Need IP Range from Visual Studio Team Service to c

Posted 2019-05-07 18:40

Question:

We have our infrastructure on AWS and our .NET projects are starting to use Visual Studio Team Service (VSTS) to provide CI/CD and manage the whole build/release process from there. We are using the Hosted Build Servers, but the deployment target is an IIS server on AWS (EC2 Windows 8 R2 IIS server).

I was trying to find out what the IP range for VSTS is in order to create the right Security Groups (SG) and add them to our EC2 instances, but I am unable to find the range. They provide the list by region, but I need something more specific like 10.73.0.0 - 10.73.255.255, so that I can do something like 10.73.0.0/16.

Is there any way to know what that IP range is? Right now in my POC I am using a too-open SG, but I need to restrict this.

Answer 1:

Visual Studio Team Service (VSTS) appears to be hosted in Azure. As a result you won't be able to get a more specific IP range list than the entire list of IPs for Azure, which are subject to change.

Azure publishes a list every Wednesday here: https://www.microsoft.com/en-us/download/confirmation.aspx?id=41653

And you will need to permit all the IP ranges for the region your account has been set up in.

My personal opinion is that this would be too difficult to maintain and you should look for other options to secure access, or consider a self-hosted equivalent of VSTS.

What IP Addresses are used by Hosted Build?

We have an XML document released every Wednesday that contains all of the IP ranges for Azure Datacenters broken out by region. Please see

https://www.microsoft.com/en-us/download/confirmation.aspx?id=41653

This file contains the Compute IP address ranges (including SQL ranges) used by the Microsoft Azure Datacenters. A new XML file will be uploaded every Wednesday (Pacific Time) with the new planned IP address ranges. New IP address ranges will be effective on the following Monday (Pacific Time). Please download the new XML file and perform the necessary changes on your site before Monday. The Hosted agent should be in the same region as your VSTS account, so you need to whitelist the IP address ranges for your region, which you can get from the link above. To verify your region in VSTS, navigate to the Settings page at:

https://<account>.visualstudio.com/_admin/_home/settings

Under Account you will see a field for Region.

  • https://www.visualstudio.com/team-services/support-visual-studio-team-services/#!articles/904-7274-what-ip-addresses-are-used-by-hosted-build


Answer 2:

So, since you know when the IP address XML changes thanks to Mark, you could write and schedule a Lambda function to change the security group.

Here is an AWS example of doing just that, but with the CloudFront distribution IP address ranges.

https://github.com/awslabs/aws-cloudfront-samples
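Putting Answer 1's weekly XML together with Answer 2's scheduled update, here is an added example in Python (the language one would use in such a Lambda); it is not code from the original post, from Microsoft or from the AWS sample repository. It parses one region's ranges out of the XML, validates every subnet, diffs them against what a security group already allows on the deployment port, and emits the IpPermissions structures that boto3's authorize_security_group_ingress / revoke_security_group_ingress accept, so only the deployment-port rules are touched and unrelated rules survive. The XML sample, the security group contents, the group ID and the port (8172, Web Deploy) are constructed for this example, and the XML element names are reproduced from memory of the download linked above; check them against the current file before relying on them.

```python
"""Plan security-group changes from the weekly Azure IP-range XML.

Added example, not code from the original post, Microsoft or AWS. The XML
element names (AzurePublicIpAddresses / Region / IpRange) follow the layout
of the download linked above as remembered here; check them against the
current file. SAMPLE_XML and SAMPLE_SG are constructed stand-ins for the
download and for one entry of ec2.describe_security_groups()["SecurityGroups"].
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the weekly file; the subnets are
# documentation ranges, not real Azure ranges.
SAMPLE_XML = """<AzurePublicIpAddresses>
  <Region Name="useast">
    <IpRange Subnet="203.0.113.0/25" />
    <IpRange Subnet="198.51.100.0/24" />
    <IpRange Subnet="192.0.2.0/24" />
  </Region>
  <Region Name="europewest">
    <IpRange Subnet="203.0.113.128/25" />
  </Region>
</AzurePublicIpAddresses>
"""

# Constructed security group: one stale Azure rule on the Web Deploy port
# (8172, an assumption) plus an unrelated RDP rule that must be left alone.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8172, "ToPort": 8172,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}, {"CidrIp": "203.0.113.192/26"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}

RULES_PER_SG = 60  # AWS default quota for inbound rules per security group


def parse_azure_ranges(xml_text, region):
    """Return the sorted IPv4 CIDRs listed for `region`.

    Each subnet goes through ipaddress.ip_network(strict=True), so a malformed
    entry or one with host bits set fails here instead of becoming a bad rule.
    """
    nets = []
    for reg in ET.fromstring(xml_text).iter("Region"):
        if reg.get("Name") != region:
            continue
        for entry in reg.iter("IpRange"):
            net = ipaddress.ip_network(entry.get("Subnet"), strict=True)
            if net.version == 4:
                nets.append(net)
    if not nets:
        raise ValueError(f"no IPv4 ranges for region {region!r}")
    return [str(n) for n in sorted(nets)]


def current_cidrs(sg, port):
    """IPv4 CIDRs the group already allows on TCP `port` (other rules ignored)."""
    found = set()
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == port == perm.get("ToPort"):
            found.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return found


def permission(port, cidrs, description=None):
    """Build one IpPermissions entry; the revoke side carries no description."""
    ranges = [{"CidrIp": c} for c in sorted(cidrs)]
    if description:
        for r in ranges:
            r["Description"] = description
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": ranges}


def plan_changes(desired, sg, port, description="azure-region-weekly"):
    """Return (authorize, revoke) IpPermissions for `port`; None where nothing changes."""
    have, want = current_cidrs(sg, port), set(desired)
    add, drop = want - have, have - want
    return (permission(port, add, description) if add else None,
            permission(port, drop) if drop else None)


def split_for_quota(cidrs, per_group=RULES_PER_SG):
    """Chunk a CIDR list so each chunk fits one group's inbound-rule quota."""
    return [cidrs[i:i + per_group] for i in range(0, len(cidrs), per_group)]


if __name__ == "__main__":
    wanted = parse_azure_ranges(SAMPLE_XML, "useast")
    authorize, revoke = plan_changes(wanted, SAMPLE_SG, 8172)
    # With boto3: ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=[authorize])
    print("authorize:", authorize)
    print("revoke:", revoke)
    print("groups needed for", len(wanted), "ranges:", len(split_for_quota(wanted)))
```

Two practical points the plan surfaces: a real region lists far more subnets than the default quota of 60 inbound rules per security group, which is why split_for_quota exists and why the answer's warning about maintainability stands; and the revoke is computed from the current group state rather than from last week's file, so ranges Microsoft drops are actually removed instead of accumulating.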



Answer 3:

You can get the IP address of the current build agent dynamically and create a security group dynamically (by using the AWS SDK for .NET):

  1. Open build definition > Select Options tab> Check Allow Scripts to Access OAuth Token
  2. Add PowerShell step/task (Arguments: -RestAddress https://starain.vsdtl.visualstudio.com/DefaultCollection/_apis/vslabs/ipaddress -Token $(System.AccessToken)).

PS:

Param (
    [string]$RestAddress,
    [string]$Token
    )
# The pipeline's OAuth token ($(System.AccessToken)) is sent as the password
# of a Basic-auth header; the user name part is ignored, so any value works.
$basicAuth = ("{0}:{1}" -f 'test',$Token)
$basicAuth = [System.Text.Encoding]::UTF8.GetBytes($basicAuth)
$basicAuth = [System.Convert]::ToBase64String($basicAuth)
$headers = @{Authorization=("Basic {0}" -f $basicAuth)}
# Ask VSTS which public IP address this hosted agent is using right now.
$result = Invoke-RestMethod -Uri $RestAddress -Headers $headers -Method Get
Write-Host $result.value
# Publish the address as pipeline variable CIP so later steps can pass it on.
Write-Host "##vso[task.setvariable variable=CIP;]$($result.value)"
  3. Add a PowerShell on Target Machines step/task to call the AWS console app. (You can pass the CIP variable from step 2 by specifying Script Arguments, such as -currentIP $(CIP).)

An article about creating a security group: Creating a Security Group in Amazon EC2
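As an added example (not the answer's own code, and in Python rather than the .NET console app the answer uses), here is the just-in-time version of step 3: validate the address the REST call returned before it becomes a rule, open a /32 on the deployment port for that agent only, and guarantee the rule is revoked whether the deployment succeeds or fails. The EC2 client is injected so the recorder class below can stand in for boto3.client("ec2") offline; the group ID, the sample agent IP and port 8172 (Web Deploy) are constructed assumptions, and reading the address from the CIP environment variable mirrors the pipeline variable set in step 2.

```python
"""Just-in-time /32 security-group rule for the current hosted build agent.

Added example, not code from the original answer. Assumes the preceding
pipeline step exported the agent's address as CIP and that the target is
reached on TCP 8172 (Web Deploy); the group ID and sample IP are constructed.
FakeEc2 stands in for boto3.client("ec2") so the logic runs offline.
"""
import contextlib
import ipaddress
import os


def is_public_ipv4(ip):
    """True only for a syntactically valid, globally routable IPv4 address.

    The value comes out of an HTTP response, so an empty string, 0.0.0.0,
    a private range or an IPv6 literal must be rejected rather than turned
    into a rule that opens the port to the wrong place.
    """
    try:
        addr = ipaddress.ip_address(str(ip).strip())
    except ValueError:
        return False
    return addr.version == 4 and addr.is_global


def agent_permission(ip, port):
    """Build the IpPermissions entry for one agent address as a /32."""
    if not is_public_ipv4(ip):
        raise ValueError(f"refusing to allowlist non-public address {ip!r}")
    cidr = f"{ipaddress.ip_address(str(ip).strip())}/32"
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": "vsts-hosted-agent-jit"}]}


@contextlib.contextmanager
def agent_access(ec2, group_id, ip, port):
    """Authorize the agent's /32 for the duration of the with-block.

    The revoke sits in `finally` so a failed deployment never leaves the
    hole open, and the same permission dict is passed to both calls so they
    always refer to the same rule.
    """
    perm = agent_permission(ip, port)
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[perm])
    try:
        yield perm
    finally:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[perm])


def deploy_with_agent_access(ec2, group_id, agent_ip, port=8172, deploy=lambda: "deployed"):
    """Run `deploy` (the Web Deploy call in real life) inside the JIT window."""
    with agent_access(ec2, group_id, agent_ip, port):
        return deploy()


class FakeEc2:
    """Records authorize/revoke calls in place of a real EC2 client (constructed)."""

    def __init__(self):
        self.calls = []

    def _record(self, kind, kw):
        self.calls.append((kind, kw["GroupId"], kw["IpPermissions"][0]["IpRanges"][0]["CidrIp"]))
        return {"Return": True}

    def authorize_security_group_ingress(self, **kw):
        return self._record("authorize", kw)

    def revoke_security_group_ingress(self, **kw):
        return self._record("revoke", kw)


def simulate(fail=False, group_id="sg-0123456789abcdef0", agent_ip="40.112.1.2"):
    """Drive one deployment against FakeEc2 and return the recorded calls.

    With fail=True the deployment raises, which shows the revoke still runs.
    """
    fake = FakeEc2()

    def deploy():
        if fail:
            raise RuntimeError("deploy failed")
        return "deployed"

    try:
        deploy_with_agent_access(fake, group_id, agent_ip, deploy=deploy)
    except RuntimeError:
        pass
    return fake.calls


if __name__ == "__main__":
    # In the pipeline step, CIP is the variable set by the script above.
    ip = os.environ.get("CIP", "40.112.1.2")
    print("agent rule:", agent_permission(ip, 8172))
    print("calls on success:", simulate(False))
    print("calls on failure:", simulate(True))
```

Compared with creating a new security group per build, as the answer suggests, adding and removing a single described /32 in an existing group leaves nothing behind to garbage-collect and keeps the group's other rules untouched; the description makes any rule that does survive a crashed run easy to find and clean up.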