DEV Community

Kohei Kawata

Virtual Network architecture 7 - Self-hosted agent

Summary

This article is Part 7 of the virtual network architecture series. I will share how the Azure Pipelines self-hosted agent in Docker works in the sample template api-management-vnet.

Azure Container Instance

Before I tried the self-hosted agent myself, I thought a self-hosted agent running on Azure Container Instance was totally isolated from the Internet. And I was wondering how the self-hosted agent could access Azure Repos to get the updated code to deploy to services inside the virtual network. However, now I know Azure Container Instance is not isolated from the Internet at all. Below are some tips I found through my experience.

  • Only outbound traffic from Azure Container Instance needs to be considered. The self-hosted agent therefore does not need a Private Endpoint, because Private Endpoint is only for inbound traffic.
  • As with other Azure PaaS resources, a self-hosted agent in Docker running on Azure Container Instance has a public IP address. You have to protect Azure Container Instance in some way, for example as described in "Configure a single public IP address for outbound and inbound traffic to a container group".
  • You can see which runtime the self-hosted agent installs by reading start.ps1 in "Create and build the Dockerfile for Windows", for example. The runtime controls the outbound traffic from the Azure Container Instance, and you do not need to take care of it.
