azuredockernetwork-programmingazure-virtual-networkazure-container-registry

Azure Container Registry not accessible via private endpoint [403 Forbidden]


I've set up vnet A and vnet B. They're linked together with vnet peering. vnet A has two subnets = "vm-agents" and "private-endpoints". They don't have any nsg's. vnet B also has two subnets = "aks" and "private-endpoints".

In subnet "vm-agents" of vnet A, I've created a pipeline agent. In subnet "private-endpoints" of vnet B, I've created an ACR that's linked to a private endpoint. I've also set up private DNS zone that's linked to vnet A and B.

I already SSH'ed into my pipeline agent and checked if DNS resolving works properly using nslookup. It returns indeed the private endpoint IP address.

But the command docker login -u <token-name> -p <token-password> <my-own-acr>.azurecr.io returns the error Error response from daemon: login attempt to https://<my-own-acr>.azurecr.io/v2/ failed with status: 403 Forbidden.

When temporarily enabling public access for the ACR and testing the exact same command on my own PC results in a successful login. I'm using a token created in the ACR.

What could be going wrong here?


Solution

  • response from daemon: login attempt failed with status: 403 Forbidden. Error your facing due to below reasons. Follow the MS Doc for more details

    enter image description here

    If you are using a virtual network or private endpoint for the ACR, you can check the points mentioned in the MS DOC.

    enter image description here

    ACR Private Endpoint DNS Configuration

    enter image description here

    Private DNS zone record sets

    enter image description here

    When I tried to check the communication from VM-agents to ACR using the same configuration as yours, the connection was successful, as shown below

    Make sure to check that the VNet peering is approved and the Private DNS Zone is configured correctly

    enter image description here