
work-7334 asked

Why does docker pull happen over public IP even when appservice is in a vnet

I have an Azure App Service web app (P1v2 ASP plan) which is set up to pull a Docker image from an Azure Container Registry.

The App Service is inside a VNet, and the Azure Container Registry has a private link set up for it.

We are seeing that the docker pull from the App Service is happening over an Azure outbound IP instead of the VNet IPs. Here is an error log from the App Service:

2021-06-17T17:50:35.571Z ERROR - Pulling docker image xxxxxxxxxx.azurecr.io/frontend-api:latest failed:
2021-06-17T17:50:35.571Z INFO - Pulling image from Docker hub: xxxxxxxxx.azurecr.io/frontend-api:latest
2021-06-17T17:50:35.736Z ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://xxxxxxxx.azurecr.io/v2/frontend-api/manifests/latest: denied: client with IP '40.88.xxx.xxx' is not allowed access. Refer https://aka.ms/acr/firewall to grant access."}

If I add that outbound IP of the App Service (40.88.xxx.xxxx) to the container registry whitelist, then everything works. But it defeats the whole purpose of having a private link around ACR and a VNet around the App Service.

Interestingly, if I SSH into the App Service through the Kudu bash terminal and run "wget xxxxxxxxxx.azurecr.io", it is able to make a connection to the registry. That might just prove that the VNet to private-link integration actually works.

But why is the "docker pull" happening over the App Service public outbound IP?

Tags: azure-private-link, azure-container-registry, azure-webapps-vnet

JohnAyoubWTW answered

@ryanchill Is this available for Windows containers now? If not, when do you think it will be available?


ryanchill answered

Hi @work-7334, thanks for your question. I will find out from the team if this scenario will be addressed in a future update.

EDIT: This capability is in the process of being rolled out for Linux containers. To ensure it is enabled, make sure WEBSITE_VNET_ROUTE_ALL is set to true or 1. Another setting you'll need is WEBSITE_PULL_IMAGE_OVER_VNET set to true. Because this capability is currently being rolled out, our docs haven't been updated yet to reflect this setting. If your App Service container(s) is running on Windows, this capability isn't supported just yet.

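A small diagnostic for the two checks this thread turns on, added here as an example and not code from the thread or from Microsoft: it classifies the client IP that ACR reports in its "denied" message (a public address means the pull left through the App Service's shared outbound IP rather than the VNet) and verifies that both app settings named in the answer are enabled. It assumes the VNet uses RFC 1918 address space and that an authenticated `az` CLI is available for the live lookup; the sample inputs are constructed.

```python
import ipaddress
import json
import re
import subprocess

# App settings named in the answer above. App Service accepts "true" or "1" for
# WEBSITE_VNET_ROUTE_ALL per the answer; assumed to hold for both settings here.
REQUIRED_SETTINGS = ("WEBSITE_VNET_ROUTE_ALL", "WEBSITE_PULL_IMAGE_OVER_VNET")
ENABLED_VALUES = {"true", "1"}

# Assumption: the VNet uses RFC 1918 address space, so a client IP outside these
# ranges means ACR saw the App Service's public outbound IP, not a VNet address.
VNET_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the ACR firewall denial text quoted in the question's log.
DENIED_RE = re.compile(r"client with IP '([^']+)' is not allowed access")


def source_ip_from_denial(log_line):
    """Return (ip, "vnet" | "public") for an ACR 'denied' line, or None if the line
    is not such a denial. "public" means the pull did not traverse the private link."""
    m = DENIED_RE.search(log_line)
    if not m:
        return None
    ip = ipaddress.ip_address(m.group(1))
    origin = "vnet" if any(ip in net for net in VNET_RANGES) else "public"
    return str(ip), origin


def missing_vnet_pull_settings(app_settings):
    """app_settings: list of {"name": ..., "value": ...} objects, the shape printed by
    `az webapp config appsettings list --output json`. Returns the required settings
    that are absent or not enabled; an empty list means the app is configured."""
    values = {s["name"]: str(s.get("value", "")).strip().lower() for s in app_settings}
    return [k for k in REQUIRED_SETTINGS if values.get(k) not in ENABLED_VALUES]


def load_app_settings(app_name, resource_group):
    """Fetch the live app settings with the Azure CLI (requires an authenticated `az`)."""
    cmd = ["az", "webapp", "config", "appsettings", "list",
           "--name", app_name, "--resource-group", resource_group, "--output", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


if __name__ == "__main__":
    # Constructed sample: the question's log line with a made-up public client IP.
    sample = ("DockerApiException: denied: client with IP '40.88.1.2' is not allowed "
              "access. Refer https://aka.ms/acr/firewall to grant access.")
    print(source_ip_from_denial(sample))  # ('40.88.1.2', 'public')
    # Constructed sample settings: route-all is on, but the pull-over-VNet switch is missing.
    print(missing_vnet_pull_settings([{"name": "WEBSITE_VNET_ROUTE_ALL", "value": "1"}]))  # ['WEBSITE_PULL_IMAGE_OVER_VNET']
```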