GitHub Actions IP Ranges for whitelisting on Azure VM

[inspiroz-insights]

Why are you starting this discussion?

Question

What GitHub Actions topic or product is this about?

Actions Runner

Discussion Details

I have an Azure Ubuntu VM on which I have deployed my frontend as well as backend. In order to deploy the latest code from GitHub to Azure VM, I had to manually run some steps each time, which was a pain for me. So I wrote a yml file to automate this process with the help of GitHub Actions, but the script is unable to access the VM because the IP of GitHub Actions Runner changes everytime it runs. I found GitHub Actions IP Ranges on GitHub API. But after whitelisting 4000 IP Ranges, I hit the limit to add more IP Ranges, there are approximately 6000 IP Ranges listed. I want to know if there is any better way to implement this thing. If anyone could help me with this, it'll be really appreciated.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[holograph]

I ended implementing this without an allow list:

• GitHub Actions runner runs using a dedicated service principal (=user managed identity);
• On Azure, set up a dedicated public IP, network interface and network security group with a null SSH inbound rule (I used an IP address from one of the test ranges to bootstrap this). Make sure you associate your VM with these;
• Add the GHA service principal as a Network Contributor scoped to the above network security group;
• On GHA, add a preliminary step to replace the placeholder rule with the runner's IP. Don't forget to add a concurrency marker so runners won't run each other over; it should be pretty easy to expand this to support multiple concurrent runners, but it wasn't necessary in my use case.

I ended up with a GHA workflow that includes roughly this:

concurrency:
  group: my-group
  cancel-in-progress: true

jobs:
  my-job:
    runs-on: ubuntu-latest
    steps:
      - name: Login to Azure
        uses: azure/login@v2
        with:
          # ...

      - name: Discover GitHub runner IP address
        id: ip
        uses: haythem/public-ip@v1.3

      - name: Add GitHub runner IP address to Bastion allowlist
        uses: azure/cli@v2
        with:
          inlineScript: |
            az network nsg rule update \
              --ids "${{ secrets.BASTION_NSG_RULE_ID }}" \
              --source-address-prefixes "${{ steps.ip.outputs.ipv4 }}/32"

[krishparmar22242]

Hey! I saw your post about the Azure VM and the 6,000 IP ranges. That is definitely the 'hard way' to do it! Whitelisting the entire GitHub IP range is a security risk and, as you saw, Azure blocks it anyway.
Here is the proper professional fix:
Switch to a 'Self-Hosted Runner'.
Instead of GitHub trying to 'talk' to your VM, you install a tiny GitHub agent on your Ubuntu VM that 'listens' for changes.
Go to Repo Settings > Actions > Runners and click 'New self-hosted runner'.
Run the commands they give you directly on your Azure VM.
Update your .yml file to say runs-on: self-hosted.
The Magic: Because the runner is now inside your VM, it doesn't need an IP whitelist at all. It just works instantly, and it’s way more secure because you can close those SSH ports to the public internet entirely.
If you absolutely must use GitHub-hosted runners, look into 'Azure Service Tags'—it's a single checkbox in Azure that whitelists GitHub's entire range automatically without you having to paste thousands of IPs! Hope that saves you some sanity!

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬