Does “Allow Azure services and resources to access this server” cover GitHub Actions workflows?

There is a famous option in Azure Firewall settings labeled:

Allow Azure services and resources to access this server

According to the UI hint, “This option configures the firewall to allow connections from IP addresses allocated to any Azure service or asset, including connections from the subscriptions of other customers.”

I’ve seen this option confuse my team members many times. It might be because people find it not specific enough (what is an Azure service or asset?). Or maybe, it’s just a bit hard to believe that a firewall allows opening gates to all Azure customers with a single checkbox.

Is GitHub an Azure service?

When I was building GitHub Actions Workflow, I had to additionally ask myself: does this firewall exemption cover GitHub Agents too?

GitHub is a separate product from Azure, yet it was bought by Microsoft some time ago. Also, I know that the infrastructure of Azure DevOps and GitHub is similar and probably shared to some degree.

The short answer is: Yes. This checkbox will also allow access from GitHub Workflow agents.

It was a bit hard to confirm if we can assume that and rely on it, but here are several sources to back this information:

Source 1: mention in the documentation

(…) Windows and Ubuntu runners are hosted in Azure and subsequently have the same IP address ranges as the Azure datacenters. macOS runners are hosted in GitHub’s own macOS cloud.

Source: Docs, “About GitHub-hosted Runners”

Source 1: community forums

If the Azure SQL is configured to allow access to Azure Services, that should be enough [to deploy database to Azure using GitHub CI/CD].

Source: Community thread, “GitHub CI/CD and the “deny public network access” setting”

Source 3: my own experience

And last but not least, my personal experience. I ran the azure/sql-action@v1 Action in a GitHub Workflow against an Azure SQL server with a firewall enabled (with the mentioned checkbox ticked), and it was able to deploy it.

By the way, if you are tempted to maintain a list of GitHub IP addresses in your firewall configuration by yourself, be warned that the GitHub IP address list is very long and:

Since there are so many IP address ranges for GitHub-hosted runners, we do not recommend that you use these as allow-lists for your internal resources. The list of GitHub Actions IP addresses returned by the API is updated once a week.

Source: Docs, “About GitHub-hosted Runners”

Thoughts and comments

This is useful for those using GitHub Actions to deploy to Azure. At the same time, it is hard not to notice that this single checkbox is a big hole punched in the firewall that allows everyone using Azure infrastructure to contact your server.

Leave a Comment