Add rules to allow access to login.microsoftonline.com
Without these rules the action/login will fail, so your workflows will not be able to do much. If you're working with containers, this also affects docker/login-action.
Why:
Adding the three rules allows access to login.microsoftonline.com, which is necessary for the action azure/login@v2 to work. Otherwise it's blocked. This also fixes the same problem for docker/login-action.
FWIW, the following is also useful and might possibly be added somewhere in the documentation, along with some instructions to add additional rules to support access to specific external resources. AllowDockerRegistryAndNpmOutbound is necessary to allow the job to reach registry-1.docker.io and production.cloudflare.docker.com to pull docker images, and registry.npmjs.org for npm install.
```bicep
{
  name: 'AllowDockerRegistryAndNpmOutbound'
  properties: {
    protocol: 'TCP'
    sourcePortRange: '*'
    destinationPortRange: '443'
    destinationAddressPrefix: '*'
    access: 'Allow'
    priority: 130
    direction: 'Outbound'
    destinationAddressPrefixes: [
      '54.227.20.253'
      '104.16.101.215'
      '104.16.29.34'
    ]
  }
}
```
Closes:
https://github.com/Azure/login/issues/439
What's being changed (if available, include any code snippets, screenshots, or gifs):
Added the following rules to the bicep file definition:
```bicep
{
  name: 'AllowAzureCloudOutbound'
  properties: {
    protocol: 'TCP'
    sourcePortRange: '*'
    destinationPortRange: '443'
    destinationAddressPrefix: 'AzureCloud'
    access: 'Allow'
    priority: 100
    direction: 'Outbound'
    destinationAddressPrefixes: []
  }
}
{
  name: 'AllowAzureADOutbound'
  properties: {
    protocol: 'TCP'
    sourcePortRange: '*'
    destinationPortRange: '443'
    destinationAddressPrefix: 'AzureActiveDirectory'
    access: 'Allow'
    priority: 110
    direction: 'Outbound'
    destinationAddressPrefixes: []
  }
}
{
  name: 'AllowAzureFrontDoorOutbound'
  properties: {
    protocol: 'TCP'
    sourcePortRange: '*'
    destinationPortRange: '443'
    destinationAddressPrefix: 'AzureFrontDoor.Frontend'
    access: 'Allow'
    priority: 120
    direction: 'Outbound'
    destinationAddressPrefixes: []
  }
}
```
Check off the following:
- [x] I have reviewed my changes in staging, available via the View deployment link in this PR's timeline (this link will be available after opening the PR).
  - For content changes, you will also see an automatically generated comment with links directly to pages you've modified. The comment won't appear if your PR only edits files in the data directory.
- [x] For content changes, I have completed the self-review checklist.
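Added example, not part of the pull request or the GitHub docs: a small review lint over the four outbound rules posted above, flagging settings a reviewer of an egress allow-list would want to look at twice. The dict layout, the short keys `prefix`/`prefixes` and the finding names are assumptions of this example; the rule names, priorities and destinations are copied from the description.

```python
import ipaddress

# Rules as posted in the pull request description above. The dict layout and the
# short keys "prefix"/"prefixes" (for destinationAddressPrefix/-Prefixes) are
# assumptions of this example. All four rules are Allow / Outbound / TCP 443.
def rule(name, priority, prefix, prefixes=()):
    return {"name": name, "priority": priority, "direction": "Outbound",
            "access": "Allow", "prefix": prefix, "prefixes": list(prefixes)}

RULES = [
    rule("AllowAzureCloudOutbound", 100, "AzureCloud"),
    rule("AllowAzureADOutbound", 110, "AzureActiveDirectory"),
    rule("AllowAzureFrontDoorOutbound", 120, "AzureFrontDoor.Frontend"),
    rule("AllowDockerRegistryAndNpmOutbound", 130, "*",
         ["54.227.20.253", "104.16.101.215", "104.16.29.34"]),
]

def is_literal_ip(value):
    """True for an IP address or CIDR block, False for '*' or a service tag."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def lint(rules):
    """Return (rule name, finding) pairs in rule order."""
    findings, seen = [], set()
    for r in rules:
        dests = [d for d in [r["prefix"], *r["prefixes"]] if d]
        slot = (r["direction"], r["priority"])
        if slot in seen:  # priorities must be unique per direction
            findings.append((r["name"], "duplicate-priority"))
        seen.add(slot)
        if r["prefix"] and r["prefixes"]:  # intended scope is ambiguous
            findings.append((r["name"], "both-prefix-fields-set"))
        if r["access"] == "Allow" and "*" in dests:  # opens the port to any host
            findings.append((r["name"], "wildcard-destination"))
        if any(is_literal_ip(d) for d in dests):  # pinned address, re-check over time
            findings.append((r["name"], "literal-ip"))
    return findings

if __name__ == "__main__":
    for name, finding in lint(RULES):
        print(f"{name}: {finding}")
```

The three service-tag rules pass cleanly; only the Docker/npm rule is flagged, because it combines a `'*'` prefix with a list of fixed addresses.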
Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
Automatically generated comment ℹ️
This comment is automatically generated and will be overwritten every time changes are committed to this branch.
The table contains an overview of files in the content directory that have been changed in this pull request. It's provided to make it easy to review your changes on the staging site. Please note that changes to the data directory will not show up in this table.
Content directory changes
You may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.
fpt: Free, Pro, Team | ghec: GitHub Enterprise Cloud | ghes: GitHub Enterprise Server
@stan-spotts Thanks so much for opening a PR! I'll get this triaged for review ✨
Thanks for opening a pull request! We've triaged this issue for technical review by a subject matter expert 👀
👋 @stan-spotts chiming in from the Actions product team. Thank you for submitting this PR. We have plans to add specific networking guides in the next few months and will include your content at that time. Meanwhile, we will add a note to our documentation indicating that the existing Bicep file represents the minimum set of rules. For now, we will close this pull request and will notify you when it is included in a future documentation update.