I have an ACR, i.e., myregistry, in production-network-group, and I was creating container apps in dev-network-group, uat-network-group and prod-network-group.

Currently, I am trying to connect to myregistry from the dev and uat networks using credentials, as shown below:

enter image description here

How can I use Azure Container Registry as the image source instead of Docker Hub or other registries? How can I give all of the dev and uat container apps access to my ACR?

There is no issue for prod; I can use Azure Container Registry as the image source, as they are both in the same network.

Any workarounds to solve this issue would be appreciated.

Gitarani Sharma
Python coder
  • Is there a private endpoint associated with your ACR? – simon-pearson Aug 23 '23 at 08:31
  • @simon-pearson No, there is no private endpoint and system assigned identity is also disabled in our ACR. – Python coder Aug 23 '23 at 08:44
  • What is the error message that you get? Also, in your picture you used azreAcr.io for the registry server; that is wrong, the correct domain is azurecr.io without "a". – zsolt Aug 25 '23 at 17:45
  • @zsolt I was not able to see my azure container registry when I selected `Azure container Registry` as image source instead of `Docker Hub or other registries`. That was a typo; I was able to connect successfully if I use `Docker Hub or other registries`. I want to remove the dependency on credentials by selecting `Azure container Registry`, but because the network groups are different, it was not showing up. How to provide access? – Python coder Aug 25 '23 at 18:26
  • You can set up a private endpoint in your ACR for each VNet. Private endpoints allow you to access the ACR via a private IP address directly from your VNet. Did you try in that way? @Pythoncoder – Jahnavi Aug 26 '23 at 03:42
  • @Jahnavi No, I haven't tried that. Can you please share the steps to do this? – Python coder Aug 26 '23 at 03:58
  • @Jahnavi I also want to know: is there any way to fix this issue using managed identity? – Python coder Aug 26 '23 at 04:03
  • You can do it by going to `Networking` under ACR. Choose selected networks and enable firewall by giving the required IP addresses. And then click on `allow access from trusted services` as shown [here](https://i.imgur.com/LE12bfP.png). @Pythoncoder – Jahnavi Aug 26 '23 at 10:16
  • Yes, you can also use managed identity to fix it, and it is detailed here in [MSDoc](https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/container-instances/using-azure-container-registry-mi.md). @Pythoncoder – Jahnavi Aug 26 '23 at 10:18

1 Answer

How to provide ACR access to Azure container apps that are not in the same network group:

You can create private endpoints, which allow you to access the container registry directly from your virtual network using a private IP address.

After working on your issue, I found the approach below to access ACR from other virtual networks.

Go to the container registry >> Networking >> choose Selected networks and enable the firewall by adding which IP addresses to block (if required) >> enable Allow access from trusted >> click Save.


Alternatively, you can create an identity for the ACR and add the required permissions to the specific managed identity, as shown in MSDoc.

I've created an identity and added permissions using AzCLI:

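```bash
# Create the user-assigned managed identity and capture its resource ID
uid=$(az identity create --resource-group <resourcegroup> --name newcrj --query id --output tsv)
# Principal ID of the identity, used as the role assignee
spid=$(az identity show --resource-group <resourcegroup> --name newcrj --query principalId --output tsv)
# Resource ID of the registry; the role must be scoped to the registry, not to the identity
acrid=$(az acr show --name <registryname> --query id --output tsv)
az role assignment create --assignee "$spid" --scope "$acrid" --role acrpull
```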


Update:

After a discussion and workaround on your issue, I found that there is no possibility of attaching ACR to the container app without using credentials if it is a private registry.

I tried with all the deployment methods and each deployment is prompting for user credentials for private registries.

Jahnavi
  • I have enabled `allow access from trusted`, but it is still not showing up in image source `Azure Container Registry` to create a container app. And the provided MSDoc is deploying on container instances, not container apps. – Python coder Aug 28 '23 at 04:25
  • Does this [SO](https://stackoverflow.com/a/76859852/19785512) work for you? @Pythoncoder – Jahnavi Aug 28 '23 at 04:29
  • I see that, it is attaching ACR to AKS cluster, I am using azure container apps, how to attach ACR to other network, to see my ACR while creating a new container app? – Python coder Aug 28 '23 at 04:37
  • Can you try in [this](https://learn.microsoft.com/en-us/cli/azure/acr/network-rule?view=azure-cli-latest) way? @Pythoncoder – Jahnavi Aug 28 '23 at 04:51
  • You can also use [az containerapp update](https://learn.microsoft.com/en-us/cli/azure/containerapp?view=azure-cli-latest#az-containerapp-update-examples) to link it with the ACR after creating a container app. @Pythoncoder – Jahnavi Aug 28 '23 at 04:53
  • Do I need to link using credentials like username and password? – Python coder Aug 28 '23 at 05:17
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/255082/discussion-between-jahnavi-and-python-coder). – Jahnavi Aug 28 '23 at 06:30
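
A check for the role assignment step in the answer above, as an added example that is not part of the original answer: it reads JSON in the shape returned by `az role assignment list --assignee <principalId> --all --output json` and confirms that the identity holds AcrPull scoped to the registry itself, flagging assignments that miss the registry or grant more than pull. The subscription ID, the resource group `example-rg` and the sample records are constructed.

```python
import json

PULL_ROLE = "AcrPull"

def covers(scope: str, resource_id: str) -> bool:
    """True if a role assignment at `scope` is inherited by `resource_id`."""
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")

def audit(assignments, registry_id):
    """Return (has_scoped_pull, findings) for one identity's role assignments."""
    has_scoped_pull, findings = False, []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        is_pull = role.lower() == PULL_ROLE.lower()
        if not covers(scope, registry_id):
            # AcrPull on some other resource does nothing for this registry.
            if is_pull:
                findings.append(f"MISSCOPED {role} at {scope}: gives no pull on the registry")
            continue
        if not is_pull:
            findings.append(f"EXCESS {role} at {scope}: more than pull access")
        elif scope.lower().rstrip("/") != registry_id.lower().rstrip("/"):
            findings.append(f"BROAD {role} at {scope}: applies to every registry under it")
        else:
            has_scoped_pull = True
    return has_scoped_pull, findings

# Constructed sample data (placeholder subscription ID and resource group).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = f"{SUB}/resourceGroups/example-rg"
REGISTRY_ID = f"{RG}/providers/Microsoft.ContainerRegistry/registries/myregistry"
IDENTITY_ID = f"{RG}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/newcrj"
SAMPLE = json.dumps([
    {"roleDefinitionName": "AcrPull", "scope": IDENTITY_ID},   # scoped to the identity itself
    {"roleDefinitionName": "Contributor", "scope": RG},        # inherited by the registry
    {"roleDefinitionName": "AcrPull", "scope": REGISTRY_ID},   # the intended assignment
])

if __name__ == "__main__":
    ok, findings = audit(json.loads(SAMPLE), REGISTRY_ID)
    print("AcrPull scoped to registry:", ok)
    for line in findings:
        print(" -", line)
```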