I'm looking to deploy an ACR (Azure Container Registry) repository that contains Docker for Python code. I want this ACR to run in a virtual network so I can securely access blob storage through my Python code. I've created a virtual network and modified the private access of my container registry to use the VNet as an endpoint (see here), and configured the storage account to accept traffic from this virtual network (storage account).
ContainerGroup Containers:
[
  {
    "name": "py-container-@{variables('Time')}",
    "properties": {
      "image": "filogixcontainerregistry.azurecr.io/my-python-app:latest",
      "resources": {
        "requests": { "memoryInGB": 1.5, "cpu": 1 },
        "limits": { "memoryInGB": 1.5, "cpu": 1 }
      },
      "environmentVariables": [
        { "name": "AZURE_STORAGE_CONNECTION_STRING", "value": @{parameters('connection_string')} },
        { "name": "BLOB_PATH", "value": @{variables('Path_name')} }
      ]
    }
  }
]
Here's what the request returns:
"content":
2024-07-03 15:53:47,274 - INFO - Starting the main function.
2024-07-03 15:53:47,274 - INFO - Blob path: pdf/Filogix Display 1/Martin Application(1).pdf
2024-07-03 15:53:47,274 - INFO - Parsed container name: pdf and blob name: x.pdf
2024-07-03 15:53:47,275 - INFO - Connection string: DefaultEndpointsProtocol=https;AccountName=x;AccountKey=;EndpointSuffix=core.windows.net
2024-07-03 15:53:47,282 - INFO - BlobServiceClient created successfully.
2024-07-03 15:53:47,282 - INFO - Blob client for Filogix Display 1/Martin Application(1).pdf in container pdf created successfully.
2024-07-03 15:53:47,286 - INFO - Request URL: 'https://x.blob.core.windows.net/pdf/Filogix%20Display%201/Martin%20Application%281%29.pdf'
Request method: 'GET'
Request headers:
 'x-ms-range': 'REDACTED'
 'x-ms-version': 'REDACTED'
 'Accept': 'application/xml'
 'User-Agent': 'azsdk-python-storage-blob/12.18.3 Python/3.11.4 (Linux-5.10.102.2-microsoft-standard-x86_64-with-glibc2.28)'
 'x-ms-date': 'REDACTED'
 'x-ms-client-request-id': '6eed53ae-3954-11ef-a5d0-00155d5660df'
 'Authorization': 'REDACTED'
No body was attached to the request
2024-07-03 15:53:47,337 - INFO - Response status: 403
Response headers:
 'Content-Length': '246'
 'Content-Type': 'application/xml'
 'Server': 'Microsoft-HTTPAPI/2.0'
 'x-ms-request-id': '3848c760-f01e-0010-2a61-cd0fd9000000'
 'x-ms-client-request-id': '6eed53ae-3954-11ef-a5d0-00155d5660df'
 'x-ms-error-code': 'AuthorizationFailure'
 'Date': 'Wed, 03 Jul 2024 15:53:46 GMT'
2024-07-03 15:53:47,339 - ERROR - An error occurred: This request is not authorized to perform this operation.
RequestId:3848c760-f01e-0010-2a61-cd0fd9000000
Time:2024-07-03T15:53:47.3409399Z
ErrorCode:AuthorizationFailure
Content:
AuthorizationFailure
This request is not authorized to perform this operation.
RequestId:3848c760-f01e-0010-2a61-cd0fd9000000
Time:2024-07-03T15:53:47.3409399Z
When I try running the logic app after opening my storage app to all networks, I get no error. This shows me the virtual network isn't working; I'm guessing that I'm configuring the ACR wrong and it's not actually using the virtual network.
It seems that the ACR is not using the virtual network, which is causing the issue with blob storage access. You should check the ACR configuration and ensure that it is correctly using the virtual network. In order to correctly configure your ACR to use the virtual network, you can first
create a vnet
az network vnet create \
--resource-group arkorg \
--name myVNet \
--address-prefix 10.0.0.0/16 \
--subnet-name mySubnet \
--subnet-prefix 10.0.1.0/24
then create an ACR with a private endpoint within this VNet
az acr create --resource-group arkorg --name arkoacr3 --sku Premium
az network private-endpoint create \
--resource-group arkorg \
--vnet-name myVNet \
--subnet mySubnet \
--name acrPrivateEndpoint \
--private-connection-resource-id $(az acr show --name arkoacr3 --resource-group arkorg --query "id" --output tsv) \
--group-id registry \
--connection-name acrConnection
az network private-dns zone create --resource-group arkorg --name privatelink.azurecr.io
az network private-dns link vnet create --resource-group arkorg --zone-name privatelink.azurecr.io --name acrDNSLink --virtual-network myVNet --registration-enabled false
az network private-endpoint dns-zone-group create --resource-group arkorg --endpoint-name acrPrivateEndpoint --name acrZoneGroup --private-dns-zone privatelink.azurecr.io --zone-name registry
Create a storage account and configure it with a private endpoint
az storage account create --name mystorageaccount123 --resource-group arkorg --location eastus --sku Standard_LRS
az network private-endpoint create \
--resource-group arkorg \
--vnet-name myVNet \
--subnet mySubnet \
--name storagePrivateEndpoint \
--private-connection-resource-id $(az storage account show --name mystorageaccount123 --resource-group arkorg --query "id" --output tsv) \
--group-id blob \
--connection-name storageConnection
az network private-dns zone create --resource-group arkorg --name privatelink.blob.core.windows.net
az network private-dns link vnet create --resource-group arkorg --zone-name privatelink.blob.core.windows.net --name storageDNSLink --virtual-network myVNet --registration-enabled false
az network private-endpoint dns-zone-group create --resource-group arkorg --endpoint-name storagePrivateEndpoint --name storageZoneGroup --private-dns-zone privatelink.blob.core.windows.net --zone-name blob
Done. Now you should be able to deploy an ACR repository containing Python Docker code, ensuring that it runs within a VNet.
Deploying an image from Azure Container Registry with Azure Logic Apps
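As an added diagnostic (not code from the question or the answer), the following Python checks from inside the workload whether the blob endpoint actually resolves into the VNet through the privatelink DNS zone; if it resolves to a public address, the request leaves via the internet and a storage firewall restricted to the VNet answers exactly the 403 AuthorizationFailure shown in the log. It assumes the 10.0.0.0/16 prefix from the answer's `az network vnet create`, and it also masks the AccountKey before logging, since the question's log printed the raw connection string.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumption: the VNet prefix used in the answer's `az network vnet create`.
VNET_PREFIX = ipaddress.ip_network("10.0.0.0/16")

def blob_host_from_connection_string(conn_str):
    """Derive the blob endpoint hostname the storage SDK will contact."""
    parts = dict(p.split("=", 1) for p in conn_str.split(";") if "=" in p)
    if "BlobEndpoint" in parts:  # an explicit endpoint takes precedence
        return urlparse(parts["BlobEndpoint"]).hostname
    suffix = parts.get("EndpointSuffix", "core.windows.net")
    return f"{parts['AccountName']}.blob.{suffix}"

def redact_connection_string(conn_str):
    """Mask secret-bearing fields so the connection string can be logged safely."""
    out = []
    for part in conn_str.split(";"):
        key = part.partition("=")[0]
        out.append(f"{key}=***" if key in ("AccountKey", "SharedAccessSignature") else part)
    return ";".join(out)

def check_private_path(host, vnet_prefix=VNET_PREFIX, resolver=socket.gethostbyname):
    """Return (ok, reason). ok is True only when `host` resolves to an address
    inside the VNet, i.e. the privatelink DNS zone is in effect from here.
    A public address means the traffic is not on the VNet, so a storage
    firewall that only allows the VNet returns 403 AuthorizationFailure."""
    try:
        addr = ipaddress.ip_address(resolver(host))
    except (OSError, ValueError) as exc:  # socket.gaierror is an OSError
        return False, f"cannot resolve {host}: {exc}"
    if addr in vnet_prefix:
        return True, f"{host} -> {addr} (inside {vnet_prefix}, private endpoint in use)"
    return False, f"{host} -> {addr} is public; this workload is not on the VNet"

if __name__ == "__main__":
    # Constructed sample with a placeholder account name and key, not real credentials.
    sample = ("DefaultEndpointsProtocol=https;AccountName=x;"
              "AccountKey=PLACEHOLDER;EndpointSuffix=core.windows.net")
    print("logging as:", redact_connection_string(sample))
    ok, reason = check_private_path(blob_host_from_connection_string(sample))
    print("OK" if ok else "FAIL", reason)
```

Run it from the container group itself (for example as a startup check); running it from a developer machine outside the VNet will report a public address and tells you nothing about the container's path.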