Azure Managed DevOps Pools make life easier

07 Mar 2025 🔖 azure devops security

Azure Managed DevOps Pools is a new service that allows Azure customers to provision privately networked Azure Pipelines agents that Microsoft automatically keeps at feature/fix parity with their public equivalents.

This is awesome, because you used to have to be a server administration and containerization expert to run privately networked CI/CD pipelines in Azure DevOps (“ADO”)!

Problem: managed Microsoft-hosted agents are public

Microsoft-hosted agents enable Azure Pipelines to automatically build code stored in Azure Repos into runnable artifacts.

However, because they exist on the public internet, their (rapidly changing and widely shared) IP addresses are forbidden from deploying those artifacts into privately networked target runtimes, such as:

  1. on-prem servers
  2. privately networked Azure App Service instances.

Problem: private self-hosted agents are unmanaged

Self-hosted agents enable Azure Pipelines to deploy built artifacts into privately networked target runtimes, but:

  1. they are difficult to provision, configure, and maintain to acceptable security, reliability, and availability standards.
  2. they do not come with the rich feature set of Microsoft-hosted agents, so they cannot build any codebase whose requirements were not thought out in advance.
    • (Do your developers want to build from a .NET 8 codebase? Too bad for them if you forgot to install anything but a .NET 6 SDK onto your self-hosted agent.)

Solution: private managed agent pools

Luckily, the Microsoft team that produces Microsoft-hosted agents found that Microsoft’s internal developers were also struggling with the self-hosted agent challenges above.

(In fact, on RunAsRadio podcast episode #972, Eliza Tarasila shared that one self-hosted agent was even found under a developer’s desk!)

Five years ago, they created Azure Managed DevOps Pools in response.

Two years ago, they started working on making it a public service, and in November of 2024, it became generally available to all Azure customers.

Implementation tips

Azure resource type: Microsoft.DevOpsInfrastructure/pools.

Managed DevOps Pools are publicly networked by default. To provision one into a privately networked subnet:

  1. Specify an Azure VNET subnet’s resource ID for the VmssFabricProfile.networkProfile.subnetId property of your Microsoft.DevOpsInfrastructure/pools resource.
    • You want the subnet hosting your Managed DevOps Pool to be able to reach the subnet hosting your deployment-target runtime (e.g. Azure App Service, an on-prem server).
    • This is easier said than done if you have no idea how to set up networking in Azure. That’s why I haven’t yet published an example! Coming soon, I hope. 😅
    • Presumably, someone at your company does know how, and can provide an appropriate subnet resource ID for your Managed DevOps Pool.
  2. When you register the Microsoft.DevOpsInfrastructure Azure resource provider, Microsoft automatically provisions a service principal named “DevOpsInfrastructure” into your Entra ID tenant.
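
As an added example (not from the original post or from Microsoft), here is a Python check over an ARM template that flags any Managed DevOps Pool left on the publicly networked default. It assumes the property sits at `properties.fabricProfile.networkProfile.subnetId` in template JSON; the `audit_pools` helper and every pool name and ID in the sample are constructed for illustration.

```python
import re

POOL_TYPE = "microsoft.devopsinfrastructure/pools"
# General shape of an Azure VNET subnet resource ID.
SUBNET_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Network/virtualNetworks/[^/]+/subnets/[^/]+$",
    re.IGNORECASE,
)

def audit_pools(template):
    """Return {pool name: 'private' | 'public' | 'unresolved' | 'malformed'}."""
    findings = {}
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != POOL_TYPE:
            continue
        # Assumed JSON path: properties.fabricProfile.networkProfile.subnetId
        fabric = (res.get("properties") or {}).get("fabricProfile") or {}
        subnet = (fabric.get("networkProfile") or {}).get("subnetId")
        if not subnet:
            status = "public"      # nothing set: the publicly networked default
        elif subnet.startswith("["):
            status = "unresolved"  # template expression; check the parameter value
        elif SUBNET_ID.match(subnet):
            status = "private"
        else:
            status = "malformed"   # set, but not a subnet resource ID
        findings[res.get("name", "<unnamed>")] = status
    return findings

# Constructed sample template; every name and ID below is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
VNET = SUB + "/providers/Microsoft.Network/virtualNetworks/vnet-example"

def _pool(name, subnet_id=None):
    net = {"subnetId": subnet_id} if subnet_id else {}
    return {"type": "Microsoft.DevOpsInfrastructure/pools", "name": name,
            "properties": {"fabricProfile": {"networkProfile": net}}}

SAMPLE = {"resources": [
    _pool("pool-default"),                              # no subnet configured
    _pool("pool-private", VNET + "/subnets/agents"),    # full subnet resource ID
    _pool("pool-param", "[parameters('agentSubnetId')]"),
    _pool("pool-typo", VNET),                           # VNET ID, not a subnet ID
    {"type": "Microsoft.Storage/storageAccounts", "name": "stexample"},
]}

print(audit_pools(SAMPLE))
```

A `private` result only confirms that a subnet resource ID is set; whether that subnet can reach the deployment target is still a networking question.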