We have a requirement to restrict the Azure DevOps service to only our Azure Virtual Desktop environment.
We have deployed Azure AD Premium P2 with conditional access restricting to an internal IP range, but the problem is that while using Azure Virtual Desktop the outgoing public IP is dynamic. We don't want to use a NAT Gateway.
Is there any alternative using conditional access policy to restrict DevOps? Please help.
Thanks
Maybe not the best solution, but you can narrow the list of IPs by region using this dynamically updated list of IPs: https://www.microsoft.com/en-us/download/details.aspx?id=56519.
e.g. for WEU it is:
However, I agree with @jamiecon: NAT GW and you're good to go.
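An added example, not part of the original answer: one way to pull a single region's IPv4 prefixes out of the downloaded Service Tags JSON file, collapse them, and diff two releases so an IP-based conditional access location can be kept current. The sample documents are constructed with documentation prefixes rather than real Azure ranges, the helper names are hypothetical, and the tag name `AzureCloud.westeurope` is assumed to be the West Europe entry in the file.

```python
import ipaddress

# Constructed samples in the layout of the Service Tags JSON file. The prefixes
# are documentation ranges (RFC 5737 / RFC 3849), not real Azure addresses.
def _doc(change, prefixes):
    return {"changeNumber": change, "cloud": "Public", "values": [
        {"name": "AzureCloud.westeurope",
         "properties": {"region": "westeurope", "addressPrefixes": prefixes}}]}

OLD = _doc(1, ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24", "2001:db8::/32"])
NEW = _doc(2, ["192.0.2.0/25", "192.0.2.128/25", "203.0.113.0/24", "2001:db8::/32"])

def region_prefixes(doc, tag, version=4):
    """Return the collapsed networks of one IP version for a service tag."""
    for entry in doc["values"]:
        if entry["name"].lower() == tag.lower():
            nets = (ipaddress.ip_network(p)
                    for p in entry["properties"]["addressPrefixes"])
            # collapse_addresses rejects mixed versions, so filter first.
            return list(ipaddress.collapse_addresses(
                n for n in nets if n.version == version))
    raise KeyError(f"service tag {tag!r} not in file")

def diff_prefixes(old, new):
    """Return (added, removed) networks between two releases of the file."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))

def covers(prefixes, ip):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)

if __name__ == "__main__":
    tag = "AzureCloud.westeurope"
    old, new = region_prefixes(OLD, tag), region_prefixes(NEW, tag)
    added, removed = diff_prefixes(old, new)
    print("current:", [str(n) for n in new])
    print("add to location:", [str(n) for n in added])
    print("remove from location:", [str(n) for n in removed])
```

The regional ranges are shared by every Azure customer in that region, so a match narrows the source network but does not identify your own session hosts.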