az acr login with private endpoint goes via public route #17137
Comments
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @toddysm, @yugangw-msft.
|
route to appropriate team |
@r3-jerrysteele, sorry for missing this. The best way to diagnose this is to verify the DNS setting. If not resolving to the private ip, then the error is expected. Doc is here: Please let us know what you found out |
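The DNS check suggested in the comment above, as an added example that is not part of the original thread or of azure-cli: it classifies every address a registry name resolves to as private or public. The sample answers are constructed, `myreg.azurecr.io` is the name used later in the thread, and the other two registry names are hypothetical.

```python
import ipaddress
import socket

# RFC 1918 ranges plus IPv6 unique-local: where a private endpoint address lives.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample answers (not real registry data) so the example runs offline.
# myreg is the name used in the thread; the other two names are hypothetical.
SAMPLE_DNS = {
    "myreg.azurecr.io": ["10.0.1.4"],
    "otherreg.azurecr.io": ["203.0.113.10"],
    "splitreg.azurecr.io": ["10.0.1.5", "203.0.113.11"],
}


def sample_resolver(hostname):
    """Stand-in resolver backed by SAMPLE_DNS."""
    if hostname not in SAMPLE_DNS:
        raise socket.gaierror(socket.EAI_NONAME, "name not known")
    return SAMPLE_DNS[hostname]


def system_resolver(hostname):
    """Addresses the OS resolver (resolv.conf, hosts file) returns for hostname."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_registry_dns(hostname, resolver=system_resolver):
    """Return (verdict, private, public); verdict is 'private', 'public',
    'mixed' or 'unresolved'."""
    try:
        addresses = resolver(hostname)
    except socket.gaierror:
        return "unresolved", [], []
    private, public = [], []
    for text in addresses:
        ip = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 zone id
        is_private = any(ip.version == net.version and ip in net for net in PRIVATE_NETS)
        (private if is_private else public).append(str(ip))
    if private and public:
        return "mixed", private, public
    if private:
        return "private", private, public
    return ("public" if public else "unresolved"), private, public


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        print(name, check_registry_dns(name, sample_resolver))
```

Call `check_registry_dns("<registry>.azurecr.io")` without a resolver argument on the agent or VPN client to use the machine's own DNS settings. A `private` verdict only rules out the DNS cause described above; several later comments report the failure even with private resolution.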
Hi. I have the exact same issue. Not sure if it's a CLI issue or user error, so I posted it on the Microsoft Q&A forum. https://docs.microsoft.com/en-us/answers/questions/632408/trying-to-access-an-azure-container-registry-with.html |
Good to know it's not just me then. I gave up. I had a back and forth with MS
support but just could not solve it. If anyone has any new ideas I would
be happy to try :-)
…On May 16, 2022, fieldp ***@***.***> wrote:
I am facing the same issue.
The ACR DNS resolves to private IP address in the vnet -
however, az acr login throws this error -
|
I have this same issue. I've created an Azure Resource Manager Service Connection, and while using the Azure CLI command az acr build --image reponame:imagename --registry acrname --file Dockerfile . with a self-hosted agent, I'm getting the same error. |
I found that using docker login / docker build correctly uses the private endpoint. I created a token on the ACR with a PW. Using this to login as example This to build as example |
I'm running private hosted devops agents. Login works but building the image using
az acr login --name myreg.azurecr.io
az acr build --registry myreg.azurecr.io --image xxx:yyy .
The only way to get this working is building the image using
az login --identity
az acr login --name myreg.azurecr.io
docker build -t foo:v1.0 .
docker tag foo:v1.0 myreg.azurecr.io/foo:v1.0
docker push myreg.azurecr.io/foo:v1.0
I believe this is a bug in |
Just want to add that I am also experiencing the same issue. Doing a nslookup or dig on the acr endpoint resolves to the private IP address but az acr build routes via the public endpoint. And because I am running the agent in an azure container instance I have had problems getting docker to run inside the container. So the workaround noted above is not as easy for me to deploy. |
I had found with a Microsoft Case that you need to whitelist those 2,3 public IPs on ACR (with private endpoints) which will appear with that error. Those IPs are somehow useful for build. |
@thedheerendra Unfortunately, when you turn off public access entirely you no longer are able to whitelist any public IPs. The |
I have the same issue. Are there any updates? |
We have the same issue. |
Any updates on this ? |
Changing the assignment to @northtyphoon and @terencet-dev for next steps. |
have same issue while running az cli on build agent and acr over private link Work around |
In my case it is |
This problem seems to still be present. This workaround did the trick for us. |
Did this ever get resolved? I am seeing the same exact problem as the original post. nslookup resolves the correct vnet address of the ACR, |
I have the same problem. The xxx.azurecr.io correctly resolves to xxx.privatelink.azurecr.io and goes through the internal endpoint to the ACR. However, upon running |
Describe the bug
Command Name
az acr login
Errors:
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
az acr login -n myregistryname --subscription mysubscription
Expected Behavior
Login to the ACR's private endpoint via the connected VPN
Environment Summary
Additional Context
I am logged into a VPN (Azure Virtual Network Gateway), I have made the necessary adjustments to the /etc/resolv.conf so that the ACR resolves to the Private Link IP:
The ACR is configured not to allow public access, but has a private endpoint configured which is known to work
I can curl the URL of the ACR and get a 200 response (as it goes via the private address), it seems that the issue is with azure-cli itself.
ip route 10.x.x.x also shows that the route goes via the VPN interface