Debugging Azure DevOps CI pipelines remotely can be difficult and time consuming. Sometimes it’s much easier to SSH into the pipeline agent, test your workflow manually and then modify azure-pipelines.yml. But unlike some 3rd party Github Actions (ex. SSH tunnel over ngrok), Azure DevOps does not offer this capability for Microsoft hosted agents.

Welcome Twingate!

Although it’s primary use is to replace outdated VPN services, we can also use it to connect to pipeline agents. Let’s get into it!

  • Create an “on premise” network in Twingate web interface:
  • Next move to setup connectors. You can see them once you click on the remote network you just created. There are two of them already visible and they have silly random names (ex. poised-jerboa). For our scenario, we only need one. So click on any of them, rename it to something logical and proceed to select a deployment method. We will choose “Linux” as we are going to be connecting to a linux pipeline agent.
  • Once you create a connector, you are going to have to generate tokens by pressing on the, well, “generate tokens” button. For this step you will be asked to reauthenticate.
  • After this step is finished, copy the generated bash command and put it aside. We will use this command in a minute to install the connector on our pipeline agent.
  • Next create resources in your network. Create a new one, add a label for it (ex. workers), choose the network it belongs to (in my case I named the network “Azure DevOps”) and add a CIDR range.
    I recommend adding as it seems that Azure DevOps agents are getting an IP address in that range. If you choose to add a single IP address instead, you will have to recreate the connector and modify your yml file before each execution.
  • Open the following repository: Connect to Azure DevOps hosted agents via ssh ( and copy the content of azure-pipelines.yml. While doing that replace all the string placeholders as follows:
    • <CONNECTOR_SERVICE_COMMAND> – Bash command that we mentioned above and you obtained it from Twingate after connector creation. It is used to install the connector on the Azure DevOps agent. 
    • <PUBLIC_KEY> – Your local user public SSH key 
    • <TIMEOUT_INTERVAL> – Timeout interval to close pipeline execution and with that – close the connection.

Once finished your azure-pipelines.yml file should look something like this:

Pipeline file performs three steps in total:

  1. Install the connector on the agent.
  2. Manually add your local public key to the agent as we do not know the default users (vsts) password and therefore can’t use ssh-copy-id.
  3. Find the IP address of the agents virtual machine (container) and print the proper ssh command for further usage.
  • Run your pipeline and check its execution log. In the last step you will see a string containing “CONNECT WITH: ssh ….” as in the following picture. Use the command to ssh into your pipeline agent.

Voila! Now you can connect, roam through the system and even gain sudo privileges.

Feel free to add a comment.

If you want to learn more about Twingate, what it is and what its capabilities are, there is an awesome video by Viktor Farcic which was published just today. At least today as in the day I’m writing this post.

Stop Using VPNs! Peer-to-Peer Zero-Trust Communication With Twingate


Gjoko Pargo


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.