Azure container instance and a private container registry


I’ve deployed an Azure container registry with private link enabled, and now I am trying to deploy an Azure container instance which uses that container registry for its image. FYI, I’ve enabled the setting “trust Microsoft services” in the firewall settings, and I’ve linked the DNS zone to all applicable VNets.

But the problem is that the deployment still reports wrong credentials and/or that the image cannot be found, even though that is not the case via the az CLI.

What I’ve tried are the following scenarios:

  • The portal does not support many options, but when I use the private registry setting and enter the access key and secret key (I’ve enabled the admin setting) I get all sorts of errors indicating that it cannot find the image or that there are authentication problems; both errors are in the same message. But I know this is not the case, because I can access the same image with the same path and credentials via the az CLI.
  • I’ve tried creating a user-assigned managed identity with the proper role assignments and pointing to the UAMI in a custom ARM deployment. Same error.
  • I’ve tried it with a service principal. Same error.
  • Generated tokens. Same error.

What did work: when I opened up the registry (firewall-wise), the deployment went right through. I have searched through the Azure documentation, but unfortunately I cannot find anything related to my problem.

Hopefully you guys can help me out, Thanks in advance!

Arko

In order to deploy an Azure container registry with private link enabled and then use an image from it to deploy an Azure container instance, you can try the steps below. High-level plan:

  1. Create a private container instance within its own VNet.
  2. Create a test VM within the same VNet as the container instance.
  3. Test the connection to the container instance from the test VM using ping or nslookup.
  4. Configure a private endpoint for the ACR. A few things to keep in mind before that: a private ACR works only with the Premium plan (the system will prompt you during setup), and make sure to enable the admin user. Disable public access, allow trusted Microsoft services to access the ACR, and set up the private endpoints.
  5. Test the connection to the ACR from the test VM, again using nslookup or ping. After that, run az acr login --name arkocr.azurecr.io to log in to your ACR, then pull your image and finally deploy your image.
  • Confirm that the ACR has a private link set up correctly.
  • Make sure the DNS zone is linked properly to the VNet expected to contain the ACI.

As a reference I used Setup Azure Kubernetes Service and Container Registry via Private End Point, but instead of AKS I deployed ACI; during the setup process I kept the network private, set the image source to my ACR, and used the private VNet which I created. The remaining process is similar to what is described in that document, excluding the Kubernetes section.
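The answer's plan, written out as az CLI commands with a resolver check to run from the test VM; this is an added example, not code from the question or the answer, and every resource name in it (resource group, registry, VNet, subnets, image) is an assumption to adjust to your environment:

```shell
# Added example (not the question's or answer's code): the answer's plan as az
# CLI commands, plus a resolver check for the ACR name from the test VM.
# Resource names are assumptions; adjust to your environment.
set -eu
RG="${RG:-rg-private-aci}"
ACR="${ACR:-myprivateacr}"            # login server is $ACR.azurecr.io
VNET="${VNET:-vnet-aci}"
SUBNET_PE="${SUBNET_PE:-snet-acr-pe}" # subnet for the registry private endpoint
SUBNET_ACI="${SUBNET_ACI:-snet-aci}"  # delegated subnet the container group joins
IMAGE="${IMAGE:-myapp:1.0}"
ZONE="privatelink.azurecr.io"         # private DNS zone used by ACR private endpoints

deploy_registry() {
  az acr create -g "$RG" -n "$ACR" --sku Premium --admin-enabled true   # Premium: private link
  # Close the public endpoint but keep the "trusted Microsoft services" bypass.
  az acr update -n "$ACR" --public-network-enabled false --allow-trusted-services true
  local acr_id; acr_id="$(az acr show -n "$ACR" --query id -o tsv)"
  az network private-endpoint create -g "$RG" -n "pe-$ACR" --vnet-name "$VNET" \
    --subnet "$SUBNET_PE" --private-connection-resource-id "$acr_id" \
    --group-id registry --connection-name "pe-$ACR-conn"
  # Link the zone to every VNet that must reach the registry, including the ACI VNet.
  az network private-dns zone create -g "$RG" -n "$ZONE"
  az network private-dns link vnet create -g "$RG" -z "$ZONE" -n "link-$VNET" -v "$VNET" -e false
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "pe-$ACR" \
    -n default --private-dns-zone "$ZONE" --zone-name registry
}
deploy_container() {
  # Admin credentials as in the answer; an AcrPull managed identity (--acr-identity)
  # avoids long-lived passwords once the network path works.
  local pw; pw="$(az acr credential show -n "$ACR" --query 'passwords[0].value' -o tsv)"
  az container create -g "$RG" -n "aci-$ACR" --image "$ACR.azurecr.io/$IMAGE" --os-type Linux \
    --vnet "$VNET" --subnet "$SUBNET_ACI" --registry-login-server "$ACR.azurecr.io" \
    --registry-username "$ACR" --registry-password "$pw"
}
# Returns 0 when $1 is an RFC 1918 IPv4 address (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.*) local o2="${1#172.}"; o2="${o2%%.*}"; [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] ;;
    *) return 1 ;;
  esac
}
# Run on the test VM: the registry name must resolve to the private endpoint IP. If it
# resolves to a public IP, the pull hits the closed public endpoint and ACI reports the
# "image not found / authentication" error the question describes.
acr_resolves_privately() {
  local ip; ip="$(getent hosts "$1.azurecr.io" | awk '{print $1; exit}')"
  [ -n "$ip" ] && is_private_ipv4 "$ip"
}
if [ "${RUN_DEPLOY:-0}" = "1" ]; then deploy_registry; deploy_container; fi
```

Run with `RUN_DEPLOY=1` to deploy; on the test VM, source the file and call `acr_resolves_privately "$ACR"` to confirm the DNS zone link is effective before deploying the container group.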