I've set up vnet A and vnet B. They're linked together with vnet peering. vnet A has two subnets: "vm-agents" and "private-endpoints". They don't have any NSGs. vnet B also has two subnets: "aks" and "private-endpoints".
In subnet "vm-agents" of vnet A, I've created a pipeline agent. In subnet "private-endpoints" of vnet B, I've created an ACR that's linked to a private endpoint. I've also set up a private DNS zone that's linked to vnet A and B.
I already SSH'ed into my pipeline agent and checked if DNS resolving works properly using nslookup. It returns indeed the private endpoint IP address.
But the command "docker login -u <token-name> -p <token-password> <my-own-acr>.azurecr.io" returns the error "Error response from daemon: login attempt to https://<my-own-acr>.azurecr.io/v2/ failed with status: 403 Forbidden".
Temporarily enabling public access for the ACR and testing the exact same command on my own PC results in a successful login. I'm using a token created in the ACR.
What could be going wrong here?
The error "response from daemon: login attempt failed with status: 403 Forbidden" that you're facing is due to the reasons below. Follow the MS Doc for more details.
If you are using a virtual network or private endpoint for the ACR, you can check the points mentioned in the MS Doc.
ACR Private Endpoint DNS Configuration
Private DNS zone record sets
When I tried to check the communication from VM-agents to ACR using the same configuration as yours, the connection was successful, as shown below.
Make sure to check that the VNet peering is approved and the Private DNS Zone is configured correctly.
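
The private DNS zone check recommended above can be scripted on the agent; this is an added example, not part of the original answer. It assumes a Linux agent with `getent` and VNets that use RFC 1918 address space, and it tests the registry's data endpoint (`<registry>.<region>.data.azurecr.io`) as well as the login endpoint, since an ACR private endpoint has a DNS record set for each.

```shell
#!/bin/sh
# Added example (constructed): run on the agent VM to confirm that both ACR
# FQDNs resolve to private addresses. Assumes a Linux host with getent.

# Print the first IPv4 address for host $1 (nothing if it does not resolve).
resolve_host() {
  getent ahostsv4 "$1" 2>/dev/null | awk '{print $1; exit}'
}

# Return 0 if $1 is a dotted-quad IPv4 address in an RFC 1918 range.
is_private_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  acr_ifs=$IFS; IFS=.; set -- $1; IFS=$acr_ifs
  [ "$#" -eq 4 ] || return 1
  for acr_o in "$@"; do [ "$acr_o" -le 255 ] || return 1; done
  if [ "$1" -eq 10 ]; then return 0; fi
  if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
  if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
  return 1
}

# Check the login and data endpoints of registry $1 in region $2.
# Prints one line per FQDN and returns 1 if either is not private.
check_acr_dns() {
  acr_rc=0
  for acr_fqdn in "$1.azurecr.io" "$1.$2.data.azurecr.io"; do
    acr_ip=$(resolve_host "$acr_fqdn")
    if [ -z "$acr_ip" ]; then
      echo "FAIL $acr_fqdn does not resolve"; acr_rc=1
    elif is_private_ipv4 "$acr_ip"; then
      echo "OK   $acr_fqdn -> $acr_ip"
    else
      echo "FAIL $acr_fqdn -> $acr_ip (not a private address)"; acr_rc=1
    fi
  done
  return "$acr_rc"
}

# Usage: sh check_acr_dns.sh <registry-name> <region>
if [ "$#" -eq 2 ]; then check_acr_dns "$1" "$2"; fi
```

A FAIL line for either name means the agent is not getting that record from the private DNS zone linked to its VNet.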