Firewall rules for On-Premise Octopus to Azure

We have an on-premise Octopus server which has no Internet connectivity by default. IT are asking for a list of firewall rules required to deploy our services.

What is required to deploy to Azure (Ports)?
Does anyone know if and when the Azure IP ranges are different between resource groups / subscriptions / regions etc?

We have looked at the IP addresses of some of our services and noticed there is some variance even for the same resource type (i.e. web apps in different resource groups). I’m just wondering if this is a common problem and if there is a recommended strategy to manage this?

Hi Scott,

Thanks for getting in touch.

For Azure web apps / app services, Octopus uses Microsoft WebDeploy to sync packages to Azure. The call that actually does the web-deploy to Azure can be seen in the Calamari source code here.

By default, we believe the Management Service for WebDeploy runs using the HTTPS protocol on port 8172, so as long as you have this port open, Octopus should be able to use WebDeploy to sync your web apps to Azure. For more information, see the “Configure Firewall Exceptions” section of the Microsoft documentation here.

If you’re dealing with Octopus Azure “Cloud Service” deployments, Octopus uses the Azure PowerShell cmdlets (as can be seen here), so you could try and track down which ports you would need to open from the Microsoft PowerShell modules documentation, or just try with the standard 80 and 443 TCP/IP ports open and see if that’s enough to let your cloud-service deployment through.

Hope this helps.

Cheers
Mark
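
A way to confirm the rules from the Octopus server once they are in place, as an added example that is not part of the original posts or of Octopus itself. The host names are placeholders to replace with your own deployment endpoints; the ports are the ones named in the reply above (8172 for WebDeploy, 80 and 443 for cloud-service deployments).

```powershell
# Added example. Host names are placeholders (assumptions), not values from the thread.
$targets = @(
    @{ Host = 'webapp.example.invalid';       Ports = @(8172) }     # WebDeploy target (placeholder)
    @{ Host = 'cloudservice.example.invalid'; Ports = @(80, 443) }  # cloud-service endpoint (placeholder)
)

# Attempt an outbound TCP connection with a timeout, so a silently
# dropped packet at the firewall does not hang the script.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $client.Connected
    } catch {
        return $false   # refused, reset, or name not resolvable
    } finally {
        $client.Close()
    }
}

$results = foreach ($t in $targets) {
    # Record the addresses the name resolves to right now; comparing runs over
    # time shows whether rules pinned to specific IPs would go stale.
    $ips = try {
        ([System.Net.Dns]::GetHostAddresses($t.Host) |
            ForEach-Object { $_.IPAddressToString }) -join ', '
    } catch { 'unresolved' }

    foreach ($p in $t.Ports) {
        [pscustomobject]@{
            Host      = $t.Host
            Resolved  = $ips
            Port      = $p
            Reachable = Test-TcpPort -HostName $t.Host -Port $p
        }
    }
}

$results | Format-Table -AutoSize
```

A row with `Reachable` set to `False` points at a missing outbound rule (or an unresolved name) for that host and port.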