How does the internet connection work with Azure Virtual Machine Scale Sets as agents in Azure DevOps?

Julian Steven Molina Campos 100 Reputation points
2024-07-02T21:04:48.24+00:00

Currently, I am using Azure Virtual Machine Scale Set as self-hosted agents in Azure DevOps. I used this command to deploy and create the Scale Set:

az vmss create \
  --name vmssagentspool \
  --resource-group vmssagentsdemo \
  --image Ubuntu2204 \
  --vm-sku Standard_E2as_v5 \
  --storage-sku StandardSSD_LRS \
  --authentication-type SSH \
  --generate-ssh-keys \
  --instance-count 1 \
  --disable-overprovision \
  --upgrade-policy-mode manual \
  --single-placement-group false \
  --platform-fault-domain-count 1 \
  --load-balancer "" \
  --orchestration-mode Uniform \
  --priority Spot \
  --eviction-policy Delete \
  --max-price 0.013

Then I linked the Virtual Machine Scale Set to Azure DevOps as agents and everything works correctly, but I am wondering how the internet connection works with these instances. I am using the S3Upload@1 task to upload files to an AWS S3 bucket, and it works, but I don't understand how, because when I check the instance settings, it only has a private IP. So how does it manage to connect to the internet without a public IP?


Accepted answer
  1. Iheanacho Chukwu 995 Reputation points
    2024-07-03T00:02:12.3433333+00:00

    There are no additional costs for using Azure default outbound access.

    You may consider improving security by using Network Security Groups (NSGs), Azure Firewall, private endpoints, secure VNets, and continuous monitoring with Azure Monitor and Azure Security Center.

    Further Enhancements:

    Limit Access by IP:

    • Using an Azure NAT Gateway, you can provide a fixed IP address for outbound traffic from your VMSS instances.
    • Configure your AWS S3 bucket policy to allow access only from this IP address to enhance security.

    Review the Azure DevOps Security Best Practices for securing your network.

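The "Limit Access by IP" suggestion from the accepted answer, as an added example that is not part of the original answer: a NAT gateway gives the agents' subnet one fixed outbound IP, and a bucket policy denies object access from any other address. The resource group comes from the question; the VNet, subnet, public IP, gateway and bucket names are placeholders, and 203.0.113.10 is a documentation address.

```shell
#!/bin/sh
# Added example. RG is taken from the question; all other names are placeholders.
RG="vmssagentsdemo"
VNET="<vnet-name>"; SUBNET="<subnet-name>"   # network the scale set is attached to
PIP="agents-nat-pip"; NATGW="agents-natgw"   # hypothetical resource names

# Attach a NAT gateway with one static public IP to the agents' subnet and
# print that IP. Needs a logged-in Azure CLI, so it is defined but not called.
create_nat_gateway() {
  az network public-ip create -g "$RG" -n "$PIP" --sku Standard --allocation-method Static >/dev/null
  az network nat gateway create -g "$RG" -n "$NATGW" --public-ip-addresses "$PIP" >/dev/null
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" --nat-gateway "$NATGW" >/dev/null
  az network public-ip show -g "$RG" -n "$PIP" --query ipAddress -o tsv
}

# Accept only a dotted-quad IPv4 address (no CIDR suffix, octets 0-255), so a
# typo such as "1.2.3.4/0" cannot silently widen the policy.
is_ipv4() {
  case "$1" in *[!0-9.]*|*..*|.*|*.|"") return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Print a bucket policy that denies object reads/writes unless the request
# comes from the NAT IP. It only narrows access: the pipeline's AWS credentials
# still need their own Allow. Bucket-level actions are left out of the Deny so
# administrators are not locked out from other addresses.
s3_policy_for_ip() {
  ip=$1; bucket=$2
  is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyObjectAccessOutsideNatIp",
    "Effect": "Deny",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "Resource": "arn:aws:s3:::${bucket}/*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": "${ip}/32"}}
  }]
}
EOF
}
# Usage: s3_policy_for_ip "$(create_nat_gateway)" <bucket-name> > policy.json
```

The generated file can then be applied with `aws s3api put-bucket-policy --bucket <bucket-name> --policy file://policy.json`.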

1 additional answer

  1. Julian Steven Molina Campos 100 Reputation points
    2024-07-02T21:57:11.54+00:00

    OK, I understand, but I have more questions:

    Does the use of this underlying infrastructure have any additional cost, or will Azure just charge me for using the machines in the Scale Set?

    How secure is this configuration? Can these machines be used for CI/CD processes of government entities, banks, health systems, etc.?
