
Azure DevOps CI/CD Pipeline for private Azure Container Registry and Azure Container App


I have an Azure Function in a .NET 8 isolated function app that I want to deploy on an Azure container plan. I have created the Azure resources in the Azure portal.

The current CI/CD pipeline fails because it is unable to connect to the private registry for the IP address.

Now I need to create an Azure DevOps CI/CD file to deploy the Azure Function Dockerfile to Azure Container Registry and an Azure Container App.

trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

variables:
  buildConfiguration: 'Release'
  acrName: 'mycontainerregistry-ehbcbtcwhpeyf9c2'
  containerAppName: 'myfunc-function-container-app'
  resourceGroup: 'MyProdSub'
  imageName: 'func-images:$(Build.BuildId)'
  azureSubscription: 'MySubscription US (GUID)'
  functionAppPath: '$(Build.SourcesDirectory)/FunctionApps/FuncImages'

stages:
- stage: BuildAndPush
  displayName: 'Build and Push Image using ACR Tasks'
  jobs:
  - job: ACRBuild
    steps:
    - task: AzureCLI@2
      displayName: 'Build and Push Docker Image inside ACR'
      inputs:
        azureSubscription: '$(azureSubscription)'
        scriptType: bash
        scriptLocation: inlineScript
        inlineScript: |
          echo "Building Docker image using ACR Tasks..."

          az acr build \
            --registry $(acrName) \
            --image func-images:$(Build.BuildId) \
            --image func-images:latest \
            --file $(functionAppPath)/Dockerfile \
            $(functionAppPath)

- stage: Deploy
  displayName: 'Deploy to Azure Container App'
  dependsOn: BuildAndPush
  jobs:
  - job: DeployApp
    steps:
    - task: AzureCLI@2
      displayName: 'Deploy to Container App'
      inputs:
        azureSubscription: '$(azureSubscription)'
        scriptType: bash
        scriptLocation: inlineScript
        inlineScript: |
          echo "Deploying updated image to Container App..."

          az containerapp update \
            --name $(containerAppName) \
            --resource-group $(resourceGroup) \
            --image $(acrName).azurecr.io/func-images:$(Build.BuildId)

How to approach this problem?


Solution

  • The issue you are facing is due to network connectivity, and the error message "Unable to connect to the private registry for IP address" suggests your container app can't access your ACR due to network restrictions.

    When you have enabled private access on your ACR and placed your container app in a virtual network, Azure no longer allows public access between the services. This means the container app must either use a managed identity that has pull access to the ACR or be directly integrated with the ACR using --registry-server and credentials.

    Azure Container Apps do not support full VNet injection, so private ACR access requires the right setup (ACR + container app environment + managed identity + private DNS zones if necessary).

    Check the steps below to find the root cause:
    - ACR and container app are in the same or peered VNets
    - Container app has a system-assigned managed identity enabled
    - AcrPull role is granted to the managed identity
    - Private DNS zone privatelink.azurecr.io exists and is linked to your VNet
    - Make sure the image reference in your pipeline uses the full registry FQDN, like myacr.azurecr.io/func-images:<tag>.

    Docs:
    https://learn.microsoft.com/en-us/azure/container-registry/container-registry-virtual-network
    https://learn.microsoft.com/en-us/azure/container-apps/networking

    Once the network connectivity is set up properly, your app should be able to pull the images without issues. Let me know if you need further help.
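
The checklist in the answer above (identity, AcrPull, private DNS zone link, image FQDN) can be run as a pre-deploy gate from an AzureCLI@2 step. This is an added example, not part of the original answer; the function names are hypothetical and all resource names are passed in as arguments. The VNet peering item is not covered.

```shell
# Added example; resource names passed in are placeholders, not the question's values.
# POSIX sh functions wrapping Azure CLI queries for the identity, role, DNS and image checks.

# Image reference must be <login server>/<repo>:<tag>.
image_ref_ok() {            # $1 image reference, $2 registry login server
  case "$1" in
    "$2"/*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the system-assigned identity's principal ID (empty if none).
app_principal_id() {        # $1 container app name, $2 resource group
  az containerapp show --name "$1" --resource-group "$2" \
    --query identity.principalId --output tsv
}

# AcrPull assigned to that principal on the registry or a parent scope.
has_acrpull() {             # $1 principal ID, $2 ACR resource ID
  n=$(az role assignment list --assignee "$1" --scope "$2" --role AcrPull \
        --include-inherited --query "length(@)" --output tsv)
  [ "${n:-0}" -gt 0 ]
}

# privatelink.azurecr.io exists and has at least one VNet link.
zone_linked() {             # $1 resource group holding the private DNS zone
  n=$(az network private-dns link vnet list --resource-group "$1" \
        --zone-name privatelink.azurecr.io --query "length(@)" --output tsv)
  [ "${n:-0}" -gt 0 ]
}

# Run all checks, print one line per failure, return non-zero if any failed.
preflight() {               # $1 app, $2 app RG, $3 ACR name, $4 image, $5 DNS RG
  fails=0
  server=$(az acr show --name "$3" --query loginServer --output tsv)
  acr_id=$(az acr show --name "$3" --query id --output tsv)
  pid=$(app_principal_id "$1" "$2")
  case "$pid" in
    ""|None) echo "FAIL: no system-assigned identity on $1"; fails=$((fails+1)) ;;
    *) has_acrpull "$pid" "$acr_id" ||
         { echo "FAIL: AcrPull not granted on $3"; fails=$((fails+1)); } ;;
  esac
  zone_linked "$5" ||
    { echo "FAIL: privatelink.azurecr.io has no VNet link"; fails=$((fails+1)); }
  image_ref_ok "$4" "$server" ||
    { echo "FAIL: image must be $server/<repo>:<tag>"; fails=$((fails+1)); }
  [ "$fails" -eq 0 ]
}
```

Calling `preflight` before `az containerapp update` in the Deploy stage makes the pipeline fail with the specific missing prerequisite instead of the generic registry connection error.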