Azure Devops azure pipelines agents TCP connection failing - azure-devops

We are trying to start using the Azure Pipelines agents instead of Self hosted ones. While trying to convert over or Acceptance tests I am running into an issue with the agent not allowing our test to connect to an api we spin up with in the Agent that is running on port 44392. Noticed this post. How to open TCP port on localhost on VSTS build agent?, from a couple years ago and is pretty similar to how our test is working. Just wondering if the answer is still accurate or not.

Since your are using the Hosted Agents, which means that the machine is a shared resource between many Azure DevOps Organizations (tenants) and managed (and locked) down by Microsoft.
In other words, we do not provide end user to open port with these agents. The answer in your link is still valid.
You may have to install an agent on your own virtual machine and run the build there. The VM can be in the cloud or on premise. You trade simplicity and cheapness for full control.

Related

Connecting an Azure Devops Server instance to AD

Sorry for the noob question - I'm a developer and don't know much about Windows administration. I'm upgrading from TFS 2017 to Azure Devops Server (onPrem). This will be on a new set of boxes though so it's not an in-plaee upgrade. Right now I'm doing proof-of-concept testing on a machine not on our domain so obviously I can't add users from the domain. My question is once I install Azure Devops Server on a machine on the domain will it automatically sync with the corporate domain? I've read that that happens once an hour - I'm just wondering if there's anything I need to install/setup to make that happen.
What you need is to join the Windows server which installs Azure DevOps Server to Active Directory.
After that it will automatically sync with the corporate domain.
However, Azure DevOps use a background synchronization job, scheduled every hour, to look for changes in Active Directory (or the local machine workgroup if the server is not domain joined). So changes you make to local or Active Directory groups do not get reflected in Azure DevOps immediately. Instead, Azure DevOps will synchronize those groups regularly (by default every hour).
That's all required. After this, you could directly add domain users or groups to groups in Azure DevOps server.
You can also try to force Azure DevOps Server to sync with Active Directory by following instructions mentioned in this article: How to synchronize TFS users with AD (Active Directory)?, it's still available for current Azure DevOps Server versions.

Whitelisting Azure DevOps Pipeline

I have a server in AWS, which is hosting a security tool. Azure DevOps supports this tool and I've installed the add on for it. I've added the step to my Pipeline and configured the service connection.
We are using Hosted Agents in a Cloud AZD instance.
When I run my pipeline, I get the following error:
##[error][TOOL] API GET '/api/server/version' failed, error was: {"errno":"ETIMEDOUT","code":"ETIMEDOUT","syscall":"connect","address":"1.1.1.1","port":443}
In my AWS security group, I have allowed the Inbound IP's for Azure DevOps listed here https://learn.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops&tabs=IP-V4#ip-addresses-and-range-restrictions
I have also allowed the Geographical IP's for listed in the json file here https://www.microsoft.com/en-us/download/details.aspx?id=56519
If I allow all traffic for 443 through the security group as a test, this works as expected. This is not a solution however as this is a security tool and should not be public.
In my pipeline, I added a task to run a curl command to inspect the IP's of the pipeline. Neither of these ranges appear in any list I can find published.
51.142.72.0/24
51.142.229.0/24
I was advised to post here by AzureDevOps on Twitter for some help, so hopefully someone can assist me here.

What is the difference between Azure DevOps Service Hooks & Service Coonection

I am trying to understand the difference between Service Hooks and Service Connections in Azure DevOps.
Service Hooks and Service Connections both seem to do the same thing according to these description.
"Service connections enable you to connect to external and remote services to execute tasks in a job."
Service Connections
"Service hooks let you run tasks on other services when events happen in your Azure DevOps projects."
Service Hooks
None of these pages tell the reader the difference between service hooks and service connections. Even though I am sure each is used for a different purpose.
Service connections enable you to connect to external and remote services to execute tasks in a Azure pipeline job. For example, you may need to connect to your Microsoft Azure subscription, to a different build server or file server, to an online continuous integration environment, or to services you install on remote computers.
You could go to Project Settings>>Service connections page to see available service connections. And when you use tasks which required to connect to external and remote services, you will see it requires you to set up corresponding service connection. For example, if you use GitHub repository as the source repository in pipeline, you need to set up GitHub service connection.
In the meanwhile, Service hooks let you run tasks on other services when events happen in your Azure DevOps projects. You could go to Project Settings>>Service hooks page to integrate with your favorite services by notifying them when events happen in your project. For example, create a card in Trello when a work item is created or send a push notification to your team's mobile devices when a build fails.
You can also use service hooks in custom apps and services as a more efficient way to drive activities when events happen in your projects. Also you could create a service hook for Azure DevOps with Microsoft Teams, so members can get notified when builds are completed, work item updated, etc.

Deploy issue with Azure Release Pipeline

I am having trouble deploying files to my servers through the Release Pipelines.
I need to copy files to a Windows and a Linux server. I have tried using the file copy and the ssh file copy tasks, but they seem to be getting blocked because the microsoft servers aren't in my firewall whitelist. What is worse is that I can't seem to get a reliable list of IP's that I need to whitelist, and even if I did it seems they change over time.
So, any advice appreciated.
Also, I am a bit confused about the azure agent. My understanding was that you install them on the servers so that you don't need to worry about firewall issues. I just have the feeling I am missing something. I have no idea what that agent is doing at the moment - it certainly doesn't seem to be helping with the file deploy.
Thanks in advance!
Deploy issue with Azure Release Pipeline
Self-hosted agent: An agent that you set up and manage on your own to run jobs is a self-hosted agent.
To resolve this issue, you could create your private agent, then you can add the IP address of the machine where your private agent deployed to the firewall whitelist of your server machine.
In this case, Azure Release Pipeline runs on your private agent, and the IP of the machine where the private agent is located is added as a whitelist, so that it will not be blocked by the firewall of Windows and Linux servers.
You could refer the document Self-hosted agents to create your private agent.

Desired state configuration

I have two web servers and one service server and a database server and all these servers are domain joined. And I have set my private build agent from VSTS from where I can build my artifacts and based on build configuration. And all my DEV,QA and STAGING environments are setup on those servers.
My problem is i am looking for a way using PowerShell Desired state configuration such a way that based on the environment artifacts (DEV,QA and STAGING) the scripts has to copy the artifacts to specific location on those "TWO web-servers" and ensure the website is configured correctly with all the required permissions where these artifacts are used to host IIS website and perform the delete and creation action of particular windows service on "SERVICE service" and should also perform the migration activities on "DATABASE server" for particular database. since I have separated database for each individual environment.
Any kind of help or suggestion would be appreciated. thank you.
My suggestions are:
Don't use DSC for deployment (i.e. deploy applications or databases)
Use DSC for configuration (e.g. install IIS)
Install the VSTS Agent on each server in Deployment Groups mode, running as a service with local administrator privileges
Use the IIS Deploy Tasks designed for Deployment Groups
Use the Powershell Task to manage the Windows Services (tip. help *-Service)