error whilst trying to deploy container image after introduction of private endpoint

Question

This command:

az container create 
    --resource-group MyRespourceGroup 
    --name AcrName 
    --image bla.azurecr.io/test3:latest 
    --cpu 1 
    --memory 1 
    --registry-login-server XXXX.azurecr.io 
    --registry-username XYZ 
    --registry-password XYZ 
    --dns-name-label test1234 
    --ports 80

used to work fine before IT introduced a private endpoint for the container registry to prevent exposing running images to the Internet (I just check this and created a registry without private endpoint and it worked). Now I get a pretty useless error message:

An error response is received from the docker registry 'AcrName'. Please retry later.

How can I further debug this or even deploy again? Maybe one can only create the private endpoint after deploying the ACI?

Thanks!

Answer 1

So I was able to replicate the issue on my end. This error shows up specifically when the private endpoint is enabled and when public access is disabled. You are trying to access the ACR over its public DNS name.

Private endpoint config:

Public access config:

For above setup, I get this:

An error response is received from the docker registry 'kumbernetesreg.azurecr.io'. Please retry later.

Then when public access is set to All networks I actually get a different error that's probably linked to the image I'm using:

The image 'xxxx.privatelink.azurecr.io/hello-world:latest' in container group 'mycont' is not accessible. Please check the image and registry credential.

The image 'xxxx.azurecr.io/hello-world:latest' in container group 'mycont' is not accessible. Please check the image and registry credential.

Creating the endpoint after creating the ACI could cause other issues later if the image needs to be pulled again from the ACR. You could check with IT on how to access the private endpoint using the private link DNS Zone xxxx.privatelink.azurecr.io.