ImagePullFailure on App Service with Managed Identity

Question

ImagePullFailure on App Service with Managed Identity

Ian Branda 20

I have an App Service that is configured to deploy a Docker image from a private Azure Container Registry. I have seen the other three questions about this same problem and have gone through the proposed solutions and am still getting the ImagePullFailure in my App Service.

Relevant configuration:

Azure Container Registry
- No admin credentials
- No public access
- Private link/Private endpoint enabled
- Image and tag exist
- authentication-as-arm is enabled
App Service
- In the same vnet as the ACR private endpoint
- no outbound traffic restrictions
- uses managed identity to authenticate to ACR
Managed identity
- Has AcrPull role on the ACR resource
- Is assigned to the App Service

Steps I have taken to verify connection:

In the App Service's advanced tools I was able to resolve the dns and tcping the ACR, confirming that the App Service can reach the registry
The user assigned managed identity is also assigned to an ACR task that builds and pushes the image, and is given the AcrPush role as well. The task is successful in pushing the image, confirming that the managed identity permissions are working
I have manually removed and re-attached the container settings on the App Service

Silvia Wibowo 5,871 Reputation points Microsoft Employee Moderator

2025-05-07T04:28:04.3033333+00:00
HI @Ian Branda , please clarify:

You mentioned "App Service in the same vnet as ACR private endpoint"

What pricing tier did you use for your App Service (Basic, Standard, Premium, Premium v2, and Premium v3)?

Did you use vnet integration feature? Please make sure that "Container Image Pull" is ticked in the vnet integration configuration. Ref: Virtual network configuration

You mentioned "In the App Service's advanced tools I was able to resolve the dns"

Did you access your Azure Container Registry using private endpoint name (myregistry.privatelink.azurecr.io) or public endpoint name (myregistry.azurecr.io)? It's recommended to continue using public endpoint name.

Did it resolve the DNS to the private endpoint IP address?
Ian Branda 20 Reputation points

2025-05-07T14:41:45.3266667+00:00

Hi Silvia,

To answer your questions, my App Service plan is P0v3, I used vnet integration, and "Container Image Pull" is ticked. I did use the public endpoint name when resolving the DNS and it did resolve to the private endpoint IP address.
Laxman Reddy Revuri 4,405 Reputation points Microsoft External Staff Moderator

2025-05-08T04:29:52.15+00:00

Hi @Ian Branda ,
You mentioned that the managed identity has the AcrPull role. Just to double-check, ensure that this assignment exists directly on the ACR resource (not just on the ACR task or elsewhere). Make sure the image URL you are using in the App Service points to the right format, which should be myregistry.azurecr.io/image-name:tag. If you're using a private endpoint, make sure the DNS resolves correctly to the private IP of the ACR.
Since you're using P0v3, confirm that your App Service plan supports pulling images from ACR, especially with vNet integration enabled and functioning. Since your ACR is set up with a private endpoint, ensure that there's nothing blocking the managed identity from accessing the ACR.

1.The App Service and ACR are indeed in the same virtual network.

2.The private DNS configuration is set correctly, especially if you're using Azure Private DNS.
references:
https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration#enable-container-image-pull-through-regional-vnet-integration
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-private-link

Accepted answer

1 additional answer

Your answer

Silvia Wibowo 5,871 Reputation points Microsoft Employee Moderator

2025-05-07T04:28:04.3033333+00:00

HI @Ian Branda , please clarify:

You mentioned "App Service in the same vnet as ACR private endpoint"

What pricing tier did you use for your App Service (Basic, Standard, Premium, Premium v2, and Premium v3)?

Did you use vnet integration feature? Please make sure that "Container Image Pull" is ticked in the vnet integration configuration. Ref: Virtual network configuration

You mentioned "In the App Service's advanced tools I was able to resolve the dns"

Did you access your Azure Container Registry using private endpoint name (myregistry.privatelink.azurecr.io) or public endpoint name (myregistry.azurecr.io)? It's recommended to continue using public endpoint name.

Did it resolve the DNS to the private endpoint IP address?
Ian Branda 20 Reputation points

2025-05-07T14:41:45.3266667+00:00

Hi Silvia,

To answer your questions, my App Service plan is P0v3, I used vnet integration, and "Container Image Pull" is ticked. I did use the public endpoint name when resolving the DNS and it did resolve to the private endpoint IP address.
Laxman Reddy Revuri 4,405 Reputation points Microsoft External Staff Moderator

2025-05-08T04:29:52.15+00:00

Hi @Ian Branda ,
You mentioned that the managed identity has the AcrPull role. Just to double-check, ensure that this assignment exists directly on the ACR resource (not just on the ACR task or elsewhere). Make sure the image URL you are using in the App Service points to the right format, which should be myregistry.azurecr.io/image-name:tag. If you're using a private endpoint, make sure the DNS resolves correctly to the private IP of the ACR.
Since you're using P0v3, confirm that your App Service plan supports pulling images from ACR, especially with vNet integration enabled and functioning. Since your ACR is set up with a private endpoint, ensure that there's nothing blocking the managed identity from accessing the ACR.

1.The App Service and ACR are indeed in the same virtual network.

2.The private DNS configuration is set correctly, especially if you're using Azure Private DNS.
references:
https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration#enable-container-image-pull-through-regional-vnet-integration
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-private-link

Answer 1

Hi @Ian Branda ,
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

Issue: ImagePullFailure on App Service with Managed Identity

Solution:
I'm managing my infrastructure using Terraform and according to the documentation, A records for private DNS are handled automatically by Azure when creating private endpoints. The one caveat is that the data endpoint (<acr-name>.<region>.data.orivatelink.azurecr.io) DIDN'T have an automatically created A record, so even though I was able to ping and resolve the registry DNS, the pull was failing due to not having the A record for the data endpoint. I am now managing all of my A records explicitly in Terraform.

Please click Accept Answer and kindly upvote it so that other people who faces similar issue may get benefitted from it.

Laxman Reddy Revuri 4,405 Reputation points Microsoft External Staff Moderator

2025-05-09T15:43:46.6966667+00:00

Hi @Ian Branda ,
Thank you for posting your solution so that others experiencing the same thing can easily reference this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

Answer 2

Hi Laxman,

I have confirmed all of the above multiple times. I actually finally found the problem and as I haven't seen it posted here, I'll post an answer for others to reference itn the future.

I'm managing my infrastructure using Terraform and according to the documentation, A records for private DNS are handled automatically by Azure when creating private endpoints. The one caveat is that the data endpoint (<acr-name>.<region>.data.orivatelink.azurecr.io) DIDN'T have an automatically created A record, so even though I was able to ping and resolve the registry DNS, the pull was failing due to not having the A record for the data endpoint. I am now managing all of my A records explicitly in Terraform.

Share via

ImagePullFailure on App Service with Managed Identity

1 additional answer

Your answer