Why does docker pull happen over public IP even when appservice is in a vnet

work 6 Reputation points
2021-06-17T18:31:40.867+00:00

I have an Azure App Service web app (P1v2 ASP plan) which is set up to pull a Docker image from an Azure Container Registry.

The app service is inside a VNet and the Azure Container Registry has a private link set up for it.

We are seeing that docker pull from the app service is happening over an Azure outbound IP instead of the VNet IPs. Here is an error log from the app service:

2021-06-17T17:50:35.571Z ERROR - Pulling docker image xxxxxxxxxx.azurecr.io/frontend-api:latest failed:
2021-06-17T17:50:35.571Z INFO - Pulling image from Docker hub: xxxxxxxxx.azurecr.io/frontend-api:latest
2021-06-17T17:50:35.736Z ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://xxxxxxxx.azurecr.io/v2/frontend-api/manifests/latest: denied: client with IP '40.88.xxx.xxx' is not allowed access. Refer https://aka.ms/acr/firewall to grant access."}

If I add that outbound IP of the app service, 40.88.xxx.xxxx, to the container registry whitelist then everything works. But it defeats the whole purpose of having a private link around ACR and a VNet around the app service.

Interestingly, if I SSH into the app service through the Kudu bash terminal and run "wget xxxxxxxxxx.azurecr.io", it is able to make a connection to the registry. That might just prove that the VNet to private link integration actually works.

But why is the "docker pull" happening over the app service's public outbound IP?


1 answer

  1. Ryan Hill 26,136 Reputation points Microsoft Employee
    2021-06-18T19:40:08.04+00:00

    Hi @work, thanks for your question. I will find out from the team if this scenario will be addressed in a future update.

    EDIT: This capability is in the process of being rolled out for Linux containers. To ensure it is enabled, make sure WEBSITE_VNET_ROUTE_ALL is set to true or 1. Another setting you'll need is WEBSITE_PULL_IMAGE_OVER_VNET set to true. Because this capability is currently being rolled out, our docs haven't been updated yet to reflect this setting. If your app service container(s) are running on Windows, this capability isn't supported just yet.

    ---
    EDIT 2022 September 14: Please see @Alok Pagariya's comment down below. This should start rolling out this month.
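The Azure CLI steps that apply the two app settings named in the answer above, re-read them, and restart the app, as an added example that is not part of the original answer or of Microsoft's documentation. RG and APP are placeholder environment variables (assumptions) for the resource group and web app name; the az subcommands are real Azure CLI commands. check_settings only parses the name/value TSV that `az webapp config appsettings list` emits, so it can be exercised offline on saved output.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. RG and APP are placeholder
# environment variables for the resource group and web app name (assumptions).
set -eu

# check_settings: read "name<TAB>value" lines on stdin, the shape produced by
#   az webapp config appsettings list --query "[].[name,value]" -o tsv
# and succeed only when both settings named in the answer are present and
# correct: WEBSITE_VNET_ROUTE_ALL must be 1 or true, WEBSITE_PULL_IMAGE_OVER_VNET
# must be true (case-insensitive). Each problem is reported on stderr.
check_settings() {
  route_all=""; pull_over_vnet=""; rc=0
  tab="$(printf '\t')"
  while IFS="$tab" read -r name value; do
    value="$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')"
    case "$name" in
      WEBSITE_VNET_ROUTE_ALL)       route_all="$value" ;;
      WEBSITE_PULL_IMAGE_OVER_VNET) pull_over_vnet="$value" ;;
    esac
  done
  case "$route_all" in
    1|true) ;;
    *) echo "WEBSITE_VNET_ROUTE_ALL is '${route_all:-unset}', expected 1 or true" >&2; rc=1 ;;
  esac
  case "$pull_over_vnet" in
    true) ;;
    *) echo "WEBSITE_PULL_IMAGE_OVER_VNET is '${pull_over_vnet:-unset}', expected true" >&2; rc=1 ;;
  esac
  return "$rc"
}

# apply_and_verify: set both settings, re-read them through check_settings, then
# restart so the next image pull leaves through the VNet integration.
apply_and_verify() {
  rg="$1"; app="$2"
  az webapp config appsettings set -g "$rg" -n "$app" \
    --settings WEBSITE_VNET_ROUTE_ALL=1 WEBSITE_PULL_IMAGE_OVER_VNET=true >/dev/null
  az webapp config appsettings list -g "$rg" -n "$app" \
    --query "[].[name,value]" -o tsv | check_settings
  az webapp restart -g "$rg" -n "$app"
  # Tail the container log: a pull over the VNet no longer ends in the
  # "client with IP '40.88.xxx.xxx' is not allowed access" denial from ACR.
  az webapp log tail -g "$rg" -n "$app"
}

# Only touch Azure when the CLI is installed and both placeholders are set, so
# the file can be sourced offline to run check_settings on saved output.
if command -v az >/dev/null 2>&1 && [ -n "${RG:-}" ] && [ -n "${APP:-}" ]; then
  apply_and_verify "$RG" "$APP"
fi
```

Run it as `RG=<resource-group> APP=<web-app> bash pull-over-vnet.sh` (the file name is an assumption). Once the pull succeeds, remove the temporary whitelist entry for the outbound IP from the registry (`az acr network-rule remove -n <registry> --ip-address 40.88.xxx.xxx`); while that rule is in place a pull would succeed either way, so it hides whether the VNet route is actually being used.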