Container image unable to pull private azure container registry image (Code: InaccessibleImage))

Bernard Steyn 20 Reputation points
2023-05-21T21:35:23.2666667+00:00

Hey all,

I am having trouble creating an Azure container from my private azure image I have pushed to the azure container registry. The container I am trying to create is on a private subnet:

The image 'xxxxx.azurecr.io/test/xxxxx:latest' in container group 'xxxxx' is not accessible. Please check the image and registry credential. (Code: InaccessibleImage)

I have tried resolving this by adding a NAT gateway to the private subnet to give it an outgoing public IP address, which I then added to the "Networking" allowed IP's in the Azure container registry. Still, after this I get the above error and the container does not launch.

Any advice or assistance would be greatly appreciated!

Azure Container Registry
Azure Container Registry
An Azure service that provides a registry of Docker and Open Container Initiative images.
446 questions
Azure Container Instances
Azure Container Instances
An Azure service that provides customers with a serverless container experience.
690 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. vipullag-MSFT 26,211 Reputation points
    2023-05-22T03:33:13.68+00:00

    Hello Bernard Steyn

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    Based on the issue description shared, seems like you are having trouble accessing your private Azure Container Registry image. The error message you received indicates that the image is not accessible. This could be due to incorrect registry credentials or incorrect image name.

    To troubleshoot this issue, you can try the following steps:

    1. Verify that the image name and tag are correct. You can check this by running the following command in the Azure CLI:
    az acr repository show-tags --name <registry-name> --repository <repository-name> 
    
    1. Verify that the registry credentials are correct. You can check this by running the following command in the Azure CLI:
    az acr login --name <registry-name>
    
    1. Ensure that the image you are trying to pull exists in your Azure Container Registry. You can use the following command to list the images in your registry:
    az acr repository list --name <registry-name> --output table
    
    1. Check if you have the correct permissions to access the image. You can use the following command to check the permissions:
    az acr repository show --name <registry-name> --repository <repository-name> --output table
    
    1. If you are using a private subnet, make sure that the subnet has access to the internet. You can do this by adding a NAT gateway to the subnet.
    2. Make sure that the IP address of the subnet is added to the "Networking" allowed IP's in the Azure Container Registry.
    3. Review the logs of the container group for any additional error messages or warnings that might provide more insights into the issue. You can check the logs using Azure Portal, Azure CLI, or Azure PowerShell.
    4. You can try pulling the container image manually from the private subnet using Docker or a container runtime tool to validate if the image is accessible within the subnet. If the image cannot be pulled manually, it indicates an issue with the network connectivity or the image itself.

    Hope this helps, you should be able to identify and resolve the issue preventing the Azure container from accessing the private Azure Container Registry image.

    1 person found this answer helpful.

  2. Bernard Steyn 20 Reputation points
    2023-05-22T13:11:47.69+00:00

    Hi again @vipullag-MSFT , the issue has been sorted. It seems that the image from the private azure container registry can not be pulled for containers via the web interface. A container registry identity was used and the following command worked to create the container via the azure cli:

    az container create --resource-group xxxxx-Test_group --name xxxxx --image xxxxx.azurecr.io/test/xxxxx:latest--cpu 1 --memory 1 --ip-address Private --ports 9042 --assign-identity /subscriptions/xxxxxxx/resourcegroups/xxxxx-Test_group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/xxxxxIdentity --acr-identity xxxxxidentity --location southafricanorth --vnet xxxxxTestVN --subnet xxxxxSubnet

    Thank you again for your assistance! This can be closed.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.