Push docker image with devops to private azure container registry

So I have a private Azure container registry, which by its nature also sits on a private VNET (it has to).

I have configured my private container registry to:

"Allow trusted Microsoft services to access this container registry"

I have also, in my VNET, allowed Microsoft Container Registry as a service endpoint.

However, when I push my image in devops with the below code:

  variables:
    # Container registry service connection established during pipeline creation
    dockerRegistryServiceConnection: 'myacr'
    imageRepository: 'my-image-repo'
    containerRegistry: 'myacr.azurecr.io'
    dockerfilePath: '$(Build.SourcesDirectory)/Dockerfile'
    tag: '$(Build.BuildId)'
  steps:
  - task: Docker@2
    displayName: Login to ACR
    inputs:
      command: login
      containerRegistry: $(dockerRegistryServiceConnection)
  - task: Docker@2
    displayName: Build image with arguments
    inputs:
      command: build
      arguments: --build-arg git_personal_token=MYTOKEN
      repository: $(imageRepository)
      dockerfile: $(dockerfilePath)
      containerRegistry: $(dockerRegistryServiceConnection)
      tags: |
        $(tag)
  - task: Docker@2
    displayName: push the image
    inputs:
      containerRegistry: $(dockerRegistryServiceConnection)
      repository: $(imageRepository)
      command: push
      tags: |
        $(tag)

I get the error:

denied: client with IP '51.145.2.107' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.

However, I cannot set an IP address in the firewall, as the builder IP changes with each unique build that is generated. I thought I had allowed all Microsoft services the correct access; have I missed something, or how can I debug this further?

crooksey asked Oct 25 '25 10:10


1 Answer

If you have an Azure Container Registry where you have disabled public network access, you will not be able to access it from a Microsoft-hosted Azure DevOps agent.

The trusted services list currently contains only a handful of services, but more may be added in the future:

  • Azure Container Instances
  • Microsoft Defender for Cloud
  • ACR Tasks
  • Machine Learning
  • Azure Container Registry

However, it is not likely that Azure DevOps (at least not the agents) will be added, since Microsoft has no control over what code executes in them (and thus they are not trusted). The same principle applies to the Azure DevOps service tag, which does not include the Microsoft-hosted agents.

If you really need your registry to be fully private, you will need to use a self-hosted agent deployed in your own network that has access to the registry.

danielorn answered Oct 27 '25 01:10
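The pipeline below is an added example (not code from the question, the answer, or Microsoft) showing the answer's recommendation applied to the asker's pipeline: the same login/build/push steps moved onto a self-hosted agent pool that sits inside the VNET, plus a preflight step that reads the registry's network settings and resolves its hostname from the agent, so a misconfiguration fails early with a readable message instead of `denied: client with IP ...` at push time. The pool name `vnet-agents`, the ARM service connection `myacr-arm` used only for the preflight check, and the secret pipeline variable `GIT_TOKEN` are assumptions; `myacr`, `myacr.azurecr.io` and the other variables come from the question.

```yaml
# Added example: build and push to a private ACR from a self-hosted agent in the VNET.
# Assumed names: pool 'vnet-agents', ARM service connection 'myacr-arm',
# secret variable GIT_TOKEN (set as a secret in the pipeline, not in YAML).
trigger:
- main

pool:
  name: vnet-agents        # self-hosted pool inside the VNET; a 'vmImage' (Microsoft-hosted) pool cannot reach a private registry

variables:
  dockerRegistryServiceConnection: 'myacr'
  imageRepository: 'my-image-repo'
  containerRegistry: 'myacr.azurecr.io'
  dockerfilePath: '$(Build.SourcesDirectory)/Dockerfile'
  tag: '$(Build.BuildId)'

steps:
# Preflight: the ARM control plane is reachable even when the data plane is private,
# so this shows whether public access is disabled and which bypass is configured,
# and whether the agent resolves the registry to a private (VNET) address.
- task: AzureCLI@2
  displayName: Check ACR network settings from the agent
  inputs:
    azureSubscription: myacr-arm
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      set -eu
      az acr show --name myacr \
        --query '{publicNetworkAccess:publicNetworkAccess, bypass:networkRuleBypassOptions}' \
        -o table
      # From inside the VNET a private-endpoint registry should resolve to a private address.
      getent hosts myacr.azurecr.io

- task: Docker@2
  displayName: Login to ACR
  inputs:
    command: login
    containerRegistry: $(dockerRegistryServiceConnection)

- task: Docker@2
  displayName: Build image
  inputs:
    command: build
    # Build args are stored in the image's layer history; pass the token from a
    # secret variable rather than a literal, and prefer a BuildKit secret if possible.
    arguments: --build-arg git_personal_token=$(GIT_TOKEN)
    repository: $(imageRepository)
    dockerfile: $(dockerfilePath)
    containerRegistry: $(dockerRegistryServiceConnection)
    tags: |
      $(tag)

- task: Docker@2
  displayName: Push image
  inputs:
    command: push
    containerRegistry: $(dockerRegistryServiceConnection)
    repository: $(imageRepository)
    tags: |
      $(tag)
```

The preflight output you want to see is `publicNetworkAccess: Disabled` together with a private IP from `getent`; if the hostname still resolves to a public address from the agent, the agent is not on the VNET (or private DNS is not linked to it), which is exactly the situation in which the push is refused by IP.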


