@Md Farman Khan I had a discussion internally, and below is the response I got from our internal team:
We have run into a similar issue when using Azure Container Instances over Private Link with ACR and pulling images. Whilst not documented in the Private Endpoint docs, in the Service Endpoint docs the following is mentioned:
• Only an Azure Kubernetes Service cluster or Azure virtual machine can be used as a host to access a container registry using a service endpoint. Other Azure services including Azure Container Instances aren't supported.
We have raised feedback to the Product Group on this as below:
For the customer they have a requirement to support dynamic testing or Azure pipelines and dynamic load testing for which they use Azure Container Instances to create/run/destroy. The images used to support these tests are deployed by a pipeline to an Azure Container Registry. The customer would like to make this registry completely private, using Private Link to make access available from known VNets. This is working successfully when Public Network access to the ACR is available, but as soon as this is disabled the ability to pull images by ACI is lost. An "error" similar to the error below is returned:
The image 'remoteacrtest.azurecr.io/testing/alpine:v2' in container group 'alpineprivate1' is not accessible. Please check the image and registry credential.
The registry credentials are correct and the image can be accessed from a VM using docker pull or from an AKS deployment in the same VNet.
In addition to the testing scenario, the customer would like to make their connectivity component, used by external parties to connect to their global network, available from the Azure Marketplace. To enable this, an ACI instance is being used to deploy the application elements of the solution onto an AKS cluster within the target subscription. The desire is to have this as a wholly private deployment with the only dependency being the setup of Private Endpoint to ACR prior to the deployment commencing. At this time this is not possible as the image pull for ACI requires Public Access on ACR to be available.
This limitation is stated in the Azure Documentation for Container Registry Service Endpoints:
Only an Azure Kubernetes Service cluster or Azure virtual machine can be used as a host to access a container registry using a service endpoint. Other Azure services including Azure Container Instances aren't supported.
This is not mentioned for Private Endpoints.
The documentation (how-to guide) for deployment of ACI from an Azure Container Registry states:
You can't pull images from Azure Container Registry deployed into an Azure Virtual Network at this time.
Feedback has been provided to the internal team on the same and they are working on it. We don't have any ETA for it, but rest assured it is being worked upon.
Hope it helps.
Do let me know if you have any further queries.
Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics.
Thanks for your reply, but I don't think this link answers my query, as it doesn't say anything about spinning up an ACI container instance from a private Azure registry.
Though on one of the Microsoft sites I found a note - "Instances of certain Azure services including Azure DevOps Services and Azure Container Instances are also unable to access a network-restricted container registry" - https://learn.microsoft.com/en-us/azure/container-registry/container-registry-private-link
Does the above statement mean Azure doesn't support this feature? If it's true, would you like to suggest some alternatives?
Thank you.