App Service for Web App for Containers, Container Registry and Private Endpoints

specialsnowflake 66 Reputation points
2021-02-19T16:12:10.53+00:00

I have created in our Azure subscription an App Service (Web App for Containers, single container, App Service plan is P1v2) and a Container Registry (Premium). I have connected both the App Service and the ACR to a VNet using private endpoints. I have also configured VNet Integration for the App Service to the VNet.

When I set the Public Access of the ACR to disabled, I expect to force the App Service to pull its image from the ACR using only the networking of the VNet. Instead I get an error when trying to pull the image:

ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://my-acr.azurecr.io/v2/my-acr-repo/manifests/latest: denied: client with IP 'XX.XXX.XX.XXX' is not allowed access. Refer https://aka.ms/acr/firewall to grant access."}

If I then set the Public Access of the ACR to "Selected networks" and allow the IP address listed in the error above, it works.

My questions:

  1. Is the private endpoint scenario above not supported (App Service for Containers accessing ACR)? If not, is it being worked on for support and when will it be supported?
  2. If the above is not supported, how do I use Azure CLI to get the above IP address besides waiting for an error and pulling it from the text of the error? It's not the IP address associated with any of the virtual NICs nor the IP Address that nslookup resolves to when looking up the public host listed in the URL for the App Service.

Thanks for your help.


Accepted answer
  1. prmanhas-MSFT 17,886 Reputation points Microsoft Employee
    2021-03-01T09:42:50.763+00:00

    @specialsnowflake I had discussion internally and below is the response I got:

    As noted earlier, the private link scenario isn't supported yet on App Service. Beyond that we're working on it and hope to land it sometime between now and the end of June, there is not a more specific ETA.

    What the customer might be seeing is one of the pool of outbound IP addresses used by the App Service scale unit where the app is running. You can add all of the outbound IP addresses associated with the app to their address allow list in ACR.

    When looking at your outbound addresses you will see that there are two sets. If you look in your app Properties you can see them, or use the command line items referred to above.

    When you set up a firewall though, use the Additional Outbound IP Addresses or possibleOutboundAddresses, however it shows up. It is the superset of what is possible for your app to use. That way if you scale it up or down across SKUs, it will still work.

    Hope it helps!!!

    Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics

    2 people found this answer helpful.
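The allow-listing procedure from the answer above as an added shell example (not from the original thread or from Microsoft): it reads the `possibleOutboundIpAddresses` superset as `az webapp show` returns it, checks whether the address reported in a pull error belongs to that set (the poster's second question), and emits one `az acr network-rule add` command per address. The sample address list is constructed; `RG`, `APP` and `ACR` are placeholder names.

```shell
# Constructed sample of what `az webapp show --query possibleOutboundIpAddresses -o tsv`
# returns: a comma-separated string. These addresses are made up for the example.
SAMPLE_OUTBOUND="203.0.113.10,203.0.113.11,198.51.100.7"

# Emit one address per line from the comma-separated list.
split_addrs() {
  printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d'
}

# Return 0 if the address a pull error reports is among the app's possible
# outbound addresses; if it is not, the pull is not coming from this app.
is_app_outbound_ip() {
  split_addrs "$2" | grep -qxF "$1"
}

# Print the `az acr network-rule add` command for every address, so the whole
# superset is allow-listed and scaling across SKUs keeps working. Printed, not run.
acr_allow_commands() {
  registry="$1"
  split_addrs "$2" | while IFS= read -r ip; do
    printf 'az acr network-rule add --name %s --ip-address %s\n' "$registry" "$ip"
  done
}

# Live usage (needs an authenticated az session; not executed here):
#   addrs=$(az webapp show -g "$RG" -n "$APP" --query possibleOutboundIpAddresses -o tsv)
#   acr_allow_commands "$ACR" "$addrs" | sh
#   az acr update --name "$ACR" --default-action Deny   # keep everything else blocked
```

These outbound addresses are shared by every app on the same scale unit, so the allow list admits more than this one app; the registry's own authentication remains the control that matters.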

4 additional answers

  1. Kim Zachariassen 11 Reputation points
    2021-10-15T11:19:56.96+00:00

    See this blog for solution:

    https://azure.github.io/AppService/2021/07/03/Linux-container-from-ACR-with-private-endpoint.html

    The WEBSITE_PULL_IMAGE_OVER_VNET setting is what you need.

    2 people found this answer helpful.

  2. Lucas Camargo Reis 86 Reputation points
    2021-02-22T19:10:37.293+00:00

    Hi @specialsnowflake

    Can you confirm whether you use Azure DNS Zones to resolve IPs for your Private Links inside a VNet?

    To access a resource in Azure using a Private Link you need to integrate with Azure DNS Zones or configure your DNS servers as in this documentation:
    https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#dns-configuration-scenarios

    1 person found this answer helpful.

  3. prmanhas-MSFT 17,886 Reputation points Microsoft Employee
    2021-02-26T09:52:32.493+00:00

    @specialsnowflake Apologies for the delay in response and all the inconvenience caused because of the issue.

    I had a discussion internally and got to know it is not supported yet. This indeed is on the roadmap and our engineering team is working on the same, but currently I don't have an ETA to share.

    Hope it helps!!!

    Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics


  4. Abhilash Konnur 1 Reputation point Microsoft Employee
    2021-05-11T08:35:51.87+00:00

    @specialsnowflake not sure if you already found the answer. The outbound IPs of App Service can be found in the Properties blade.
