
I have set up a private ACR with public access and admin credentials disabled.

It has an approved private endpoint, set up with a private connection and private DNS zones configured.

The private endpoints reside in subnetEndpoint in virtual network vNetApp. I have set up a DevOps pipeline using an agent pool. The agent makes use of a Virtual Machine Scale Set deployed in agentSubnet in virtual network vNetApp. The agent makes use of a Service Principal to which I have assigned the AcrPush role.

The pipeline executes a docker build and should push the image to the private ACR with private endpoint.

I create a service connection dockerConn for connecting the Docker task to ACR.

I give dockerConn the AcrPush role against the registry and pass it to the pipeline.

```yaml
- stage: Build
  pool:
    name: ${pool}
  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: Docker@2
      displayName: Build and push an image to container registry
      inputs:
        command: buildAndPush
        repository: $(acrImageRepository)-$(Build.SourceBranchName)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection) # This is given the AcrPush role
```

When I run the pipeline, the Docker task fails when the step comes to push the image to ACR.

```text
518047573282: Waiting
denied: client with IP '2.413.62.52' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
##[debug]Exit code 1 received from tool '/usr/bin/docker'
##[debug]STDIO streams have closed for tool '/usr/bin/docker'
##[error]denied: client with IP '2.413.62.52' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
##[debug]Processed: ##vso[task.issue type=error;]denied: client with IP '2.413.62.52' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
##[debug]Trying to logout from registry: ***
####[debug]set DOCKER_CONFIG=
##[debug]Processed: ##vso[task.setvariable variable=DOCKER_CONFIG;isOutput=false;issecret=false;]
##[debug]task result: Failed
##[error]The process '/usr/bin/docker' failed with exit code 1
```

Error message:

```text
client with IP '2.413.62.52' is not allowed access. Refer https://aka.ms/acr/firewall to grant access
```

The virtual network has the correct DNS zones set up.

Update:

Also, I created a VM in the same subnet as the VMSS. I was able to do the following, confirming the private DNS is set up correctly:

```text
nslookup myazurereg.azurecr.io
Server:127.0.0.53
Address:127.0.0.53#53

Non-authoritative answer:
myazurereg.azurecr.io
canonical name = myazurereg.privatelink.azurecr.io.
Name: myazurereg.privatelink.azurecr.io
Address: 12.101.3.5
```

Can anyone help here? Thanks

Coder

Comments:

- Is the private DNS zone correctly linked to the VNet? Are the DNS servers of the VNet pointing to "Azure DNS" (instead of some custom DNS server)? Looks like your VM is not resolving the ACR name to its private IP and thus you are seeing the connection from outside with its public IP – silent Jul 24 '23 at 18:17
- Is your VM in a private network? – Krzysztof Madej Jul 24 '23 at 23:30
- @silent the VNet is correctly connected to the private DNS zone, added the screenshot – Coder Jul 25 '23 at 06:43
- @KrzysztofMadej the ACR is private, the VMSS is also in a private network, it is called from Azure DevOps through an agent pool – Coder Jul 25 '23 at 08:37
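The comment thread turns on one check: does the build agent resolve the registry name to the private endpoint address, or does the lookup fall through to the public endpoint (in which case the registry firewall sees the agent's public egress IP and returns exactly the "client with IP ... is not allowed access" denial shown in the log)? The script below is an added example, not part of the question or of any Azure tooling: it takes an `nslookup` transcript like the one in the question, confirms the `privatelink.azurecr.io` CNAME is present, and classifies every resolved address as RFC 1918 private or public. Both transcripts are constructed samples with placeholder registry names and addresses; run the real lookup on the VMSS agent and feed its output to `registry_path_verdict` to get the same verdict for your environment.

```shell
#!/bin/sh
# Added example (not from the question): decide whether a registry lookup from
# the agent went through the private endpoint or fell back to the public path.

# Return 0 when the dotted-quad address is in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.*)
      o2=${1#172.}; o2=${o2%%.*}
      case "$o2" in
        1[6-9]|2[0-9]|3[01]) return 0 ;;
      esac
      return 1 ;;
  esac
  return 1
}

# Print the address(es) nslookup resolved for the queried name, skipping the
# "Address:127.0.0.53#53" line that describes the local resolver itself.
resolved_addresses() {
  printf '%s\n' "$1" | awk '
    /^Server:/  { next }
    /^Address:/ { sub(/^Address:[ \t]*/, ""); if ($0 !~ /#/) print }'
}

# Return 0 when the answer chain went via the private-link CNAME.
resolved_via_privatelink() {
  printf '%s\n' "$1" | grep -q 'canonical name = [^ ]*\.privatelink\.azurecr\.io'
}

# Verdict: "private" only if the private-link CNAME is present and every
# resolved address is RFC 1918; otherwise "public", which is the path on
# which the registry firewall evaluates the agent's public egress IP.
registry_path_verdict() {
  out="$1"
  resolved_via_privatelink "$out" || { echo public; return 1; }
  n=0
  for a in $(resolved_addresses "$out"); do
    n=$((n + 1))
    is_rfc1918 "$a" || { echo public; return 1; }
  done
  [ "$n" -gt 0 ] || { echo public; return 1; }
  echo private
  return 0
}

# Constructed sample: the private DNS zone answered with the endpoint's VNet IP.
PRIVATE_SAMPLE='Server:127.0.0.53
Address:127.0.0.53#53

Non-authoritative answer:
myazurereg.azurecr.io canonical name = myazurereg.privatelink.azurecr.io.
Name: myazurereg.privatelink.azurecr.io
Address: 10.0.1.5'

# Constructed sample: the chain fell through to a public address, so the push
# leaves the VNet and hits the registry firewall.
PUBLIC_SAMPLE='Server:127.0.0.53
Address:127.0.0.53#53

Non-authoritative answer:
myazurereg.azurecr.io canonical name = myazurereg.privatelink.azurecr.io.
Name: myazurereg.privatelink.azurecr.io
Address: 12.101.3.5'

for sample in "$PRIVATE_SAMPLE" "$PUBLIC_SAMPLE"; do
  verdict=$(registry_path_verdict "$sample") || true
  echo "registry path: $verdict"
done
```

The address test is what matters: a `privatelink` CNAME appears in the chain whether or not the private zone is linked to the agent's VNet, because the public `azurecr.io` zone also points there, so only the final A record tells you which path the docker push will take.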
