Managing ACR access via Azure Firewall Manager

Ian 0 Reputation points
2023-05-03T16:13:58.7866667+00:00

Hi,

I'm trying to create a solution where all Azure services (AKS, AKV, ASQL, ACR, etc.) can only be accessed if the client is connected using Azure VPN Gateway. I have already managed to connect AKS from a different VNET so that it can only be accessed privately via VPN, using DNATs. I'm just wondering why I cannot see the repositories of ACR if I'm connected via VPN (the ACR, Azure Firewall (premium), ASQL and AKV run on the same subnet as the VPN). If I change the network settings to Selected IPs and list my ISP IP, I can access ACR. Is there a way for me to manage this via Azure Firewall Manager? It seems a hassle to have a separate firewall manager just for ACR.


1 answer

  1. deherman-MSFT 34,021 Reputation points Microsoft Employee
    2023-05-04T15:19:17.0666667+00:00

    @Ian

    If you are connected via VPN Gateway you should be able to use Private Link to access ACR. Please set this up and see if it resolves your issue. If you are still having issues connecting let me know and we can work with you directly to investigate further.

    Create a private endpoint - existing registry

    In the portal, navigate to your container registry.

    Under Settings, select Networking.

    On the Private endpoints tab, select + Private endpoint.

    In the Basics tab, enter or select the following information:

    Project details
    - Subscription: Select your subscription.
    - Resource group: Enter the name of an existing group or create a new one.

    Instance details
    - Name: Enter a name.
    - Region: Select a region.

    Select Next: Resource.

    Enter or select the following information:

    - Connection method: For this example, select Connect to an Azure resource in my directory.
    - Subscription: Select your subscription.
    - Resource type: Select Microsoft.ContainerRegistry/registries.
    - Resource: Select the name of your registry.
    - Target subresource: Select registry.

    Select Next: Configuration.

    Enter or select the information:

    Networking
    - Virtual network: Select the virtual network for the private endpoint.
    - Subnet: Select the subnet for the private endpoint.

    Private DNS Integration
    - Integrate with private DNS zone: Select Yes.
    - Private DNS Zone: Select (New) privatelink.azurecr.io.

    Select Review + create. You're taken to the Review + create page where Azure validates your configuration.

    When you see the Validation passed message, select Create.

    If you still have questions, please let us know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts.

    If the answer below has been helpful, we appreciate hearing from you and would love to help others who may have the same question. Accepting answers helps increase visibility of this question for other members of the Microsoft Q&A community.

    Thank you for helping to improve Microsoft Q&A!

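The portal procedure in the answer above, expressed as Azure CLI so it can be reviewed and repeated. This is an added example, not code from the thread or from Microsoft; every resource name, the region and the subscription id are placeholder assumptions. By default it only prints the commands (DRY_RUN=1); set DRY_RUN=0 to execute them against a subscription you are logged into. It also includes a small check a practitioner would run from the VPN client afterwards: both the registry endpoint and the regional data endpoint must resolve to private addresses, otherwise pulls still go to the public endpoint and are blocked once public access is turned off.

```shell
#!/bin/sh
# Added example (not from the Q&A thread): the portal steps as Azure CLI.
# All names below are assumed placeholders; adjust to your environment.
set -eu

RG="${RG:-rg-private-services}"            # assumed resource group
REGISTRY="${REGISTRY:-myregistry}"         # assumed registry name (myregistry.azurecr.io)
VNET="${VNET:-vnet-hub}"                   # assumed VNet that the VPN gateway serves
SUBNET="${SUBNET:-snet-private-endpoints}" # assumed subnet for the private endpoint
LOCATION="${LOCATION:-westeurope}"         # assumed region
PE_NAME="pe-${REGISTRY}"
DNS_ZONE="privatelink.azurecr.io"          # zone name from the "Private DNS Zone" step

# DRY_RUN=1 prints each command instead of calling az, so the plan can be
# reviewed (and tested) on a machine without Azure access.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# "Resource" tab: target is the registry, sub-resource (group id) "registry".
create_private_endpoint() {
  registry_id="/subscriptions/<subscription-id>/resourceGroups/${RG}/providers/Microsoft.ContainerRegistry/registries/${REGISTRY}"
  if [ "${DRY_RUN:-1}" != "1" ]; then
    registry_id="$(az acr show --name "$REGISTRY" --resource-group "$RG" --query id -o tsv)"
  fi
  run az network private-endpoint create \
    --name "$PE_NAME" --resource-group "$RG" --location "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$registry_id" \
    --group-id registry \
    --connection-name "${PE_NAME}-conn"
}

# "Configuration" tab: private DNS zone, linked to the VNet and attached to
# the endpoint so the A records for the registry are created automatically.
create_dns_integration() {
  run az network private-dns zone create --resource-group "$RG" --name "$DNS_ZONE"
  run az network private-dns link vnet create --resource-group "$RG" \
    --zone-name "$DNS_ZONE" --name "link-${VNET}" \
    --virtual-network "$VNET" --registration-enabled false
  run az network private-endpoint dns-zone-group create --resource-group "$RG" \
    --endpoint-name "$PE_NAME" --name default \
    --private-dns-zone "$DNS_ZONE" --zone-name acr
}

# Once pulls work over the VPN, close the public endpoint so the registry is
# reachable only through the private endpoint.
disable_public_access() {
  run az acr update --name "$REGISTRY" --resource-group "$RG" --public-network-enabled false
}

# Hostnames a VPN client must resolve privately: the registry endpoint and the
# regional data endpoint (layers are served from the latter).
registry_hostnames() {
  printf '%s\n' "${REGISTRY}.azurecr.io" "${REGISTRY}.${LOCATION}.data.azurecr.io"
}

# Returns 0 if the address a resolver returned for one of those names is an
# RFC 1918 address (i.e. the private endpoint), 1 if it is a public address.
check_private_resolution() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  create_private_endpoint
  create_dns_integration
  disable_public_access
}
main
```

Usage: `DRY_RUN=1 sh acr-private-endpoint.sh` to review the plan, then `DRY_RUN=0 ...` to apply it. After applying, run `nslookup` on each name printed by `registry_hostnames` from a connected VPN client and pass the answer to `check_private_resolution`. Point-to-site clients do not reach the Azure-provided resolver (168.63.129.16) directly, so they need a DNS server inside the VNet (for example an Azure DNS Private Resolver inbound endpoint) pushed via the VPN profile; without that, the privatelink zone is invisible to the client and the registry resolves to its public address.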