I have an Azure App Service web app (P1v2 ASP plan) which is set up to pull a Docker image from an Azure Container Registry.
The App Service is inside a VNet and the Azure Container Registry has a private link set up for it.
We are seeing that the docker pull from the App Service is happening over an Azure outbound IP instead of the VNet IPs. Here is an error log from the App Service:
2021-06-17T17:50:35.571Z ERROR - Pulling docker image xxxxxxxxxx.azurecr.io/frontend-api:latest failed:
2021-06-17T17:50:35.571Z INFO - Pulling image from Docker hub: xxxxxxxxx.azurecr.io/frontend-api:latest
2021-06-17T17:50:35.736Z ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://xxxxxxxx.azurecr.io/v2/frontend-api/manifests/latest: denied: client with IP '40.88.xxx.xxx' is not allowed access. Refer https://aka.ms/acr/firewall to grant access."}
If I add that outbound IP of the App Service, 40.88.xxx.xxxx, to the container registry whitelist then everything works. But it defeats the whole purpose of having a private link around ACR and a VNet around the App Service.
Interestingly, if I SSH into the App Service through the Kudu bash terminal and run "wget xxxxxxxxxx.azurecr.io", it is able to make a connection to the registry. That might just prove that the VNet to private link integration actually works.
But why is the "docker pull" happening over the App Service public outbound IP?
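A log triage check for the symptom described above, added here as an example and not part of the question: it extracts the client IP that ACR reported as denied from the error line and checks whether that IP falls inside the VNet's address space. The registry hostname, the VNet CIDR and the sample log lines are constructed placeholders; a result of "public" means the image pull did not traverse the private endpoint.

```python
import ipaddress
import re

# Constructed sample lines modelled on the App Service log format quoted in the
# question; the hostname and the client IP are placeholders, not real values.
SAMPLE_LOG = """\
2021-06-17T17:50:35.571Z ERROR - Pulling docker image example.azurecr.io/frontend-api:latest failed:
2021-06-17T17:50:35.736Z ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://example.azurecr.io/v2/frontend-api/manifests/latest: denied: client with IP '40.88.10.20' is not allowed access. Refer https://aka.ms/acr/firewall to grant access."}
2021-06-17T18:02:11.004Z INFO - Pulling image from Docker hub: example.azurecr.io/frontend-api:latest
"""

# Address space of the VNet the App Service is integrated with (assumed value).
VNET_CIDRS = ["10.10.0.0/16"]

# ACR's firewall denial message names the source address it saw.
DENIED_RE = re.compile(r"denied: client with IP '([0-9a-fA-F.:]+)' is not allowed access")


def denied_client_ips(log_text):
    """Return the client IPs ACR reported as denied, in order of appearance."""
    return [m.group(1) for m in DENIED_RE.finditer(log_text)]


def classify_pull_source(ip_text, vnet_cidrs=VNET_CIDRS):
    """Return 'vnet' if the IP is inside the integrated VNet, 'private-other'
    for any other RFC 1918 address, and 'public' otherwise."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in ipaddress.ip_network(cidr) for cidr in vnet_cidrs):
        return "vnet"
    if ip.is_private:
        return "private-other"
    return "public"


def triage(log_text, vnet_cidrs=VNET_CIDRS):
    """Map each denied client IP to its classification. A 'public' entry means
    the registry saw the platform's outbound IP rather than a VNet address,
    i.e. the pull bypassed the private link."""
    return {ip: classify_pull_source(ip, vnet_cidrs) for ip in denied_client_ips(log_text)}


if __name__ == "__main__":
    for ip, source in triage(SAMPLE_LOG).items():
        print(f"denied client {ip}: pull source = {source}")
```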