
Add rules to allow access to login.microsoftonline.com #32764

Open · wants to merge 1 commit into base: main

Conversation

stan-spotts commented May 1, 2024

Without these rules the action/login will fail, so your workflows will not be able to do much. If you're working with containers, this also affects docker/login-action.

Why:

Adding the three rules allows access to login.microsoftonline.com, which is necessary for the action azure/login@v2 to work. Otherwise it's blocked. This also fixes the same problem for docker/login-action.

FWIW, the following is also useful and might possibly be added somewhere in the documentation, along with some instructions to add additional rules to support access to specific external resources. AllowDockerRegistryAndNpmOutbound is necessary to allow the job to reach registry-1.docker.io and production.cloudflare.docker.com to pull docker images, and registry.npmjs.org for npm install.

      {
        name: 'AllowDockerRegistryAndNpmOutbound'
        properties: {
          protocol: 'TCP'
          sourcePortRange: '*'
          destinationPortRange: '443'
          access: 'Allow'
          priority: 130
          direction: 'Outbound'
          // An NSG rule may set destinationAddressPrefix or destinationAddressPrefixes, not both;
          // the singular '*' has been dropped so the explicit list below is what takes effect.
          // These literal addresses are as posted; CDN-fronted registries change addresses, so re-check them.
          destinationAddressPrefixes: [
            '54.227.20.253'
            '104.16.101.215'
            '104.16.29.34'
          ]
        }
      }

Closes:

Azure/login#439

What's being changed (if available, include any code snippets, screenshots, or gifs):

Added the following rules to the bicep file definition:

      {
        name: 'AllowAzureCloudOutbound'
        properties: {
          protocol: 'TCP'
          sourcePortRange: '*'
          destinationPortRange: '443'
          destinationAddressPrefix: 'AzureCloud'
          access: 'Allow'
          priority: 100
          direction: 'Outbound'
          destinationAddressPrefixes: []
        }
      }
      {
        name: 'AllowAzureADOutbound'
        properties: {
          protocol: 'TCP'
          sourcePortRange: '*'
          destinationPortRange: '443'
          destinationAddressPrefix: 'AzureActiveDirectory'
          access: 'Allow'
          priority: 110
          direction: 'Outbound'
          destinationAddressPrefixes: []
        }
      }
      {
        name: 'AllowAzureFrontDoorOutbound'
        properties: {
          protocol: 'TCP'
          sourcePortRange: '*'
          destinationPortRange: '443'
          destinationAddressPrefix: 'AzureFrontDoor.Frontend'
          access: 'Allow'
          priority: 120
          direction: 'Outbound'
          destinationAddressPrefixes: []
        }
      }

Check off the following:

  • I have reviewed my changes in staging, available via the View deployment link in this PR's timeline (this link will be available after opening the PR).

    • For content changes, you will also see an automatically generated comment with links directly to pages you've modified. The comment won't appear if your PR only edits files in the data directory.
  • For content changes, I have completed the self-review checklist.

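A pre-flight check on rules of this shape catches the mistakes Azure would reject at deploy time, and the one it would silently accept. The script below is an added example for this discussion, not code from the PR or from the GitHub docs Bicep template; it mirrors the Bicep properties above as Python dicts, flags the conflict in the posted Docker/npm rule (both the singular and the plural destination field set), rejects duplicate priorities and any-destination Allow rules, and warns when no catch-all Deny follows the Allow rules, because Azure's built-in AllowInternetOutBound rule (priority 65001) otherwise permits all other egress. The `DenyAllOtherOutbound` rule is a constructed placeholder for whatever catch-all the surrounding template provides.

```python
"""Pre-flight checks for Azure NSG security rules in the shape of the Bicep
snippets above. Added example; not part of the PR or the docs template.
The DenyAllOtherOutbound catch-all is constructed sample data."""
from __future__ import annotations

from collections import Counter


def service_tag_rule(name: str, tag: str, priority: int) -> dict:
    """Outbound TCP/443 Allow rule to a service tag, mirroring the PR's rules."""
    return {
        "name": name,
        "protocol": "TCP",
        "sourcePortRange": "*",
        "destinationPortRange": "443",
        "destinationAddressPrefix": tag,
        "access": "Allow",
        "priority": priority,
        "direction": "Outbound",
        "destinationAddressPrefixes": [],
    }


# The three rules the PR adds, transcribed from Bicep into dicts.
PR_RULES = [
    service_tag_rule("AllowAzureCloudOutbound", "AzureCloud", 100),
    service_tag_rule("AllowAzureADOutbound", "AzureActiveDirectory", 110),
    service_tag_rule("AllowAzureFrontDoorOutbound", "AzureFrontDoor.Frontend", 120),
]

# The Docker/npm rule as posted in the PR description: it sets both the
# singular and the plural destination field, which Azure rejects on deploy.
DOCKER_RULE_AS_POSTED = {
    "name": "AllowDockerRegistryAndNpmOutbound",
    "protocol": "TCP",
    "sourcePortRange": "*",
    "destinationPortRange": "443",
    "destinationAddressPrefix": "*",
    "access": "Allow",
    "priority": 130,
    "direction": "Outbound",
    "destinationAddressPrefixes": ["54.227.20.253", "104.16.101.215", "104.16.29.34"],
}

# Constructed catch-all deny (not in the PR). Without one, the built-in
# AllowInternetOutBound rule (priority 65001) permits all other egress.
DENY_ALL_OTHER_OUTBOUND = {
    "name": "DenyAllOtherOutbound",
    "protocol": "*",
    "sourcePortRange": "*",
    "destinationPortRange": "*",
    "destinationAddressPrefix": "*",
    "access": "Deny",
    "priority": 4000,
    "direction": "Outbound",
    "destinationAddressPrefixes": [],
}


def fixed_docker_rule() -> dict:
    """The posted Docker/npm rule with the conflict removed: keep the explicit
    IP list and leave the singular field empty (the PR's rules do the reverse)."""
    rule = dict(DOCKER_RULE_AS_POSTED)
    rule["destinationAddressPrefix"] = ""
    return rule


def validate_rules(rules: list[dict]) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    for r in rules:
        single = r.get("destinationAddressPrefix") or ""
        multi = r.get("destinationAddressPrefixes") or []
        if single and multi:
            findings.append(f"{r['name']}: set destinationAddressPrefix or "
                            "destinationAddressPrefixes, not both (Azure rejects the rule)")
        elif not single and not multi:
            findings.append(f"{r['name']}: no destination prefix given")
        if not 100 <= r["priority"] <= 4096:
            findings.append(f"{r['name']}: priority {r['priority']} is outside 100-4096")
        # An Allow rule whose only destination is '*' or 'Internet' is an
        # any-destination hole, whatever its name claims to allow.
        if (r["access"] == "Allow" and r["direction"] == "Outbound"
                and single in ("*", "Internet") and not multi):
            findings.append(f"{r['name']}: Allow to any destination on port(s) "
                            f"{r['destinationPortRange']}; narrow it to a tag or prefixes")
    # Priorities must be unique per direction; a collision fails the deployment.
    for (direction, prio), n in Counter((r["direction"], r["priority"]) for r in rules).items():
        if n > 1:
            findings.append(f"{direction} priority {prio} is used by {n} rules")
    allows = [r["priority"] for r in rules if r["direction"] == "Outbound" and r["access"] == "Allow"]
    denies = [r["priority"] for r in rules if r["direction"] == "Outbound" and r["access"] == "Deny"]
    if allows and not any(d > max(allows) for d in denies):
        findings.append("no Deny Outbound rule follows the Allow rules; the default "
                        "AllowInternetOutBound rule (priority 65001) will permit all other egress")
    return findings


if __name__ == "__main__":
    for label, ruleset in [
        ("PR rules + catch-all deny", PR_RULES + [DENY_ALL_OTHER_OUTBOUND]),
        ("with Docker rule as posted", PR_RULES + [DOCKER_RULE_AS_POSTED, DENY_ALL_OTHER_OUTBOUND]),
        ("with Docker rule fixed", PR_RULES + [fixed_docker_rule(), DENY_ALL_OTHER_OUTBOUND]),
    ]:
        print(label, "->", validate_rules(ruleset) or "OK")
```

Run it as a script and the second rule set reports the conflict in the posted Docker/npm rule while the other two come back clean; feeding it only the PR's three Allow rules reports the missing catch-all, which is the case to look for when a template is trimmed down and the Allow list quietly stops restricting anything.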

welcome bot commented May 1, 2024

Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

github-actions bot added the label "triage" (Do not begin working on this issue until triaged by the team) on May 1, 2024

github-actions bot commented May 1, 2024

Automatically generated comment ℹ️

This comment is automatically generated and will be overwritten every time changes are committed to this branch.

The table contains an overview of files in the content directory that have been changed in this pull request. It's provided to make it easy to review your changes on the staging site. Please note that changes to the data directory will not show up in this table.


Content directory changes

You may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.

Source | Preview | Production | What Changed
admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise.md | ghec | ghec | from reusable
organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization.md | fpt | fpt | from reusable

fpt: Free, Pro, Team
ghec: GitHub Enterprise Cloud
ghes: GitHub Enterprise Server

nguyenalex836 added the labels "content" (This issue or pull request belongs to the Docs Content team), "actions" (This issue or pull request should be reviewed by the docs actions team) and "waiting for review" (Issue/PR is waiting for a writer's review), and removed "triage" (Do not begin working on this issue until triaged by the team), on May 1, 2024

nguyenalex836 (Contributor) commented:

@stan-spotts Thanks so much for opening a PR! I'll get this triaged for review ✨
