Azure / azure-dev

A developer CLI that reduces the time it takes for you to get started on Azure. The Azure Developer CLI (azd) provides a set of developer-friendly commands that map to key stages in your workflow - code, build, deploy, monitor, repeat.
https://aka.ms/azd
MIT License

Azd deploy fails to access container registry in private network #4453

Open shankersumit opened 1 week ago

shankersumit commented 1 week ago

I am unable to deploy the microservice in Container Apps as "azd deploy" fails to access the container registry in a private network. Our infra is hosted in a secure landing zone and mms standards don't allow us to keep the ACR resource in a public network.

ERROR: failed deploying service 'TradeService': remote build failed: 2024/10/17 11:46:31 Downloading source code... 2024/10/17 11:46:32 Finished downloading source code 2024/10/17 11:46:32 Using acb_vol_21368d0d-ab76-426f-8525-fc8abc186630 as the home volume 2024/10/17 11:46:32 Setting up Docker configuration... 2024/10/17 11:46:33 Successfully set up Docker configuration 2024/10/17 11:46:33 Logging in to registry: dmpdevwecontainerregistry.azurecr.io failed to login, ran out of retries: failed to set docker credentials: Error response from daemon: Get "https://dmpdevwecontainerregistry.azurecr.io/v2/": denied: client with IP '13.69.110.34' is not allowed access. Refer https://aka.ms/acr/firewall to grant access. : exit status 1 Run ID: cb9 failed after 7s. Error: failed during run, err: exit status 1

The client with IP '13.69.110.34' seems to be from the Microsoft backbone network.

vhvb1989 commented 22 hours ago

It looks like you are trying to use remote build. Have you tried local build? IIRC, local build would use docker authentication to log in to the ACR, so as long as you can log docker in to it, then azd should be able to.

@ellismg , is there anything we can do for remote build here? Would a proxy work?

shankersumit commented 10 hours ago

Hi @vhvb1989

My ACR is in a private network and I am using a private endpoint to access the ACR from my ADO agent.

I have even tried removing the remote build and tried accessing the ACR via the private endpoint and a managed identity with the acrPull role.

But no luck so far. It only works when the ACR is in a public network.

For a production-grade application, especially in a secure landing zone, we would like to access our ACR using a private endpoint only.

Please let me know if there is any environment variable which can help, or any steps that you recommend.

vhvb1989 commented 9 hours ago

Have you tried using Azure Bastion?

In summary, you would create a VM inside your private network and then set up bastion as the way to connect to that VM. From that VM you would be able to run azd and access the ACR, as it would be inside the same private network.

Now, for running from Azure DevOps, you might need to use self-hosting to tell Azure DevOps to run pipelines in the VM which has access to the private network. I've never done this, but it looks like some folks have tried it.

shankersumit commented 8 hours ago

Hi @vhvb1989

Both the ADO agent subnet and the ACR private endpoint are part of the same vnet, so I don't think Azure Bastion is required in my case.

I just need to know whether azd supports the connection to the ACR via a private endpoint using a managed identity with the acrPull role, as I have disabled public access and the admin user in the ACR.

The IP mentioned above is part of the Microsoft service tag for ACR.
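As an added example, not code from the azd project or from anyone in this thread: a small shell pre-flight check a self-hosted agent can run before `azd deploy`. It tells a registry-firewall denial for a public source address (the remote-build case in the error above) apart from one coming from inside the vnet, and checks that the registry FQDN resolves to the private endpoint from the agent. The error wording is taken from the thread; the registry FQDN argument and the availability of `getent` are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the azd project or this thread: a pre-flight check for
# a self-hosted pipeline agent that must reach ACR only through a private endpoint.
# Assumptions: POSIX sh/bash with sed, awk and getent; the registry FQDN is passed
# as the first argument when run directly.

# Return 0 if the dotted-quad IPv4 address is RFC 1918 private, 1 otherwise.
is_private_ipv4() {
  local ip="$1" a b rest
  a=${ip%%.*}; rest=${ip#*.}; b=${rest%%.*}
  [ "$a" = 10 ] && return 0
  [ "$a" = 192 ] && [ "$b" = 168 ] && return 0
  [ "$a" = 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
  return 1
}

# Extract the client IP from the registry firewall's "is not allowed access" error
# (the wording seen in the azd output above); prints nothing if absent.
denied_client_ip() {
  sed -n "s/.*client with IP '\([0-9.]*\)' is not allowed access.*/\1/p" | head -n 1
}

# Classify an azd deploy error by where the registry login came from:
#   denied-public-source  - login left the vnet (remote build / no private DNS)
#   denied-private-source - private address, so the ACR network rules are the issue
#   no-firewall-denial    - the failure is something else
classify_error() {
  local ip
  ip="$(printf '%s\n' "$1" | denied_client_ip)"
  if [ -z "$ip" ]; then echo "no-firewall-denial"
  elif is_private_ipv4 "$ip"; then echo "denied-private-source"
  else echo "denied-public-source"; fi
}

# With a private DNS zone linked to the vnet, the registry FQDN should resolve to
# the private endpoint's address from the agent, not to the public one.
registry_resolves_private() {
  local fqdn="$1" ip
  ip="$(getent ahostsv4 "$fqdn" | awk 'NR==1 {print $1}')"
  [ -n "$ip" ] && is_private_ipv4 "$ip"
}

if [ -n "${1:-}" ]; then
  if registry_resolves_private "$1"; then echo "$1 resolves to a private address"
  else echo "$1 does not resolve to a private address from this agent"; exit 1; fi
fi
```

Run it on the agent as `./check_acr.sh <registry>.azurecr.io` before the deploy step; a non-private answer means the login will leave the vnet and be refused by the registry firewall exactly as in the error above.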