Using Spacelift with private Azure Storage Accounts and IP restrictions

Last updated: September 9, 2025

When working with Azure Storage Accounts that have network access restrictions or private endpoints, you may encounter 403 errors when using Spacelift's public worker pool.

Understanding Spacelift IP addresses

The IP addresses returned by the spacelift_ips data source include only Spacelift's outgoing IPs from the "mothership"; they do not cover the IPs of workers in the public worker pool. As a result, you cannot whitelist specific IP addresses for public workers to access your private Azure Storage Account.

Recommended solution: Private worker pools

If you need requests during your runs to come from a specific set of known IP addresses, the recommended approach is to set up a private worker pool. Private worker pools provide:

  • More control over network configuration

  • Isolation for your workloads

  • Predictable IP addresses that can be whitelisted

  • Better integration with private cloud resources
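
The setup described above, as an added Terraform example that is not Spacelift's own configuration: the storage account firewall admits only a private worker pool's known addresses, and the output shows the mothership addresses that spacelift_ips returns. The variable names, resource labels and the assumption that your private workers egress through fixed public IPs or an Azure subnet are illustrative.

```hcl
# Added example. Names and variables are assumptions, not Spacelift-provided code.
terraform {
  required_providers {
    azurerm   = { source = "hashicorp/azurerm" }
    spacelift = { source = "spacelift-io/spacelift" }
  }
}

provider "azurerm" {
  features {}
}

variable "storage_account_id" {
  type        = string
  description = "Resource ID of the existing restricted storage account (assumed)."
}

variable "private_worker_egress_ips" {
  type        = list(string)
  description = "Public egress IPs of the private worker pool, e.g. its NAT gateway (assumed)."
}

variable "private_worker_subnet_ids" {
  type        = list(string)
  default     = []
  description = "Subnets of private workers hosted in Azure, with the Microsoft.Storage service endpoint (assumed)."
}

# Mothership addresses only. Public worker IPs are not in this set, so
# feeding it into ip_rules below would not stop 403s on public worker runs.
data "spacelift_ips" "mothership" {}

resource "azurerm_storage_account_network_rules" "restricted" {
  storage_account_id = var.storage_account_id
  default_action     = "Deny"

  # Azure accepts public addresses or CIDR ranges here; give single hosts
  # as plain IPs (no /31 or /32), and private ranges are rejected.
  ip_rules = var.private_worker_egress_ips

  # Workers inside an Azure VNet are admitted by subnet, not by IP.
  virtual_network_subnet_ids = var.private_worker_subnet_ids
}

output "spacelift_mothership_ips" {
  value = data.spacelift_ips.mothership.ips
}
```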

Limitations with public worker pools

Spacelift does not officially support or provide guidance for custom network configurations with public worker pools when accessing private cloud resources. This is outside the typical use case for public workers, and support for such custom configurations is limited.

Next steps

If you need to access private Azure Storage Accounts or other resources with network restrictions, consider migrating to a private worker pool setup. This will give you the network control and predictable IP addresses needed for your infrastructure requirements.