Setting Up a Self-Hosted Azure DevOps Build Agent Without Internet Access

Описание: Learn how to configure a self-hosted build agent for Azure DevOps that uses a pull mechanism, keeping your local server secure and out of the DMZ.
---
This video is based on the question https://stackoverflow.com/q/77218925/ asked by the user 'TravelingFox' ( https://stackoverflow.com/u/1407842/ ) and on the answer https://stackoverflow.com/a/77219750/ provided by the user 'Daniel Mann' ( https://stackoverflow.com/u/781754/ ) at 'Stack Overflow' website. Thanks to these great users and Stackexchange community for their contributions.

Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: Self-hosted Azure DevOps build agent with "pull" instead of "push" mechanism (no DMZ)?

Also, Content (except music) licensed under CC BY-SA https://meta.stackexchange.com/help/l...
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license.

If anything seems off to you, please feel free to write me at vlogize [AT] gmail [DOT] com.
---
Setting Up a Self-Hosted Azure DevOps Build Agent Without Internet Access

In modern software development, enforcing security while maintaining continuous integration (CI) practices can be quite challenging. One common scenario developers face is establishing a Continuous Integration pipeline from Azure DevOps to a local server that isn't exposed to the internet. Many organizations prefer to keep their build agents secure, avoiding any exposure in the DMZ (demilitarized zone). This raises a crucial question: how can you set up a self-hosted Azure DevOps build agent that pulls updates instead of being pushed by Azure DevOps?

In this guide, we'll explore how to effectively set up a build agent in such an environment while ensuring security and functionality.

Understanding the Build Agent Mechanism

To clarify your concerns, it's important to realize how Azure DevOps build agents function fundamentally. Contrary to what some developers might think, these agents do not require incoming traffic from Azure DevOps; instead, they operate on a polling mechanism.

Here’s how the build agent works:

Polling: The agent periodically checks with the Azure DevOps server for any new commits.

Outbound Communication: It requires an open outbound connection to Azure DevOps over port 443 (the standard for HTTPS), enabling it to communicate back and forth securely.

No Inbound Requirement: There is no need for any incoming ports to be open, ensuring you can keep your local server isolated from public access.

Steps to Configure Your Self-Hosted Build Agent

Now that we understand the underlying mechanism, let’s dive into the steps required to set up your self-hosted Azure DevOps build agent effectively. Follow these instructions:

1. Prepare Your Environment

Hardware and Software: Ensure that you have a server ready with a compatible operating system for the Azure DevOps agent (Windows or Linux).

Network Requirements: Confirm that outbound access to port 443 is allowed from your local server to Azure DevOps.

2. Download the Build Agent Package

Go to your Azure DevOps organization.

Choose Project Settings Agent pools Default (or create a new pool).

Click on New agent and follow the instructions to download the agent package for your operating system.

3. Configure the Build Agent

Extract the downloaded agent package.

Open a command prompt (or terminal) and navigate to the agent directory.

Run the configuration command provided in the Azure DevOps documentation.

You will need your Azure DevOps PAT (Personal Access Token) for authentication during this process.

4. Run the Build Agent

Once configured, start the agent.

You can run it interactively or set it up as a service to run in the background.

5. Verify the Setup

Check your Azure DevOps portal to make sure the agent appears under the selected pool.

Trigger a build to test that the agent can successfully retrieve and execute jobs.

Conclusion

By following the above steps, you can successfully set up a self-hosted Azure DevOps build agent that operates on a pull mechanism, ensuring your local server remains secure and untouched by any direct internet traffic. This configuration not only helps maintain security protocols but also provides the flexibility needed for CI pipelines.

If you happen to run into any specific issues during the configuration, don’t hesitate to seek further assistance or clarify your queries, as pinpoint issues can require a more focused troubleshooting approach.

With this guide, you can enhance your DevOps practices while keeping your infrastructure safe and sound. Happy coding!