Allowed IP addresses and domain URLs
Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
If your organization is secured with a firewall or proxy server, you must add certain internet protocol (IP) addresses and domain uniform resource locators (URLs) to the allowlist. Adding these IPs and URLs to the allowlist helps to ensure that you have the best experience with Azure DevOps. You know that you need to update your allowlist if you can't access Azure DevOps on your network. See the following sections in this article:
Tip
So that Visual Studio and Azure Services work well with no network issues, open select ports and protocols. For more information, see Install and use Visual Studio behind a firewall or proxy server, Use Visual Studio and Azure Services.
IP addresses and range restrictions
Outbound connections
Outbound connections target other dependent sites. Examples of such connections include:
- Browsers connecting to Azure DevOps website as users go to and use features of Azure DevOps
- Azure Pipelines agents installed on your organization's network connecting to Azure DevOps to poll for pending jobs
- CI events sent from a source code repository hosted within your organization's network to Azure DevOps
Ensure the following IP addresses are allowed for outbound connections, so your organization works with any existing firewall or IP restrictions. The endpoint data in the following chart lists requirements for connectivity from a machine in your organization to Azure DevOps Services.
13.107.6.0/24
13.107.9.0/24
13.107.42.0/24
13.107.43.0/24
If you're currently allowing the 13.107.6.183
and 13.107.9.183
IP addresses, leave them in place, as you don't need to remove them.
Note
Azure Service Tags aren't supported for outbound connections.
Inbound connections
Inbound connections originate from Azure DevOps and target resources within your organization's network. Examples of such connections include:
- Azure DevOps Services connecting to endpoints for Service Hooks
- Azure DevOps Services connecting to customer-controlled SQL Azure VMs for Data Import
- Azure Pipelines connecting to on-premises source code repositories such as GitHub Enterprise or Bitbucket Server
- Azure DevOps Services Audit Streaming connecting to on-premises or cloud-based Splunk
Ensure the following IP addresses are allowed for inbound connections, so your organization works with any existing firewall or IP restrictions. The endpoint data in the following chart lists requirements for connectivity from Azure DevOps Services to your on-premises or other cloud services.
Geography | Region | IP V4 ranges |
---|---|---|
Australia | Australia East | 20.37.194.0/24 |
Australia South East | 20.42.226.0/24 | |
Brazil | Brazil South | 191.235.226.0/24 |
Canada | Central Canada | 52.228.82.0/24 |
Asia Pacific | Southeast Asia (Singapore) | 20.195.68.0/24 |
India | South India | 20.41.194.0/24 |
Central India | 20.204.197.192/26 | |
United States | Central United States | 20.37.158.0/23 |
West Central United States | 52.150.138.0/24 | |
East United States | 20.42.5.0/24 | |
East 2 United States | 20.41.6.0/23 | |
North United States | 40.80.187.0/24 | |
South United States | 40.119.10.0/24 | |
West United States | 40.82.252.0/24 | |
West 2 United States | 20.42.134.0/23 | |
West 3 United States | 20.125.155.0/24 | |
Europe | Western Europe | 40.74.28.0/23 |
North Europe | 20.166.41.0/24 | |
United Kingdom | United Kingdom South | 51.104.26.0/24 |
Azure Service Tags are supported only for inbound connections. Instead of allowing the previously listed IP ranges, you may use the AzureDevOps service tag for Azure Firewall and Network Security Group (NSG) or on-premises firewall via a JSON file download.
Note
The Service Tag or previously mentioned inbound IP addresses don't apply to Microsoft Hosted agents. Customers are still required to allow the entire geography for the Microsoft Hosted agents. If allowing the entire geography is a concern, we recommend using the Azure Virtual Machine Scale Set agents. The Scale Set agents are a form of self-hosted agents that can be auto-scaled to meet your demands.
Hosted macOS agents are hosted in GitHub's macOS cloud. IP ranges can be retrieved using the GitHub metadata API using the instructions provided here.
Other IP addresses
Most of the following IP addresses pertain to Microsoft 365 Common and Office Online.
40.82.190.38
52.108.0.0/14
52.237.19.6
52.238.106.116/32
52.244.37.168/32
52.244.203.72/32
52.244.207.172/32
52.244.223.198/32
52.247.150.191/32
For more information, see Worldwide endpoints and Adding IP address rules.
Azure DevOps ExpressRoute connections
If your organization uses ExpressRoute, ensure the following IP addresses are allowed for both outbound and inbound connections.
13.107.6.175/32
13.107.6.176/32
13.107.6.183/32
13.107.9.175/32
13.107.9.176/32
13.107.9.183/32
13.107.42.18/32
13.107.42.19/32
13.107.42.20/32
13.107.43.18/32
13.107.43.19/32
13.107.43.20/32
For more information about Azure DevOps and ExpressRoute, see ExpressRoute for Azure DevOps.
Allowed Domain URLs
Network connection issues could occur because of your security appliances, which may be blocking connections - Visual Studio uses TLS 1.2 and above. When you're using NuGet or connecting from Visual Studio 2015 and later, update the security appliances to support TLS 1.2 and above for the following connections.
To ensure your organization works with any existing firewall or IP restrictions, ensure that dev.azure.com
and *.dev.azure.com
are open.
The following section includes the most common domain URLs to support sign in and licensing connections.
https://dev.azure.com
https://*.dev.azure.com
https://aex.dev.azure.com
https://aexprodea1.vsaex.visualstudio.com
https://*vstmrblob.vsassets.io
https://amp.azure.net
https://app.vssps.dev.azure.com
https://app.vssps.visualstudio.com
https://*.vsblob.visualstudio.com
https://*.vssps.visualstudio.com
https://*.vstmr.visualstudio.com
https://azure.microsoft.com
https://go.microsoft.com
https://graph.microsoft.com
https://login.microsoftonline.com
https://management.azure.com
https://management.core.windows.net
https://microsoft.com
https://microsoftonline.com
https://static2.sharepointonline.com
https://visualstudio.com
https://vsrm.dev.azure.com
https://vstsagentpackage.azureedge.net
https://*.windows.net
https://{organization_name}.visualstudio.com
https://{organization_name}.vsrm.visualstudio.com
https://{organization_name}.vstmr.visualstudio.com
https://{organization_name}.pkgs.visualstudio.com
https://{organization_name}.vssps.visualstudio.com
Azure DevOps uses content delivery network (CDN) to serve static content. The following URLs are part of that.
https://cdn.vsassets.io
https://*.vsassets.io
https://*gallerycdn.vsassets.io
https://aadcdn.msauth.net
https://aadcdn.msftauth.net
https://amcdn.msftauth.net
https://azurecomcdn.azureedge.net
The following endpoints are used to authenticate Azure DevOps organizations using a Microsoft Account (MSA). These endpoints are only needed for Azure DevOps organizations backed by Microsoft Accounts (MSA). Azure DevOps organizations backed a Microsoft Entra tenant doesn't need the following URLs.
https://live.com
https://login.live.com
The following URL is required if you're migrating from Azure DevOps server to the cloud service using our data migration tool.
https://dataimport.dev.azure.com
Note
Azure DevOps uses Content Delivery Networks (CDNs) to serve static content. Users in China should also add the following domain URLs to an allowlist:
https://*.vsassetscdn.azure.cn
https://*.gallerycdn.azure.cn
We recommend you open port 443
to all traffic on the following IP addresses and domains. We also recommend you open port 22
to a smaller subset of targeted IP addresses.
More domain URLs | Descriptions |
---|---|
https://login.microsoftonline.com | Authentication and sign-in related |
https://*.vssps.visualstudio.com | Authentication and sign-in related |
https://*gallerycdn.vsassets.io | Hosts Azure DevOps extensions |
https://*vstmrblob.vsassets.io | Hosts Azure DevOps TCM log data |
https://cdn.vsassets.io | Hosts Azure DevOps Content Delivery Networks (CDNs) content |
https://static2.sharepointonline.com | Hosts some resources that Azure DevOps uses in "office fabric" UI kit for fonts, and so on |
https://vsrm.dev.azure.com | Hosts releases |
https://vstsagentpackage.azureedge.net | Required to set up self-hosted agent in machines within your network |
https://amp.azure.net | Needed for deploying to Azure app service |
https://go.microsoft.com | Accesses go links |
Azure Artifacts
Ensure the following domain URLs are allowed for Azure Artifacts:
https://*.blob.core.windows.net
https://*.visualstudio.com
https://*.dedup.microsoft.com
Also allow all IP addresses in the "name": "Storage.{region}" section of the following file (updated weekly): Azure IP ranges and Service Tags - Public Cloud. {region} is the same Azure Geography as your organization.
NuGet connections
Ensure the following domain URLs are allowed for NuGet connections:
https://azurewebsites.net
https://*.nuget.org
Note
Privately owned NuGet server URLs might not be included in the previous list. You can check the NuGet servers you're using by opening %APPData%\Nuget\NuGet.Config
.
SSH connections
If you need to connect to Git repositories on Azure DevOps with SSH, allow requests to port 22 for the following hosts:
ssh.dev.azure.com
vs-ssh.visualstudio.com
Also allow IP addresses in the "name": "AzureDevOps" section of this downloadable file (updated weekly) named: Azure IP ranges and Service Tags - Public Cloud
Azure Pipelines Microsoft-hosted agents
If you use Microsoft-hosted agent to run your jobs and you need the information about what IP addresses are used, see Microsoft-hosted agents IP ranges. See all Azure Virtual Machine Scale Set agents.
For more information about hosted Windows, Linux, and macOS agents, see Microsoft-hosted agent IP ranges.
Azure Pipelines Self-hosted agents
If you're running a firewall and your code is in Azure Repos, see Self-hosted Linux agents FAQs, Self-hosted macOS agents FAQs or Self-hosted Windows agents FAQs. This article has information about which domain URLs and IP addresses your private agent needs to communicate with.
Azure DevOps import service
During the import process, we highly recommend that you restrict access to your virtual machine (VM) to only IP addresses from Azure DevOps. To restrict access, allow only connections from the set of Azure DevOps IP addresses, which were involved in the collection database import process. For information about identifying the correct IP addresses, see (Optional) Restrict access to Azure DevOps Services IPs only.
Note
Azure DevOps doesn't natively support allowlisting directly within its settings. However, you can manage allowlisting at the network level using your organization's firewall or proxy settings.