SonarQube as AWS EC2 connecting to Azure DevOps, how to configure networking?

Must-share information (formatted with Markdown):

  • which versions are you using: SonarQube Enterprise Edition Version 9.9 (build 65466)
  • how is SonarQube deployed: zip
  • what are you trying to achieve: First time setup
  • what have you tried so far to achieve this: Followed SonarQube docs

Running SonarQube as an Azure DevOps pipeline task using the SonarQube extension uses a project-level Service Connection that I put in the server URL and a token generated in SonarQube. SonarQube server is an EC2 instance in our AWS account. I can make a successful connection from SonarQube to Azure DevOps, but Azure DevOps can’t talk back to SonarQube, which makes sense: how would Azure DevOps (an external internet-based app) be able to resolve an internal host (http://sonarqube.example.com:9000)? The configuration makes sense if Azure DevOps was also an on-prem app, but not as a cloud app. The docs don’t say anything about the proper network configuration for two-way communication, and searching on here turns up a lot of unanswered posts closed due to inactivity.

Hey there.

Azure DevOps doesn’t need to talk to SonarQube, but SonarQube needs to talk to Azure DevOps.

And, your build agents will need to get in touch with Azure DevOps. If you’re trying to use Azure DevOps hosted build agents to connect to your SonarQube server, you’ll more likely need to use self-hosted agents that can talk to internal resources.

When I originally trialed this app it was SonarCloud (and later decided to go with SonarQube) and everything was working smoothly but after spinning up SonarQube, the same task in the same pipeline is no longer working so there’s some issue somewhere that was introduced when I moved it internal. When configuring the Azure DevOps Service Connection it asks for the SonarQube URL and wouldn’t it need to talk from Azure DevOps back to SonarQube when running the task in the pipeline in order to trigger the scan and get the results for a pass/fail (and to use any other gates)? We’re using Azure DevOps hosted agents currently but I’m going to spin up self-hosted to see if that helps fix this issue but that isn’t the ideal solution as it would involve totally changing our current process.

Yes, because SonarCloud is available to Azure DevOps Hosted build agents, as opposed to your internal SonarQube server.

No, this is all handled by the build agent, or SonarQube getting in touch with Azure DevOps (not the other way around).
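The replies above describe two one-way paths: the build agent must reach SonarQube, and SonarQube must reach Azure DevOps. The script below is an added example (not from the thread or from SonarSource) for checking each path from the host that actually needs it; the SonarQube URL and token are placeholder environment variables, and the `/api/system/status` and `/api/authentication/validate` endpoints are standard SonarQube web API calls.

```shell
#!/usr/bin/env sh
# Connectivity checks for the topology discussed in the thread:
#   build agent -> SonarQube      (scanner uploads the report and polls results)
#   SonarQube   -> Azure DevOps   (PR decoration / quality gate status)
# Azure DevOps itself never has to reach the SonarQube host.
# SONAR_URL and SONAR_TOKEN are assumed placeholders, not values from the thread.

SONAR_URL="${SONAR_URL:-http://sonarqube.example.com:9000}"
SONAR_TOKEN="${SONAR_TOKEN:-REPLACE_WITH_TOKEN}"   # token generated in SonarQube
ADO_URL="https://dev.azure.com"

# Returns 0 when a /api/system/status JSON body reports "UP".
# Pure string matching, so it can be exercised without a network.
sonar_status_is_up() {
  case "$1" in
    *'"status":"UP"'*|*'"status": "UP"'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run ON THE BUILD AGENT (self-hosted, inside the VPC or with a route to it).
check_agent_to_sonarqube() {
  body=$(curl -sS --max-time 10 "$SONAR_URL/api/system/status") || {
    echo "FAIL: agent cannot reach $SONAR_URL (DNS, security group or NACL)"; return 1; }
  if sonar_status_is_up "$body"; then
    echo "OK: agent reaches SonarQube and it reports UP"
  else
    echo "WARN: reached SonarQube but status body was: $body"; return 1
  fi
}

# Also on the agent: confirm the Service Connection token is accepted.
# SonarQube expects the token as the basic-auth user name with an empty password.
check_token() {
  body=$(curl -sS --max-time 10 -u "$SONAR_TOKEN:" \
         "$SONAR_URL/api/authentication/validate") || return 1
  case "$body" in
    *'"valid":true'*) echo "OK: token accepted"; return 0 ;;
    *) echo "FAIL: token rejected: $body"; return 1 ;;
  esac
}

# Run ON THE SONARQUBE EC2 HOST: outbound HTTPS to Azure DevOps must work.
check_sonarqube_to_ado() {
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$ADO_URL/")
  case "$code" in
    2*|3*) echo "OK: egress to $ADO_URL works (HTTP $code)" ;;
    *) echo "FAIL: no egress to $ADO_URL (HTTP $code); check NAT gateway/route/SG"; return 1 ;;
  esac
}
```

Source the file and call `check_agent_to_sonarqube; check_token` on the agent, then `check_sonarqube_to_ado` on the EC2 host; a FAIL on the first pair is the hosted-agent problem the reply describes.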