Dev Box Pools
- Glenn Atter
- Nov 24, 2025
- 4 min read
Azure DevOps offers 1,800 free minutes per month for Microsoft-hosted build agents, making it an excellent starting point for small projects or initial experimentation. However, these agents operate on public infrastructure outside your Azure environment, which can pose challenges for organizations with stringent security needs, custom performance demands, or specialized software requirements. For instance, they provide limited disk space (typically 10 GB), lack direct access to private resources without complex configurations, and use dynamic, shared IP ranges that complicate firewall rules.
In the past, addressing these limitations required deploying self-hosted agents on custom virtual machines (VMs) or using Azure Virtual Machine Scale Sets (VMSS). While VMSS offered better scalability and automation, it still demanded significant effort, such as building and maintaining custom images (as seen in repositories like GitHub's actions/runner-images). This complexity often led to higher operational overhead and potential security gaps if not managed properly. It is also a barrier to adoption, causing many organisations to stay with custom virtual machine agents. From a security standpoint, those build agents are typically left alone: unmaintained, unpatched and definitely not monitored.
This landscape has evolved dramatically with the introduction of Managed DevOps Pools, a fully managed service that became generally available in November 2024. Managed DevOps Pools build on the foundation of VMSS agents but offload infrastructure management to Microsoft, allowing teams to create tailored agent pools with minimal effort. Agents run in Microsoft's Azure subscription, ensuring best-practice security and reliability, while offering customization options like prebuilt or custom images. This service empowers development teams to provision agents that are scalable, region-specific, and optimized for CI/CD workloads, supporting up to thousands of agents with automatic scaling.
From a security standpoint, several features stand out, enhancing control and compliance:
Custom Virtual Networks (VNets): Although fully managed by Microsoft, these pools can be integrated into your existing Azure VNet, enabling secure access to private resources via private endpoints, ExpressRoute, or company-specific firewall rules. This isolation prevents exposure to the public internet, a common issue with hosted agents. To set this up, delegate a dedicated subnet to the Microsoft.DevOpsInfrastructure/pools service, ensuring it has sufficient IP space (accounting for Azure's 5 reserved IPs per subnet). The pool and VNet must reside in the same region to avoid errors.
NAT Gateways and IP Control: By associating a NAT gateway with your VNet, you gain precise control over outbound IP addresses, facilitating allowlisting in external systems. As of September 30, 2025, new Managed DevOps Pools will include a NAT gateway by default, which may introduce additional Azure costs but simplifies secure outbound communications. Additionally, starting May 1, 2025, outbound access to Akamai IP ranges is required for Azure DevOps CDN assets, due to a transition to Akamai and Azure Front Door for improved delivery. Agent IP addresses are now visible in pipeline logs during the "Initialize job" step, aiding troubleshooting.
Managed Identities: Each pool supports system-assigned managed identities, which can be granted Azure RBAC roles to securely access resources like Azure Key Vault for secrets or certificates. This eliminates the need for stored credentials on agents, adhering to least-privilege principles. Integration with Key Vault allows fetching trusted root certificates during provisioning, further bolstering security.
Multiple Pools for Granular Access: You can create numerous pools, each configured for specific projects, teams, or environments (e.g., dev, staging, prod). This enables fine-grained control over resource access and permissions. As of April 2025, pools can be set to "open access" for all pipelines, simplifying authorization without explicit per-pipeline approvals. Pools can also be moved between resource groups or subscriptions for better organization.
Beyond security, Managed DevOps Pools introduce several enhancements for performance and usability. Agents can maintain state for up to seven days to leverage cache hits for faster builds, and they support long-running workflows of up to two days (extendable via support request). Scaling is automatic, with options for stateless (fresh VM per job) or stateful configurations. Image options include mirroring Microsoft-hosted agents' software, using Azure Marketplace images, or custom ones from Azure Compute Gallery, with Ubuntu 24.04 support added in late 2024. Proxy support lets agent traffic be routed through your own proxy, and data disks can be attached for expanded storage without upsizing VM SKUs.
The creation process is remarkably streamlined through the Azure portal, Bicep or Terraform. Prerequisites include registering the Microsoft.DevOpsInfrastructure resource provider in your subscription and checking region availability, which has expanded to include Sweden Central, Brazil South, Japan East, UAE North, Korea Central, and Norway East as of November 2024. For networking, grant the DevOpsInfrastructure service principal the Reader and Network Contributor roles (or a custom role with specific permissions) on the VNet.
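The networking prerequisites described above (dedicated delegated subnet with room for Azure's reserved IPs, NAT gateway for a fixed outbound address, and Reader plus Network Contributor scoped to the VNet only) as a Bicep template. This is an added example, not code from the post; the resource names, address ranges and the devOpsInfraPrincipalId parameter are assumptions, and the principal id must be looked up in your own tenant.

```bicep
// Added example, not from the post. devOpsInfraPrincipalId: tenant-specific object id of the DevOpsInfrastructure service principal (assumed).
param location string = resourceGroup().location
param devOpsInfraPrincipalId string
// Static public IP behind a NAT gateway: one fixed egress address to allowlist.
resource natIp 'Microsoft.Network/publicIPAddresses@2023-11-01' = {
  name: 'pip-nat-build-agents'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}
resource natGw 'Microsoft.Network/natGateways@2023-11-01' = {
  name: 'nat-build-agents'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIpAddresses: [ { id: natIp.id } ] }
}
// Dedicated /24 (251 usable after Azure's 5 reserved IPs) delegated to the pools service; the pool must be created in this same region.
resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
  name: 'vnet-build-agents'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.50.0.0/16' ] }
    subnets: [
      {
        name: 'snet-agents'
        properties: {
          addressPrefix: '10.50.1.0/24'
          natGateway: { id: natGw.id }
          delegations: [
            { name: 'devopspools', properties: { serviceName: 'Microsoft.DevOpsInfrastructure/pools' } }
          ]
        }
      }
    ]
  }
}
// Reader and Network Contributor (built-in role definition ids), scoped to this VNet only.
var roleIds = [
  'acdd72a7-3385-48ef-bd42-f606fba81ae7' // Reader
  '4d97b98b-1d4f-4787-a291-c67834d212e7' // Network Contributor
]
resource vnetRoles 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleId in roleIds: {
  name: guid(vnet.id, devOpsInfraPrincipalId, roleId)
  scope: vnet
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
    principalId: devOpsInfraPrincipalId
    principalType: 'ServicePrincipal'
  }
}]
```

Pass the subnet's resource id to the pool's network profile when you create it; keeping the role assignments at VNet scope rather than subscription scope is what keeps the service principal's reach to the network it actually needs.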
Looking ahead, the 2025 roadmap includes cost-saving features like Spot VM instances (up to 90% savings for non-critical pipelines), manual agent purging, project-level pool creation, and public static IPs. Log analytics integration for KQL-based monitoring is planned for September 2025, along with service tags for outbound traffic. In comparison to alternatives:
- Microsoft-Hosted Agents: Simple but limited in customization and security.
- Self-Hosted Agents: Fully controllable but high-maintenance.
- VMSS Agents: Scalable but require user-managed infrastructure; migration to Managed DevOps Pools is recommended for ease.
Overall, Managed DevOps Pools represent a pivotal advancement, reducing complexity while amplifying security and scalability for Azure DevOps users.