Deploy a container registry containing a python docker code into azure logic apps using a virtual network
I'm looking to deploy an ACR (Azure Container Registry) repository that containers docker for python code. I want this ACR to run in a virtual network so I can securely access blob storage through my python code. I've created a virtual network and modified th private access of my container registry to use the VN as an endpoint: see here and configured the storage account to accept from this virtual network: storage account
ContainerGroup Containers:
[ { "name": "py-container-@{variables('Time')}", "properties": { "image": "filogixcontainerregistry.azurecr.io/my-python-app:latest", "resources": { "requests": { "memoryInGB": 1.5, "cpu": 1 }, "limits": { "memoryInGB": 1.5, "cpu": 1 } }, "environmentVariables": [ { "name": "AZURE_STORAGE_CONNECTION_STRING", "value": @{parameters('connection_string')} }, { "name": "BLOB_PATH", "value": @{variables('Path_name')} } ] } } ]
Here's what the request returns:
"content": "2024-07-03 15:53:47,274 - INFO - Starting the main function.\n2024-07-03 15:53:47,274 - INFO - Blob path: pdf/Filogix Display 1/Martin Application(1).pdf\n2024-07-03 15:53:47,274 - INFO - Parsed container name: pdf and blob name: x.pdf\n2024-07-03 15:53:47,275 - INFO - Connection string: DefaultEndpointsProtocol=https;AccountName=x;AccountKey=;EndpointSuffix=core.windows.net\n2024-07-03 15:53:47,282 - INFO - BlobServiceClient created successfully.\n2024-07-03 15:53:47,282 - INFO - Blob client for Filogix Display 1/Martin Application(1).pdf in container pdf created successfully.\n2024-07-03 15:53:47,286 - INFO - Request URL: 'https://x.blob.core.windows.net/pdf/Filogix%20Display%201/Martin%20Application%281%29.pdf'\nRequest method: 'GET'\nRequest headers:\n 'x-ms-range': 'REDACTED'\n 'x-ms-version': 'REDACTED'\n 'Accept': 'application/xml'\n 'User-Agent': 'azsdk-python-storage-blob/12.18.3 Python/3.11.4 (Linux-5.10.102.2-microsoft-standard-x86_64-with-glibc2.28)'\n 'x-ms-date': 'REDACTED'\n 'x-ms-client-request-id': '6eed53ae-3954-11ef-a5d0-00155d5660df'\n 'Authorization': 'REDACTED'\nNo body was attached to the request\n2024-07-03 15:53:47,337 - INFO - Response status: 403\nResponse headers:\n 'Content-Length': '246'\n 'Content-Type': 'application/xml'\n 'Server': 'Microsoft-HTTPAPI/2.0'\n 'x-ms-request-id': '3848c760-f01e-0010-2a61-cd0fd9000000'\n 'x-ms-client-request-id': '6eed53ae-3954-11ef-a5d0-00155d5660df'\n 'x-ms-error-code': 'AuthorizationFailure'\n 'Date': 'Wed, 03 Jul 2024 15:53:46 GMT'\n2024-07-03 15:53:47,339 - ERROR - An error occurred: This request is not authorized to perform this operation.\nRequestId:3848c760-f01e-0010-2a61-cd0fd9000000\nTime:2024-07-03T15:53:47.3409399Z\nErrorCode:AuthorizationFailure\nContent:
AuthorizationFailureThis request is not authorized to perform this operation.\nRequestId:3848c760-f01e-0010-2a61-cd0fd9000000\nTime:2024-07-03T15:53:47.3409399Z\n
When I try running the logic app after opening my storage app to all networks, I get no error. This shows me the virtual netowork isn't working, I'm guessing that I'm configuring the ACR wrong and it's not actually using the virtual network.
It seems that the ACR is not using the virtual network, which is causing the issue with blob storage access. You should check the ACR configuration and ensure that it is correctly using the virtual network. In order to correctly configure your ACR to use the virtual network you can first
create a vnet
az network vnet create \
--resource-group arkorg \
--name myVNet \
--address-prefix 10.0.0.0/16 \
--subnet-name mySubnet \
--subnet-prefix 10.0.1.0/24
then create an ACR with a private endpoint within this VNet
az acr create --resource-group arkorg --name arkoacr3 --sku Premium
az network private-endpoint create \ --resource-group arkorg \ --vnet-name myVNet \ --subnet mySubnet \ --name acrPrivateEndpoint \ --private-connection-resource-id $(az acr show --name arkoacr3 --resource-group arkorg --query "id" --output tsv) \ --group-id registry \ --connection-name acrConnection
az network private-dns zone create --resource-group arkorg --name privatelink.azurecr.io
az network private-dns link vnet create --resource-group arkorg --zone-name privatelink.azurecr.io --name acrDNSLink --virtual-network myVNet --registration-enabled false
az network private-endpoint dns-zone-group create --resource-group arkorg --endpoint-name acrPrivateEndpoint --name acrZoneGroup --private-dns-zone privatelink.azurecr.io --zone-name registry
Create a storage account and configure it with a private endpoint
az storage account create --name mystorageaccount123 --resource-group arkorg --location eastus --sku Standard_LRS
az network private-endpoint create \
--resource-group arkorg \
--vnet-name myVNet \
--subnet mySubnet \
--name storagePrivateEndpoint \
--private-connection-resource-id $(az storage account show --name mystorageaccount123 --resource-group arkorg --query "id" --output tsv) \
--group-id blob \
--connection-name storageConnection
az network private-dns zone create --resource-group arkorg --name privatelink.blob.core.windows.net
az network private-dns link vnet create --resource-group arkorg --zone-name privatelink.blob.core.windows.net --name storageDNSLink --virtual-network myVNet --registration-enabled false
az network private-endpoint dns-zone-group create --resource-group arkorg --endpoint-name storagePrivateEndpoint --name storageZoneGroup --private-dns-zone privatelink.blob.core.windows.net --zone-name blob
Done, now you should be able to deploy an ACR repository containing Python Docker code, ensuring that it runs within a VNet
Deploying an image from Azure Container Registry with Azure Logic Apps
- Is there a way to upload a file with metadata in a single request with SDK v12?
- Handle DNS timeout with call to blob_client.upload_blob
- Unable to generate a valid Azure Storage SAS token in Cpp
- Azure blob, controlling filename on download
- How do I store a picture in azure blob storage in asp.net mvc application?
- Ansible - Download an Azure Blob file
- Unzip file in Azure Blob storage from Databricks
- Get the list of blobs that match the metadata key and value from Azure Storage blob using C#
- Passing Variable Between Stages in Azure DevOps Pipeline
- Using AzureBlobFileSystem to Access Azure Blob Storage Fails with Import Error
- Azure Blob Storage (REST API): Cannot list blobs in container with curl using SAS token
- How can I use Azurite in a command line application?
- Azure blob-to-SQL automatic copy
- POST Method: Getting blank PDF using Download to Buffer from Blob Storage
- How to change Wiki JS favicon deployed in Azure Web App?
- Hitting a stubborn ClientAuthenticationError while attempting to use the ContainerClient class
- Azurite Shared key generation for PUT operation fails with 403
- Terraform: Error: retrieving static website properties for Storage Account (Subscription: *** : context deadline exceeded
- How to upload file to folder using BlockBlobClient
- Azure Redis import: "Not Found. There was no storage account called '<redacted>' in the Azure region 'Brazil South'"
- Uploading to Azure Blob Storage from AppService (Spring Boot) leads to Netty Out of Memory?
- Azure Blob Storage (REST API): Cannot download blob in container with curl using SAS token
- .NET & Azure Blob Storage - Force cache invalidation for same name image
- How to convert invalid blob type to a valid blob type?
- azcopy is failing to copy the blob whose size is less than 1000kb
- I'm using SSIS in ADF to move .csv from a blob container to another and then ingest into a Azure SQL database. I get an assembly error
- Use mounted Azure Blob Storage Container in Azure App Service
- Authentication failure when access storage blob from Azure Service
- How to check if a folder exist or not in Azure container using Python?
- List containers/folders/subfolders in Azure DataLake in Python