Dev Box Pools

Effortlessly secure, scalable, and customisable CI/CD agents for Azure DevOps.

Glenn Atter

Fractional CTO

2025-11-24
Tags: Azure DevOps, CI/CD, Security, Platform engineering

Azure DevOps offers free Microsoft-hosted build minutes, which are an excellent starting point for small projects or experimentation. The limitation is that these agents run on public infrastructure outside your Azure environment, which is a problem as soon as a pipeline needs to reach private resources, pass strict firewall rules, install custom software, use more disk space, or meet specialised performance needs.

The old answer was to deploy self-hosted agents on custom VMs or Azure Virtual Machine Scale Sets. VMSS improved scaling and automation, but it still required teams to build and maintain images, patch agents, monitor them, and prevent them from becoming forgotten security liabilities.

Managed DevOps Pools

Managed DevOps Pools became generally available in November 2024. They build on VMSS-style agents but offload infrastructure management to Microsoft. Teams can create tailored agent pools with prebuilt or custom images, region-specific configuration, automatic scaling, and enough control for real CI/CD workloads.

The agent VMs run in a Microsoft-owned Azure subscription and are billed to yours, which removes most infrastructure ownership while still letting teams choose images, sizing, networking, and scaling behaviour. For teams that want the security profile of private agents without maintaining a fleet, this is a significant shift.

Security advantages

  • Custom VNets: Pools can integrate with an existing Azure virtual network so agents can reach private endpoints, ExpressRoute, and internal resources without traversing the public internet. The subnet must be delegated to Microsoft.DevOpsInfrastructure/pools and needs enough IP space for the maximum number of agents (Azure reserves five addresses per subnet), and the pool and VNet must be in the same region.
  • NAT gateways and IP control: Routing the delegated subnet through a NAT gateway gives agents stable outbound IPs that can be allowlisted on firewalls and matched in audit logs. Agent IP addresses are also visible in pipeline logs during job initialisation, which is worth checking once before adding an address to an allowlist.
  • Managed identities: Pools can be assigned Azure managed identities and use Azure RBAC rather than stored credentials, including access to Key Vault for secrets and certificates, so no long-lived secret needs to live on the agent image or in pipeline variables.
  • Multiple pools: Separate pools can be configured for projects, teams, environments, or sensitivity levels, giving more granular access control and keeping a compromised low-trust build from sharing an agent with a production deployment.

Performance and usability

Agents can run stateless (a fresh VM for every job, so nothing from a previous build survives) or stateful (the VM is reused for a configurable period, which keeps local caches warm and supports long-running workflows). Stateless is the safer default; reserve stateful agents for pipelines you trust. Images can mirror Microsoft-hosted agents, use Azure Marketplace images, or come from Azure Compute Gallery. Data disks can be attached when workloads need more space without forcing larger VM SKUs.

Creation is available through the Azure portal, Bicep, or Terraform. Prerequisites include registering the Microsoft.DevOpsInfrastructure resource provider in the subscription, checking that the region supports pools, and granting the DevOpsInfrastructure service principal the required network permissions (Network Contributor, or a custom role with equivalent actions) on the virtual network.
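Putting the networking, identity and creation steps above together, here is an added Bicep example (not code from the original post or from Microsoft's samples) that creates a delegated subnet routed through an existing NAT gateway, grants the DevOpsInfrastructure service principal Network Contributor on the VNet, and deploys a stateless pool with a user-assigned identity. The VNet name, NAT gateway ID, Dev Center project ID, service principal object ID, organisation URL, address prefix and VM SKU are placeholders you supply; the API versions and property names follow the Microsoft.DevOpsInfrastructure/pools schema as published, so check them against the current reference if a deployment rejects one.

```bicep
// Added example: Managed DevOps Pool with private VNet, fixed egress IPs and managed identity.
// All parameter values are placeholders (assumptions), not values from the original post.
targetScope = 'resourceGroup'

param location string = resourceGroup().location          // pool and VNet must share a region
param poolName string = 'mdp-ci-private'
param vnetName string                                      // existing VNet in this resource group
param natGatewayId string                                  // existing NAT gateway: stable outbound IPs
param devCenterProjectResourceId string                    // Dev Center project the pool attaches to
param devOpsInfrastructurePrincipalId string               // object ID of the DevOpsInfrastructure SP
param orgUrl string = 'https://dev.azure.com/contoso'     // placeholder organisation
param maxAgents int = 4

resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' existing = {
  name: vnetName
}

// Delegated subnet. A /26 leaves 59 usable addresses after Azure's 5 reserved ones,
// plenty for maxAgents with headroom. All egress leaves via the NAT gateway.
resource agentSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' = {
  parent: vnet
  name: 'snet-mdp-agents'
  properties: {
    addressPrefix: '10.10.5.0/26'                          // placeholder prefix
    natGateway: { id: natGatewayId }
    delegations: [
      {
        name: 'Microsoft.DevOpsInfrastructure/pools'
        properties: { serviceName: 'Microsoft.DevOpsInfrastructure/pools' }
      }
    ]
  }
}

// Network Contributor for the DevOpsInfrastructure service principal, scoped to this VNet only
// rather than the whole subscription (least privilege).
var networkContributorRoleId = '4d97b98b-1d4f-4787-a291-c67834d212e7'
resource netRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(vnet.id, devOpsInfrastructurePrincipalId, networkContributorRoleId)
  scope: vnet
  properties: {
    principalId: devOpsInfrastructurePrincipalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', networkContributorRoleId)
  }
}

// Identity the agents use for Key Vault and other Azure RBAC access: no stored credentials.
resource agentIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${poolName}-id'
  location: location
}

resource pool 'Microsoft.DevOpsInfrastructure/pools@2024-10-19' = {
  name: poolName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${agentIdentity.id}': {} }
  }
  properties: {
    devCenterProjectResourceId: devCenterProjectResourceId
    maximumConcurrency: maxAgents
    organizationProfile: {
      kind: 'AzureDevOps'
      organizations: [ { url: orgUrl, parallelism: maxAgents } ]
      permissionProfile: { kind: 'CreatorOnly' }           // only the creator can use/administer the pool
    }
    agentProfile: {
      kind: 'Stateless'                                     // fresh VM per job, nothing persists between builds
    }
    fabricProfile: {
      kind: 'Vmss'
      sku: { name: 'Standard_D2ads_v5' }                    // placeholder SKU
      images: [ { wellKnownImageName: 'ubuntu-22.04/latest' } ]
      networkProfile: { subnetId: agentSubnet.id }
      osProfile: { logonType: 'Service' }
      storageProfile: {
        osDiskStorageAccountType: 'Standard'
        dataDisks: [ { diskSizeGiB: 128, storageAccountType: 'Standard_LRS', caching: 'ReadWrite' } ]
      }
    }
  }
  dependsOn: [ netRole ]                                    // the pool must not deploy before the SP can join the VNet
}

output poolId string = pool.id
output agentSubnetId string = agentSubnet.id
```

Deploy with az deployment group create after registering the provider (az provider register --namespace Microsoft.DevOpsInfrastructure). Grant agentIdentity the Key Vault roles it needs separately, scoped to the specific vault, and add the NAT gateway's public IP to downstream allowlists only after confirming it in a pipeline's job initialisation log.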

Comparison with alternatives

Option                    Trade-off
Microsoft-hosted agents   Simple to start with, but limited for customisation, networking, and security.
Self-hosted agents        Fully controllable, but high-maintenance and easy to neglect.
VMSS agents               Scalable, but infrastructure and image management stay with the user.
Managed DevOps Pools      Managed infrastructure with customisation, scaling, and stronger security controls.

The roadmap adds further operational value, including cost-saving features such as Spot VM support, manual agent purging, project-level pool creation, public static IPs, log analytics integration, and service tags for outbound traffic.

Summary

Managed DevOps Pools reduce the operational burden of self-hosted agents while improving security and scalability. They are a strong default when teams need the control of private agents without inheriting the maintenance debt of unmanaged VM fleets.
