Deploy a container registry containing a python docker code into azure logic apps using a virtual network

Question

I'm looking to deploy an ACR (Azure Container Registry) repository that containers docker for python code. I want this ACR to run in a virtual network so I can securely access blob storage through my python code. I've created a virtual network and modified th private access of my container registry to use the VN as an endpoint: see here and configured the storage account to accept from this virtual network: storage account

ContainerGroup Containers:

[ { "name": "py-container-@{variables('Time')}", "properties": { "image": "filogixcontainerregistry.azurecr.io/my-python-app:latest", "resources": { "requests": { "memoryInGB": 1.5, "cpu": 1 }, "limits": { "memoryInGB": 1.5, "cpu": 1 } }, "environmentVariables": [ { "name": "AZURE_STORAGE_CONNECTION_STRING", "value": @{parameters('connection_string')} }, { "name": "BLOB_PATH", "value": @{variables('Path_name')} } ] } } ]

Here's what the request returns:

"content": "2024-07-03 15:53:47,274 - INFO - Starting the main function.\n2024-07-03 15:53:47,274 - INFO - Blob path: pdf/Filogix Display 1/Martin Application(1).pdf\n2024-07-03 15:53:47,274 - INFO - Parsed container name: pdf and blob name: x.pdf\n2024-07-03 15:53:47,275 - INFO - Connection string: DefaultEndpointsProtocol=https;AccountName=x;AccountKey=;EndpointSuffix=core.windows.net\n2024-07-03 15:53:47,282 - INFO - BlobServiceClient created successfully.\n2024-07-03 15:53:47,282 - INFO - Blob client for Filogix Display 1/Martin Application(1).pdf in container pdf created successfully.\n2024-07-03 15:53:47,286 - INFO - Request URL: 'https://x.blob.core.windows.net/pdf/Filogix%20Display%201/Martin%20Application%281%29.pdf'\nRequest method: 'GET'\nRequest headers:\n 'x-ms-range': 'REDACTED'\n 'x-ms-version': 'REDACTED'\n 'Accept': 'application/xml'\n 'User-Agent': 'azsdk-python-storage-blob/12.18.3 Python/3.11.4 (Linux-5.10.102.2-microsoft-standard-x86_64-with-glibc2.28)'\n 'x-ms-date': 'REDACTED'\n 'x-ms-client-request-id': '6eed53ae-3954-11ef-a5d0-00155d5660df'\n 'Authorization': 'REDACTED'\nNo body was attached to the request\n2024-07-03 15:53:47,337 - INFO - Response status: 403\nResponse headers:\n 'Content-Length': '246'\n 'Content-Type': 'application/xml'\n 'Server': 'Microsoft-HTTPAPI/2.0'\n 'x-ms-request-id': '3848c760-f01e-0010-2a61-cd0fd9000000'\n 'x-ms-client-request-id': '6eed53ae-3954-11ef-a5d0-00155d5660df'\n 'x-ms-error-code': 'AuthorizationFailure'\n 'Date': 'Wed, 03 Jul 2024 15:53:46 GMT'\n2024-07-03 15:53:47,339 - ERROR - An error occurred: This request is not authorized to perform this operation.\nRequestId:3848c760-f01e-0010-2a61-cd0fd9000000\nTime:2024-07-03T15:53:47.3409399Z\nErrorCode:AuthorizationFailure\nContent: AuthorizationFailureThis request is not authorized to perform this operation.\nRequestId:3848c760-f01e-0010-2a61-cd0fd9000000\nTime:2024-07-03T15:53:47.3409399Z\n

When I try running the logic app after opening my storage app to all networks, I get no error. This shows me the virtual netowork isn't working, I'm guessing that I'm configuring the ACR wrong and it's not actually using the virtual network.

Answer 1

It seems that the ACR is not using the virtual network, which is causing the issue with blob storage access. You should check the ACR configuration and ensure that it is correctly using the virtual network. In order to correctly configure your ACR to use the virtual network you can first

create a vnet

az network vnet create \
  --resource-group arkorg \
  --name myVNet \
  --address-prefix 10.0.0.0/16 \
  --subnet-name mySubnet \
  --subnet-prefix 10.0.1.0/24

then create an ACR with a private endpoint within this VNet

az acr create --resource-group arkorg --name arkoacr3 --sku Premium

az network private-endpoint create \ --resource-group arkorg \ --vnet-name myVNet \ --subnet mySubnet \ --name acrPrivateEndpoint \ --private-connection-resource-id $(az acr show --name arkoacr3 --resource-group arkorg --query "id" --output tsv) \ --group-id registry \ --connection-name acrConnection

    az network private-dns zone create --resource-group arkorg --name privatelink.azurecr.io

az network private-dns link vnet create --resource-group arkorg --zone-name privatelink.azurecr.io --name acrDNSLink --virtual-network myVNet --registration-enabled false

az network private-endpoint dns-zone-group create --resource-group arkorg --endpoint-name acrPrivateEndpoint --name acrZoneGroup --private-dns-zone privatelink.azurecr.io --zone-name registry

Create a storage account and configure it with a private endpoint

az storage account create --name mystorageaccount123 --resource-group arkorg --location eastus --sku Standard_LRS

az network private-endpoint create \
  --resource-group arkorg \
  --vnet-name myVNet \
  --subnet mySubnet \
  --name storagePrivateEndpoint \
  --private-connection-resource-id $(az storage account show --name mystorageaccount123 --resource-group arkorg --query "id" --output tsv) \
  --group-id blob \
  --connection-name storageConnection

az network private-dns zone create --resource-group arkorg --name privatelink.blob.core.windows.net

az network private-dns link vnet create --resource-group arkorg --zone-name privatelink.blob.core.windows.net --name storageDNSLink --virtual-network myVNet --registration-enabled false

az network private-endpoint dns-zone-group create --resource-group arkorg --endpoint-name storagePrivateEndpoint --name storageZoneGroup --private-dns-zone privatelink.blob.core.windows.net --zone-name blob

Done, now you should be able to deploy an ACR repository containing Python Docker code, ensuring that it runs within a VNet

Deploying an image from Azure Container Registry with Azure Logic Apps

Python Container Apps in Azure

Deploy a containerized Python app to App Service