HaraldReinmueller-1951 asked SureshBettadapur-4155 commented

App Service in internal App Service Environment v3 pulls Docker image over public outbound IP of ASE

I have an internal ASEv3 provisioned into my VNet. An App Service deployed in the ASEv3 needs to pull the container image from an ACR in the same VNet. The ACR has disabled all public network access and uses a private endpoint for communication. The App Service tries to pull the Docker image over the public outbound IP address of the ASE, which results in the following error message inside the "Deployment Center - Logs" of my App Service:

    ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://myregistryxxxyyy.azurecr.io/v2/my-app/manifests/2021.1.7-appinsightsx: denied: client with IP '20.xx.xxx.xx' is not allowed access. Refer https://aka.ms/acr/firewall to grant access."}

My current workaround is to allow this public IP inside the firewall settings of the ACR.

But how can I tell the App Service to communicate over my VNet only? I already set the environment variables WEBSITE_VNET_ROUTE_ALL=1 and WEBSITE_PULL_IMAGE_OVER_VNET=true.

Tags: azure-webapps, azure-container-registry, azure-webapps-vnet

1 Answer

ryanchill answered SureshBettadapur-4155 commented

Hi @HaraldReinmueller-1951,

When using regional VNET routing, make sure you have the following app settings configured:

  • DOCKER_REGISTRY_SERVER_URL
  • DOCKER_REGISTRY_SERVER_USERNAME
  • DOCKER_REGISTRY_SERVER_PASSWORD

Otherwise, it will fall back to the public route.

EDIT: See https://azure.github.io/AppService/2021/07/03/Linux-container-from-ACR-with-private-endpoint.html. You need to use Azure DNS so that it properly resolves the private endpoint within the VNET.

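
The answer's EDIT hinges on name resolution: if the registry FQDN resolves to a public address from inside the VNet, the pull leaves over the ASE's public outbound IP and the ACR firewall denies it. The following script is an added example, not code from the thread or from Azure; it resolves the registry endpoint and its regional data endpoint (both get private records through the privatelink.azurecr.io zone) and reports whether each lands inside the VNet address space. The registry name, region and CIDR are placeholders passed on the command line.

```python
"""Check whether an ACR name resolves to its private endpoint from inside a VNet.

Run from a host inside the VNet (e.g. a jump box or the app's Kudu console):
    python3 acr_dns_check.py myregistry.azurecr.io westeurope 10.0.0.0/16
A 'public' verdict means the image pull will fall back to the public route.
"""
import ipaddress
import socket
import sys


def registry_endpoints(registry_fqdn, region):
    """ACR Private Link publishes two names: the registry and its data endpoint."""
    name = registry_fqdn.split(".")[0]
    return [registry_fqdn, f"{name}.{region}.data.azurecr.io"]


def classify(fqdn, addresses, vnet_cidrs):
    """Return (verdict, detail) for the addresses fqdn resolved to."""
    nets = [ipaddress.ip_network(c) for c in vnet_cidrs]
    if not addresses:
        return ("unresolved", f"{fqdn} does not resolve; is privatelink.azurecr.io linked to this VNet?")
    private = [a for a in addresses if any(ipaddress.ip_address(a) in n for n in nets)]
    if len(private) == len(addresses):
        return ("private", f"{fqdn} -> {addresses}: private endpoint, pull stays in the VNet")
    # A public address means the request leaves via the ASE outbound IP,
    # which the ACR firewall rejects when public network access is disabled.
    return ("public", f"{fqdn} -> {addresses}: public route, expect 'client with IP ... is not allowed access'")


def resolve(fqdn):
    """Resolve fqdn with the system resolver (Azure DNS when run inside the VNet)."""
    try:
        infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_registry(registry_fqdn, region, vnet_cidrs):
    """Classify every endpoint the pull will contact; all must be 'private'."""
    return {ep: classify(ep, resolve(ep), vnet_cidrs) for ep in registry_endpoints(registry_fqdn, region)}


if __name__ == "__main__":
    registry, region, cidr = sys.argv[1], sys.argv[2], sys.argv[3]
    for verdict, detail in check_registry(registry, region, [cidr]).values():
        print(f"[{verdict}] {detail}")
```

An "unresolved" or "public" verdict for either name points at the DNS zone link rather than at the app settings.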

Hi @ryanchill ,

Thanks for your answer. My App Service uses system-assigned managed identity to authenticate against Azure Container Registry (ACR) and perform a docker pull operation. So I have no admin username/password configured.

I'm using this command to enable acrUseManagedIdentityCreds.

    az resource update --ids $(az webapp show -g my-group -n my-app --query id --output tsv)/config/web \
        --set properties.acrUseManagedIdentityCreds=True

How can I use acrUseManagedIdentityCreds=true and internal VNet routing?

Thanks, Harald

ryanchill replied to HaraldReinmueller-1951:

Hi @ryanchill,

Yes, that is my current workaround: to allow access to the public outbound IP of the ASE inside the firewall settings of the ACR.
But that's just a workaround. I want ASE + App Service to go VNet internal only.

Thanks, Harald
