Exercise - Configure Azure Container Registry for a secure connection with Azure Container Apps

  • 15 minutes

In this exercise, you configure a container registry instance for a secure connection from a container app.

The following Azure resources must be available in your Resource group named RG1:

  • A Container Registry instance that contains one image.
  • A Virtual Network with subnets.
  • Service Bus Namespace

Important

The previous unit (Prepare your app deployment tools and resources) includes a Setup section that describes how to configure the recourses for this guided project module. If necessary, go back and follow the Setup instructions.

You've been asked to configure your Azure resources to meet the following requirements:

  • Your resource group must include a user-assigned managed identity.
  • Your container registry must be able to use the managed identity to pull artifacts.
  • Access for the managed identity must be limited using the principle of least privilege.
  • Your container registry must be accessible from a private endpoint on VNET1/PESubnet.

You complete the following tasks during this exercise:

  1. Configure a user-assigned managed identity.

  2. Configure your container registry with AcrPull permissions for the managed identity.

  3. Configure your container registry with a private endpoint connection.

  4. Verify the configuration.

Note

Before continuing, ensure that you've completed the Setup section of the Prepare your app deployment tools and resources unit.

Configure a user-assigned managed identity

Complete the following steps to configure a user-assigned managed identity.

  1. Open your Azure portal.

  2. On the portal menu, select + Create a resource.

  3. On the Create a resource page, in the Search services and marketplace text box, enter managed identity

  4. In the filtered list of resources, select User Assigned Managed Identity.

  5. On the User Assigned Managed Identity page, select Create.

  6. On the Create User Assigned Managed Identity page, specify the following information:

    • Subscription: Specify the Azure subscription that you're using for this guided project.
    • Resource group: RG1
    • Region: Central US
    • Name: uai-az2003

  7. Select Review + create.

  8. Select Create.

Configure Container Registry with AcrPull permissions for the managed identity

Complete the following steps to configure Container Registry with AcrPull permissions for the managed identity.

  1. In the Azure portal, open your Container Registry resource.

  2. On the left-side menu, select Access Control (IAM).

  3. On the Access Control (IAM) page, select Add role assignment.

  4. Search for the AcrPull role, and then select AcrPull.

  5. Select Next.

  6. On the Members tab, to the right of Assign access to, select Managed identity.

  7. Select + Select members.

  8. On the Select managed identities page, under Managed identity, select User-assigned managed identity, and then select the user-assigned managed identity created for this project.

    For example: uai-az2003.

  9. On the Select managed identities page, select Select.

  10. On the Members tab of the Add role assignment page, select Review + assign.

  11. On the Review + assign tab, select Review + assign.

  12. Wait for the role assignment to be added.

Configure Container Registry with a private endpoint connection

  1. Ensure that your Container Registry resource is open in the portal.

  2. Under Settings, select Networking.

  3. On the Private access tab, select + Create a private endpoint connection.

  4. On the Basics tab, under Project details, specify the following information:

    • Subscription: Specify the Azure subscription that you're using for this guided project.
    • Resource group: RG1
    • Name: pe-acr-az2003
    • Region: Ensure that Central US is selected.

  5. Select Next: Resource.

  6. On the Resource tab, ensure the following information is displayed:

    • Subscription: Ensure that the Azure subscription that you're using for this guided project is selected.
    • Resource type: Ensure that Microsoft.ContainerRegistry/registries is selected.
    • Resource: Ensure that the name of your registry is selected.
    • Target sub-resource: Ensure that registry is selected.

  7. Select Next: Virtual Network.

  8. On the Virtual Network tab, under Networking, ensure the following information is displayed:

    • Virtual network: Ensure that VNET1 is selected
    • Subnet: Ensure that PESubnet is selected.

  9. Select Next: DNS.

  10. On the DNS tab, under Private DNS Integration, ensure the following information is displayed:

    • Integrate with private DNS zone: Ensure that Yes is selected.
    • Private DNS Zone: Notice that (new) privatelink.azurecr.io is specified.

  11. Select Next: Tags.

  12. Select Next: Review + create.

  13. On the Review + create tab, when you see the Validation passed message, select Create.

  14. Wait for the deployment to complete.

Check your work

In this task, you verify that your configuration meets the specified requirements.

  1. In the Azure portal, open your Container Registry resource.

  2. On the Access Control (IAM) page, select Role assignments.

  3. Verify that the role assignments list shows the AcrPull role assigned to the User-assigned Managed Identity resource.

  4. On the left-side menu, under Settings, select Networking.

  5. On the Networking page, select the Private access tab.

  6. Under Private endpoint, select the private endpoint that you created.

    For example, select per-acr-az2003

  7. On the Private endpoint page, under Settings, select DNS configuration.

  8. Verify the following DNS setting:

    • Private DNS zone: set to privatelink.azurecr.io.

  9. On the left-side menu, select Overview.

  10. Verify the following setting:

    • Virtual network/subnet: set to VNET1/PESubnet.