Unable to connect to Private Registry from an App Service

Question

Unable to connect to Private Registry from an App Service

Dia 21

Ciao!

We are in a process of migrating an on-prem app to Azure. We have created an App Service running in Linux. The App Service Plan is running on B1 sku (while in Dev). We have the below variables configured. In the deployment center, we have it configured to point to the on-prem harbor container, have provided correct credentials, image name and tag. We have also attached a company's root certificate under the Public key certificate tab as the harbor container on-prem uses the same too. app service - env-variables

We can ping and resolve the harbor container from the app service.

We are using private endpoint and vNet is integrated.

Here are the errors:

2024-11-25T17:26:34.998Z INFO - Attempting to pull image harbor.xxxx.com/company-noncritical-apps/yyyy-app:1.7.10-f8 from VNET.

2024-11-25T17:26:39.571Z ERROR - Image pull for harbor.xxxx.com/company-noncritical-apps/yyyy-app:1.7.10-f8 failed. UnexpectedFaliure

2024-11-25T17:26:39.581Z ERROR - Pulling docker image harbor.xxxx.com/company-noncritical-apps/yyyy-app:1.7.10-f8 over VNET failed.

2024-11-25T17:26:39.589Z WARN - Image pull failed. Defaulting to local copy if present.

2024-11-25T17:26:39.599Z ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)

2024-11-25T17:26:39.611Z INFO - Stopping site xxxxxx because it failed during startup.

Silvia Wibowo 6,046 Reputation points Microsoft Employee Volunteer Moderator

2024-11-25T21:25:16.13+00:00
Hi @Dia , please clarify:

How is Azure connected to your on-prem network: Express Route, VPN, else?

What DNS are you using on vnet? Does it have entry for your harbor server name?

When you say "we are using private endpoint" - what service is configured for the private endpoint? Is it to invoke the App Service?
Dia 21 Reputation points

2024-11-25T21:56:52.69+00:00

Hi Silvia!

We are connected to on-prem via VPN GW (Virtual WAN). DNS is working, we can resolve the IP from the app service. We have the DNS resolver with a rule to forward queries to on-prem DNS for anything in our on-prem domain.

All the traffic is going over private endpoint.

We suspect is a certificate related issue, but logs are limited to confirm that. Even thought we have a cert linked to the app service, I am not sure if it's being used to make that handshake with the on-prem container.
Dia 21 Reputation points

2024-11-25T23:11:56.5166667+00:00

Hi Silvia,

Not sure if my reply went to you as I don't see it.

Our Azure is connected via VPN GW (vWAN). We can resolve the harbor from App Service, so we know DNS is working. We have a DNS resolver with a rule to forward queries to on-prem DNS for anything in our on-prem domain.

The app service traffic is sent over a private endpoint.

I feel like it a cert issue, however the logs are very generic. I am not sure if the cert we imported in the app service can make a handshake with the harbor cert.

2 answers

Your answer

Silvia Wibowo 6,046 Reputation points Microsoft Employee Volunteer Moderator

2024-11-25T21:25:16.13+00:00

Hi @Dia , please clarify:

How is Azure connected to your on-prem network: Express Route, VPN, else?

What DNS are you using on vnet? Does it have entry for your harbor server name?

When you say "we are using private endpoint" - what service is configured for the private endpoint? Is it to invoke the App Service?
Dia 21 Reputation points

2024-11-25T21:56:52.69+00:00

Hi Silvia!

We are connected to on-prem via VPN GW (Virtual WAN). DNS is working, we can resolve the IP from the app service. We have the DNS resolver with a rule to forward queries to on-prem DNS for anything in our on-prem domain.

All the traffic is going over private endpoint.

We suspect is a certificate related issue, but logs are limited to confirm that. Even thought we have a cert linked to the app service, I am not sure if it's being used to make that handshake with the on-prem container.
Dia 21 Reputation points

2024-11-25T23:11:56.5166667+00:00

Hi Silvia,

Not sure if my reply went to you as I don't see it.

Our Azure is connected via VPN GW (vWAN). We can resolve the harbor from App Service, so we know DNS is working. We have a DNS resolver with a rule to forward queries to on-prem DNS for anything in our on-prem domain.

The app service traffic is sent over a private endpoint.

I feel like it a cert issue, however the logs are very generic. I am not sure if the cert we imported in the app service can make a handshake with the harbor cert.

Answer 1

Silvia Wibowo 6,046 Microsoft Employee Volunteer Moderator

Hi @Dia , please make sure these two settings:

Virtual Network integration of the App Service - tick the Container image pull:
Environment variable WEBSITE_PULL_IMAGE_OVER_VNET is set to TRUE:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Dia 21 Reputation points

2024-12-09T16:59:48.6133333+00:00

Hi Silvia,

Thanks for your reply.

We had that configuration already in place.

Due to inability to make it work with existing container, we decided to use Azure container.
Shree Hima Bindu Maganti 4,925 Reputation points Microsoft External Staff Moderator

2024-12-17T17:54:15.3166667+00:00

Hi Dia,

Following up to see if you have chance to check my previous response and help us with requested information is helpful.
Shree Hima Bindu Maganti 4,925 Reputation points Microsoft External Staff Moderator

2024-12-18T18:54:52.5066667+00:00

Hi Dia,

Following up to see if you have chance to check my previous response and help us with requested information is helpful.

Answer 2

Hi Dia,
Thankyou for your Response.

Since you have already validated DNS and VNet integration, the issue could indeed be related to certificates.

Ensure the Harbor registry root certificate is uploaded under TLS/SSL Settings > Public Key Certificates in the App Service.

The App Service only trusts certificates from this store during TLS handshake.

Use Kudu Console to test the Harbor registry endpoint.

curl -v https://harbor.xxxx.com --cacert /path/to/certificate

Replace /path/to/certificate with the cert path in your container or App Service.

Confirm the Environment Variable WEBSITE_PULL_IMAGE_OVER_VNET is set to TRUE to enforce the private endpoint usage.

Use PowerShell/Kudu Console to validate connectivity to Harbor.

Test-NetConnection harbor.xxxx.com -Port 443
Any certificate errors will surface during this check.

Confirm no outbound NSG rules or routing misconfigurations are blocking traffic to the registry.
https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2CRBAC
https://learn.microsoft.com/en-us/azure/app-service/overview-private-endpoint
You can mark it 'Accept Answer' and 'Upvote' if this helped you

Share via

Unable to connect to Private Registry from an App Service

2 answers

Your answer