:22::19/128 |
13.107.43.20/32 | 2620:1ec:22::20/128 |
For more information about Azure DevOps and ExpressRoute, see ExpressRoute for Azure DevOps.
If you use a Microsoft-hosted agent to run your jobs and you need information about which IP addresses are used, see Microsoft-hosted agents Agent IP ranges.
If you're running a firewall and your code is in Azure Repos, see Self-hosted Windows agents FAQs. This article has information about which URLs and IP addresses your private agent needs to communicate with.
For more information about hosted Windows and Linux agents, see Microsoft-hosted Agent IP ranges.
Currently, we don't publish hosted Mac IP address ranges.
During the import process, we highly recommend that you restrict access to your VM to only IPs from Azure DevOps. To restrict access, allow only connections from the set of Azure DevOps IPs, which were involved in the collection database import process. For information about identifying the correct IPs, see Azure DevOps Services IPs.