Azure ACI with Private ACR and selected public network is not working

Md Farman Khan 36 Reputation points
2020-12-10T06:11:50.69+00:00

I have created a private Azure container registry with the premium tier, created a private endpoint for it in a V-net and uploaded a docker image. After that I went to the 'Public access' section, chose 'Selected networks' instead of 'All networks' and provided some selected public IPs there.

Now when I tried to create an Azure container instance and group (in the same v-net) with that private registry image, I was not able to do so and got a failure message like 'the registry image is not accessible from the container instance group'.

I am able to spin up the container image successfully in ACI when I choose 'All networks' instead of 'Selected networks', but as I don't want everyone in the world to have access to my registry image, this solution is not secure for me.

Please suggest what I am missing here.


Accepted answer
  1. prmanhas-MSFT 17,901 Reputation points Microsoft Employee
    2020-12-16T09:20:14.663+00:00

    @Md Farman Khan I had a discussion internally and below is the response I got from our internal team:

    We have run into a similar issue when using Azure Container Instances over Private Link with ACR and pulling images. Whilst not documented in the Private Endpoint docs, in the Service Endpoint docs the following is mentioned:

    • Only an Azure Kubernetes Service cluster or Azure virtual machine can be used as a host to access a container registry using a service endpoint. Other Azure services including Azure Container Instances aren't supported.

    We have raised feedback to the Product Group on this as below:

    For the customer they have a requirement to support dynamic testing or Azure pipelines and dynamic load testing for which they use Azure Container Instances to create/run/destroy. The images used to support these tests are deployed by a pipeline to an Azure Container Registry. The customer would like to make this registry completely private, using Private link to make access available from known Vnets. This is working successfully when Public Network access to the ACR is available but as soon as this is disabled the ability to pull images by ACI is lost. An "error" similar to the error below is returned:
    The image 'remoteacrtest.azurecr.io/testing/alpine:v2' in container group 'alpineprivate1' is not accessible. Please check the image and registry credential.

    The registry credentials are correct and the image can be accessed from a VM using docker pull or from an AKS deployment in the same Vnet.

    In addition to the testing scenario the customer would like to make their connectivity component, used by external parties to connect to their global network, available from the Azure MarketPlace. To enable this an ACI instance is being used to deploy the application elements of the solution onto an AKS cluster within the target subscription. The desire is to have this as a wholly private deployment with the only dependency being the setup of Private Endpoint to ACR prior to the deployment commencing. At this time this is not possible as the image pull for ACI requires Public Access on ACR to be available.

    This limitation is stated in the Azure Documentation for Container Registry Service Endpoints:
    Only an Azure Kubernetes Service cluster or Azure virtual machine can be used as a host to access a container registry using a service endpoint. Other Azure services including Azure Container Instances aren't supported.

    This is not mentioned for Private Endpoints.

    The documentation ( How to guide ) for deployment of ACI from an Azure Container Registry states:
    You can't pull images from Azure Container Registry deployed into an Azure Virtual Network at this time.

    Feedback has been provided to the internal team on this and they are working on it. We don't have any ETA for it, but rest assured it is being worked on.

    Hope it helps.

    Do let me know if you have any further queries.

    Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics
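As an added example (not code from the thread, from Microsoft or from the ACR/ACI projects), a small Azure CLI preflight that encodes the limitation the answer describes, so a pipeline can fail early with a clear reason instead of at `az container create`. RG, ACR_NAME, ACI_NAME, VNET, SUBNET, ALLOWED_IP, ACR_USER and ACR_PASS are assumed placeholders; the decision logic itself needs no Azure access.

```shell
#!/bin/sh
# Added example, not from the thread. Encodes the limitation described in the
# accepted answer: ACI pulls from ACR only while public network access is fully
# open (publicNetworkAccess=Enabled and defaultAction=Allow). A private
# endpoint or an IP allow-list ('Selected networks') does not help ACI.
set -eu

# Pure decision function: exit 0 when ACI is expected to pull, 1 otherwise.
#   $1 = publicNetworkAccess            (Enabled | Disabled)
#   $2 = networkRuleSet.defaultAction   (Allow | Deny, empty when no rule set)
aci_pull_expected_to_work() {
  pna="$1"
  da="${2:-Allow}"   # no rule set at all means nothing is denied
  [ "$pna" = "Enabled" ] && [ "$da" = "Allow" ]
}

# Human-readable state used in the preflight output.
explain_acr_state() {
  if aci_pull_expected_to_work "$1" "$2"; then
    echo "open: ACI can pull, but the registry is reachable from any public IP"
  else
    echo "restricted ($1/${2:-Allow}): ACI pull will fail with 'image ... is not accessible'; pull from an AKS cluster or VM in the VNet instead"
  fi
}

# Live preflight: reads the registry's current settings with the Azure CLI.
preflight_acr() {
  acr="$1"
  pna=$(az acr show --name "$acr" --query publicNetworkAccess -o tsv)
  da=$(az acr show --name "$acr" --query networkRuleSet.defaultAction -o tsv)
  echo "$acr: $(explain_acr_state "$pna" "$da")"
}

# Reproduction of the thread's failing configuration (Premium SKU required
# for network rules). Shown for reference; it is not called automatically.
repro_restricted_pull() {
  az acr update --name "$ACR_NAME" --resource-group "$RG" --default-action Deny
  az acr network-rule add --name "$ACR_NAME" --resource-group "$RG" --ip-address "$ALLOWED_IP"
  # This is the step that fails while defaultAction is Deny:
  az container create --resource-group "$RG" --name "$ACI_NAME" \
    --image "$ACR_NAME.azurecr.io/testing/alpine:v2" \
    --registry-login-server "$ACR_NAME.azurecr.io" \
    --registry-username "$ACR_USER" --registry-password "$ACR_PASS" \
    --vnet "$VNET" --subnet "$SUBNET"
}

# Only talk to Azure when a registry name is supplied: ACR_NAME=myacr sh preflight.sh
if [ -n "${ACR_NAME:-}" ] && command -v az >/dev/null 2>&1; then
  preflight_acr "$ACR_NAME"
fi
```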


3 additional answers

  1. Vladimir Ryabtsev 6 Reputation points
    2023-03-03T22:38:33.1866667+00:00

  2. Aurélien Noisette 0 Reputation points
    2023-02-16T14:31:51.5666667+00:00

    I also find it a limitation. I lost a day trying to deploy ACI using terraform from a private ACR. Using AKS is a workaround, but do you not think that it is like killing a fly with a sledgehammer?


  3. Vladimir Ryabtsev 6 Reputation points
    2023-03-03T22:40:22.78+00:00