I have an Azure Function in a .NET 8 isolated function app that I want to deploy on an Azure container plan. I have created the Azure resources in the Azure portal.
The current CI/CD pipeline is resulting in "unable to connect private registry for IP address".
Now I need to create an Azure DevOps CI/CD file to deploy the Azure Function Docker file to Azure Container Registry and an Azure Container App.
```yaml
trigger:
  branches:
    include:
    - main

pool:
  vmImage: 'ubuntu-latest'

variables:
  buildConfiguration: 'Release'
  acrName: 'mycontainerregistry-ehbcbtcwhpeyf9c2'
  containerAppName: 'myfunc-function-container-app'
  resourceGroup: 'MyProdSub'
  imageName: 'func-images:$(Build.BuildId)'
  azureSubscription: 'MySubscription US (GUID)'
  functionAppPath: '$(Build.SourcesDirectory)/FunctionApps/FuncImages'

stages:
- stage: BuildAndPush
  displayName: 'Build and Push Image using ACR Tasks'
  jobs:
  - job: ACRBuild
    steps:
    - task: AzureCLI@2
      displayName: 'Build and Push Docker Image inside ACR'
      inputs:
        azureSubscription: '$(azureSubscription)'
        scriptType: bash
        scriptLocation: inlineScript
        inlineScript: |
          echo "Building Docker image using ACR Tasks..."
          az acr build \
            --registry $(acrName) \
            --image func-images:$(Build.BuildId) \
            --image func-images:latest \
            --file $(functionAppPath)/Dockerfile \
            $(functionAppPath)

- stage: Deploy
  displayName: 'Deploy to Azure Container App'
  dependsOn: BuildAndPush
  jobs:
  - job: DeployApp
    steps:
    - task: AzureCLI@2
      displayName: 'Deploy to Container App'
      inputs:
        azureSubscription: '$(azureSubscription)'
        scriptType: bash
        scriptLocation: inlineScript
        inlineScript: |
          echo "Deploying updated image to Container App..."
          az containerapp update \
            --name $(containerAppName) \
            --resource-group $(resourceGroup) \
            --image $(acrName).azurecr.io/func-images:$(Build.BuildId)
```
How to approach this problem?
The issue you are facing is due to network connectivity, and the error message "Unable to connect to the private registry for IP address" suggests your container app can't access your ACR due to network restrictions.
When you have enabled private access on your ACR and placed your container app in a virtual network, Azure no longer allows public access between the services. This means the container app must either use a managed identity that has pull access to ACR or be directly integrated with the ACR using `--registry-server` and credentials.
Azure Container Apps do not support full VNet injection, so private ACR access requires the right setup (ACR + container app environment + managed identity + private DNS zones if necessary).
Check the steps below to find the root cause:
- ACR and container app are in the same or peered VNets
- Container app has a system-assigned managed identity enabled
- The AcrPull role is granted to the managed identity
- Private DNS zone `privatelink.azurecr.io` exists and is linked to your VNet
- Make sure the image reference in your pipeline is using the full registry FQDN, like `myacr.azurecr.io/func-images:<tag>`.
Doc:
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-virtual-network
https://learn.microsoft.com/en-us/azure/container-apps/networking
Once the network connectivity is set up properly, your app should be able to pull the images without issues. Let me know if you need further help.
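The identity items in the checklist above, written as a replacement `Deploy` stage. This is an added example, not part of the original question or answer. It reuses the question's variable names and assumes a system-assigned identity and a service connection that is allowed to create role assignments on the registry.

```yaml
# Added example: goes under `stages:` in place of the question's Deploy stage.
- stage: Deploy
  displayName: 'Deploy to Azure Container App'
  dependsOn: BuildAndPush
  jobs:
  - job: DeployApp
    steps:
    - task: AzureCLI@2
      displayName: 'Configure identity-based ACR pull and deploy'
      inputs:
        azureSubscription: '$(azureSubscription)'
        scriptType: bash
        scriptLocation: inlineScript
        inlineScript: |
          set -euo pipefail

          # Resolve the registry's resource ID and login server (the FQDN).
          ACR_ID=$(az acr show --name $(acrName) --query id -o tsv)
          ACR_SERVER=$(az acr show --name $(acrName) --query loginServer -o tsv)

          # Enable the system-assigned identity, then read its principal ID.
          az containerapp identity assign \
            --name $(containerAppName) \
            --resource-group $(resourceGroup) \
            --system-assigned
          PRINCIPAL_ID=$(az containerapp identity show \
            --name $(containerAppName) \
            --resource-group $(resourceGroup) \
            --query principalId -o tsv)

          # Grant pull-only access, scoped to this one registry.
          az role assignment create \
            --assignee-object-id "$PRINCIPAL_ID" \
            --assignee-principal-type ServicePrincipal \
            --role AcrPull \
            --scope "$ACR_ID"

          # Have the container app authenticate to the registry with that identity.
          az containerapp registry set \
            --name $(containerAppName) \
            --resource-group $(resourceGroup) \
            --server "$ACR_SERVER" \
            --identity system

          # Deploy the per-build tag through the full registry FQDN.
          az containerapp update \
            --name $(containerAppName) \
            --resource-group $(resourceGroup) \
            --image "$ACR_SERVER/func-images:$(Build.BuildId)"
```

The network items (peered VNets, the `privatelink.azurecr.io` zone link) are not covered by this stage and still have to be checked separately. Scoping AcrPull to the registry's resource ID keeps the identity from pulling from any other registry in the subscription.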