To prepare a Network Security Group (NSG) named az400-38443478-nsg1 for hosting an Azure DevOps pipeline agent, allowing only the outbound port the agent needs to reach Azure DevOps and denying all other inbound and outbound access to the Internet, follow these steps:
Create the NSG:
Navigate to the Azure Portal.
Go to Network Security Groups and click on + Create.
Fill in the details, including the name az400-38443478-nsg1, and create the NSG.
Configure Outbound Security Rules:
Once the NSG is created, go to its settings.
Navigate to Outbound security rules.
Click on + Add to create a new rule.
Set the Destination to the AzureDevOps service tag (or Any if you prefer a broader rule) and the Destination port ranges to 443, the HTTPS port the agent uses to reach Azure DevOps. The agent initiates every connection itself, so no inbound port is required.
Set the Protocol to TCP.
Set the Action to Allow.
Assign a Priority number (e.g., 100) that does not conflict with existing rules. Custom rules accept priorities from 100 to 4096, and the lowest number is evaluated first, so this rule must sort before the deny rule added in the next step.
Provide a meaningful Name for the rule (e.g., AllowAzureDevOps).
Add a Rule to Deny All Other Outbound Traffic:
The default rules (AllowVnetOutBound at priority 65000, AllowInternetOutBound at 65001 and DenyAllOutBound at 65500) cannot be edited or deleted. Because AllowInternetOutBound would otherwise permit all other Internet traffic, add a custom Outbound rule in the same Outbound security rules section with a priority number higher than the allow rule (e.g., 4096, the highest a custom rule can take) and set its Action to Deny.
Set its Protocol to Any, Source to Any, Source port ranges to *, Destination to the Internet service tag (or Any), and Destination port ranges to *, so that it applies to everything the allow rule does not match.
Inbound access from the Internet is already denied by the default DenyAllInBound rule (priority 65500); do not add inbound Allow rules for the agent. If the agent must reach other services (package feeds, container registries), add a separate narrow Allow rule per destination rather than widening the Azure DevOps rule.
Associate the NSG with the Appropriate Resource:
Associate the NSG with the subnet or network interface of the virtual machine or resource where the Azure DevOps pipeline agent will be hosted.
By following these steps, the Azure DevOps pipeline agent can communicate with Azure DevOps services over the required port while all other inbound and outbound Internet access is blocked, adhering to the principle of least privilege.
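The same four steps scripted with the Azure CLI, as an added example that is not part of the original answer. The resource group, location, virtual network and subnet names are assumptions (they are not in the original); only the NSG name is taken from the text. Unlike the Portal walkthrough, the allow rule is scoped to the AzureDevOps service tag rather than Any, and the deny rule targets the Internet service tag so that traffic inside the virtual network is still governed by the default rules. Run it with the argument apply after az login; without that argument it only defines the functions.

```bash
#!/usr/bin/env bash
# Added example, not the original answer's code: builds the NSG described above with the Azure CLI.
# Assumed names (not in the original): resource group, location, virtual network and subnet below.
# Run with "apply" after `az login`; without it only the functions are defined.
set -eu

NSG_NAME="az400-38443478-nsg1"
RG_NAME="${RG_NAME:-az400-rg}"          # assumption
LOCATION="${LOCATION:-eastus}"          # assumption
VNET_NAME="${VNET_NAME:-az400-vnet}"    # assumption
SUBNET_NAME="${SUBNET_NAME:-agents}"    # assumption

# Custom NSG rules take priorities 100..4096; the lowest number is evaluated first,
# so the allow rule must sort before the catch-all deny.
ALLOW_PRIORITY=100
DENY_PRIORITY=4096

# Pure check run before any call to Azure: both priorities in range, allow before deny.
priority_ok() {
  allow="$1"; deny="$2"
  [ "$allow" -ge 100 ] && [ "$allow" -le 4096 ] &&
  [ "$deny" -ge 100 ] && [ "$deny" -le 4096 ] &&
  [ "$allow" -lt "$deny" ]
}

# Step 1: create the NSG.
create_nsg() {
  az network nsg create --resource-group "$RG_NAME" --name "$NSG_NAME" \
    --location "$LOCATION" --output none
}

# Step 2: allow TCP/443 outbound only to the AzureDevOps service tag, not to the whole Internet.
allow_azure_devops_out() {
  az network nsg rule create --resource-group "$RG_NAME" --nsg-name "$NSG_NAME" \
    --name AllowAzureDevOpsHttpsOut --direction Outbound --access Allow \
    --protocol Tcp --priority "$ALLOW_PRIORITY" \
    --source-address-prefixes VirtualNetwork --source-port-ranges '*' \
    --destination-address-prefixes AzureDevOps --destination-port-ranges 443 \
    --output none
}

# Step 3: the default AllowInternetOutBound rule (65001) cannot be edited, so a custom
# Deny to the Internet tag, numbered above the allow rule, takes precedence over it.
deny_internet_out() {
  az network nsg rule create --resource-group "$RG_NAME" --nsg-name "$NSG_NAME" \
    --name DenyInternetOut --direction Outbound --access Deny \
    --protocol '*' --priority "$DENY_PRIORITY" \
    --source-address-prefixes '*' --source-port-ranges '*' \
    --destination-address-prefixes Internet --destination-port-ranges '*' \
    --output none
}

# Step 4: attach the NSG to the subnet that hosts the agent VM.
associate_subnet() {
  az network vnet subnet update --resource-group "$RG_NAME" --vnet-name "$VNET_NAME" \
    --name "$SUBNET_NAME" --network-security-group "$NSG_NAME" --output none
}

# Verification: list outbound rules, defaults included, to confirm the evaluation order.
show_outbound_rules() {
  az network nsg rule list --resource-group "$RG_NAME" --nsg-name "$NSG_NAME" \
    --include-default --output table \
    --query "[?direction=='Outbound'].{name:name,priority:priority,access:access,dst:destinationAddressPrefix,port:destinationPortRange}"
}

if [ "${1:-}" = "apply" ]; then
  priority_ok "$ALLOW_PRIORITY" "$DENY_PRIORITY" || { echo "bad rule priorities" >&2; exit 1; }
  create_nsg
  allow_azure_devops_out
  deny_internet_out
  associate_subnet
  show_outbound_rules
fi
```

In the final listing, AllowAzureDevOpsHttpsOut (100) should appear above DenyInternetOut (4096), which in turn sits above the default AllowInternetOutBound (65001); if the deny rule were given a lower number than the allow rule, the agent would lose its connection to Azure DevOps, which is what the priority_ok check guards against.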