Deploying to Azure via a firewall

All the Azure steps in Octopus are executed from the VM where the Octopus Server is running. So to able to successfully deploy to the Microsoft cloud, you need to make sure your Octopus Server can reach it through the network.

To check you can reach Microsoft cloud through your network, run this script on the same machine using an account with the same permissions as your Octopus Server.

You might need to install Azure Powershell before running this script. For information, see Install the Azure PowerShell module.

$ErrorActionPreference = "Stop"

$OctopusAzureADTenantId = #Enter TenantId here
$OctopusAzureSubscriptionId = #Enter SubscriptionId here
$OctopusAzureADClientId = #Enter ClientId here
$OctopusAzureADPassword = #Enter Secret here
$OctopusAzureEnvironment = "AzureCloud"

$securePassword = ConvertTo-SecureString $OctopusAzureADPassword -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ($OctopusAzureADClientId, $securePassword)
$AzureEnvironment = Get-AzEnvironment -Name $OctopusAzureEnvironment

Connect-AzAccount -Credential $creds -TenantId $OctopusAzureADTenantId -SubscriptionId $OctopusAzureSubscriptionId -Environment $AzureEnvironment -ServicePrincipal


If everything is working as expected, you will see output showing all the Azure Resource Groups you have access to:

Screenshot of Azure Resource Groups

If you need to add firewall exclusions to an allow list, here are a few things to take into consideration:

  • Figure out which Azure Data Centers you will be targeting.
  • Figure out which Azure services you will be targeting in those Data Centers.
  • Configure an allow list from the Octopus Server to the appropriate IP Address Ranges.

Download the latest list of IP Address Ranges from the Microsoft Download Center (updated weekly).

Learn more

Help us continuously improve

Please let us know if you have any feedback about this page.

Send feedback

Page updated on Sunday, January 1, 2023