Question 231274 in Azure Question posted in
The official documentation to get you started can be found here.

Azure App Service – on-premies Docker Registry

I have a simple problem. I need to configure my App Service to be able to connect to on-premies Artifactory.

In App Service, I set up Deployment Center as a screenshot (URL and the image name are changed)

Deployment Center settings

Additionally, I enabled VNet Integration to VNet which has access to on-premies env.
For example, VMs in the same subnet can pull a docker image from Artifactory but App Service can’t.
Below log with the error.

023-08-07T07:35:20.683Z INFO - Attempting to pull image *URL_ARTIFACTORY_ONPREMIES/IMAGE_NAME*:latest from VNET. 2023-08-07T07:35:52.219Z ERROR - Image pull for *URL_ARTIFACTORY_ONPREMIES/IMAGE_NAME*:latest failed. UnexpectedFaliure 2023-08-07T07:35:52.221Z ERROR - Pulling docker image *URL_ARTIFACTORY_ONPREMIES/IMAGE_NAME*:latest over VNET failed. 2023-08-07T07:35:52.222Z WARN - Image pull failed. Defaulting to local copy if present. 2023-08-07T07:35:52.906Z ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)

I set up WEBSITE_PULL_IMAGE_OVER_VNET to True.

My question is: by default App Service try to connect by public ip addresses? (Outbound Traffic)

Networking tab

Please any hints or advice. Thanks.

Tags:

2

Answers


  1. 0

    by default App Service try to connect by public ip addresses? (Outbound Traffic)

    Azure App Service instance initiates outbound requests, it uses public IP addresses assigned to the Azure region’s outbound network infrastructure.

    • This issue is because of involving a combination of networking, connectivity, and authentication factors.

    2023-08-07T07:35:52.906Z ERROR – Image pull failed: Verify docker image configuration and credentials (if using private repository)

    Use the below format template upon selecting private registry:

    # Use a base image that supports your application (e.g., node, python, etc.)
FROM node:18

# Set the working directory
WORKDIR /app

# Install any dependencies your application needs
# For example, if you're using Node.js, you might copy package.json and run npm install
COPY package*.json ./
RUN npm install

# Set environment variables if needed
# ENV EXAMPLE_VARIABLE=value

# Specify the private repository's URL, image name, and tag
ARG REPOSITORY_URL=<REPOSITORY_URL>
ARG IMAGE_NAME=<IMAGE_NAME>
ARG IMAGE_TAG=<IMAGE_TAG>

# Authenticate to your private repository (if required)
# For example, if using a private Artifactory repository, you might use an authentication token
# RUN echo "<AUTH_TOKEN>" | docker login -u <USERNAME> --password-stdin <REPOSITORY_URL>

# Pull the image from the private repository
RUN docker pull ${REPOSITORY_URL}/${IMAGE_NAME}:${IMAGE_TAG}

# Copy your application's source code
COPY . .

# Start your application
CMD [ "npm", "start" ]

    • You enabled VNet Integration and set the WEBSITE_PULL_IMAGE_OVER_VNET app setting to True so by default Azure App Service uses public IP addresses for outbound traffic.

    • App Service will try to pull the image over the VNet. However, clear it from your end that whether the Artifactory is accessible through the VNet.

    enter image description here

    Check that you have selected network security groups as above and also in app service go to settings<Identity<System assigned should be "on."

    Login or Signup to reply.
  2. 0

    Yes, I think App Service by default tries to go through public network. You can go to the App Service Kudu debug console from App Service -> Development Tools -> Advanced Tools and try the command nslookup repositoryurlorendpoint if you are deploying to a Linux App Service.

    In our case this error (‘UnexpectedFaliure’) happened because it resolved to a public IP inside the App Service (as seen from Kudu), not a virtual network one (for example 10.x.x.x). I.e. the DNS settings were not correct (required custom DNS servers, not Default (Azure-provided) in vnet settings)

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search