Azure / azure-cli

Azure Command-Line Interface
MIT License

Container Registry acr run fails because the Client IP of the agent is blocked by the firewall #27253

Closed RSBlek closed 1 year ago

RSBlek commented 1 year ago

Describe the bug

I can't run the "acr purge" command in a newly created Container Registry. The agent crashes with the error ...client with IP '52.138.231.5' is not allowed access....

I found "52.138.230.0/24" in the list of Azure IP ranges. But I don't think that adding all possible IP ranges to the firewall is the correct solution.

The checkbox to allow trusted azure services is checked, but has no effect.

Related command

PURGE_CMD="acr purge --filter 'test/.*' --untagged --ago 1d --dry-run"
az acr run --cmd "$PURGE_CMD" --registry myregistryname /dev/null

Errors

Queued a run with ID: cg2
Waiting for an agent...
2023/08/24 12:43:22 Alias support enabled for version >= 1.1.0, please see https://aka.ms/acr/tasks/task-aliases for more information.
2023/08/24 12:43:22 Creating Docker network: acb_default_network, driver: 'bridge'
2023/08/24 12:43:22 Successfully set up Docker network: acb_default_network
2023/08/24 12:43:22 Setting up Docker configuration...
2023/08/24 12:43:23 Successfully set up Docker configuration
2023/08/24 12:43:23 Logging in to registry: myregistryname.azurecr.io
failed to login, ran out of retries: failed to set docker credentials: Error response from daemon: Get "https://myregistryname.azurecr.io/v2/": denied: client with IP '52.138.231.10' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
: exit status 1
Run ID: cg2 failed after 6s. Error: failed during run, err: exit status 1

Issue script & Debug output

Will add when needed

Expected behavior

The acr purge command finishes without errors and without adding the explicit IP range because the checkbox to trust Azure services is active.

Environment Summary

{
  "azure-cli": "2.51.0",
  "azure-cli-core": "2.51.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "interactive": "0.5.3"
  }
}

Additional context

No response

yonzhan commented 1 year ago

Thank you for opening this issue, we will look into it.

navba-MSFT commented 1 year ago

@RSBlek Thanks for reaching out to us and reporting this issue. Could you please whitelist the "52.138.230.0/23" IP address range instead and check the behavior of this issue?

Also, for the respective ACR region you have chosen, could you ensure that you have added the right IP address as specified here? Awaiting your reply.

RSBlek commented 1 year ago

Hello @navba-MSFT Thanks for the reply.

After adding 52.138.230.0/23 everything works fine. Is this the way to go?

I thought that the checkbox "Allow trusted Microsoft services to access this container registry" would have the same result.

navba-MSFT commented 1 year ago

@RSBlek Thanks for getting back. I am glad that whitelisting the IP address range fixes this issue. This IP address range is mentioned here for the ACR. The use case and limitation of "Allow trusted Microsoft services to access this container registry" are explained here.
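
The agent IP in the run log falls outside the 52.138.230.0/24 range the reporter found and inside the 52.138.230.0/23 range that resolved the issue. The script below is an added example, not part of the original thread or of azure-cli: it extracts the rejected client IPs from an ACR run log and reports which firewall allow rule, if any, covers each one. The function names and rule lists are assumptions; the sample log is constructed from the lines quoted in the issue.

```python
import ipaddress
import re

# Denial message the ACR task agent logs when the registry firewall rejects it.
DENIED_RE = re.compile(r"client with IP '([0-9a-fA-F.:]+)' is not allowed access")


def denied_ips(log_text):
    """Return the distinct client IPs the registry firewall rejected, in log order."""
    seen = []
    for match in DENIED_RE.finditer(log_text):
        ip = ipaddress.ip_address(match.group(1))
        if ip not in seen:
            seen.append(ip)
    return seen


def covering_rule(ip, rules):
    """Return the first allow rule (CIDR or single IP) that contains ip, else None."""
    for rule in rules:
        net = ipaddress.ip_network(rule, strict=False)
        if ip.version == net.version and ip in net:
            return rule
    return None


def audit(log_text, rules):
    """Map each denied IP (as a string) to the allow rule covering it, or None."""
    return {str(ip): covering_rule(ip, rules) for ip in denied_ips(log_text)}


# Constructed sample: the login and denial lines from the run log in this issue.
SAMPLE_LOG = (
    "2023/08/24 12:43:23 Logging in to registry: myregistryname.azurecr.io\n"
    "failed to login, ran out of retries: failed to set docker credentials: "
    'Error response from daemon: Get "https://myregistryname.azurecr.io/v2/": '
    "denied: client with IP '52.138.231.10' is not allowed access. "
    "Refer https://aka.ms/acr/firewall to grant access.\n"
)

if __name__ == "__main__":
    # Hypothetical rule lists: the /24 the reporter found, then the /23 that worked.
    for rules in (["52.138.230.0/24"], ["52.138.230.0/23"]):
        for ip, rule in audit(SAMPLE_LOG, rules).items():
            status = f"allowed by {rule}" if rule else "not covered by any rule"
            print(f"rules={rules}: {ip} {status}")
```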

jstoja commented 9 months ago

Hello @navba-MSFT, It seems your link for IP Address range for the ACR isn't working anymore and I fail to find the new one. Could you please help? Maybe that would be helpful to link it in the ACR documentation too, in the section about setting ACR Tasks. Best, Julien