Configuring Azure Container Registry (ACR) for a secure connection with Azure Container Apps is a crucial step in ensuring that your containerized applications are deployed safely and efficiently. This process involves setting up permissions and authentication so Azure Container Apps can securely pull container images from ACR without exposing credentials. By integrating ACR with managed identities or workload identities, teams can streamline deployments, improve security, and maintain a clean, automated DevOps workflow.
Configure a user-assigned managed identity
- Open your Azure portal.
- On the portal menu, select + Create a resource.
- On the Create a resource page, in the Search services and marketplace text box, enter managed identity.
- In the filtered list of resources, select User Assigned Managed Identity.
- On the User Assigned Managed Identity page, select Create.
- On the Create User Assigned Managed Identity page, specify the following information:
  - Subscription: Specify the Azure subscription that you're using for this guided project.
  - Resource group: RG1
  - Region: Central US
  - Name: uai-az2003
- Select Review + create.
- Select Create.

Configure Container Registry with AcrPull permissions for the managed identity
- In the Azure portal, open the Container Registry resource that was already created.
- On the left-side menu, select Access Control (IAM).
- On the Access Control (IAM) page, select Add role assignment.
- Search for the AcrPull role, and then select AcrPull.
  Note: The same steps apply when assigning the AcrPush role.
- Select Next.
- On the Members tab, to the right of Assign access to, select Managed identity.
- Select + Select members.
- On the Select managed identities page, under Managed identity, select User-assigned managed identity, and then select the user-assigned managed identity created for this project (for example, uai-az2003).
- On the Select managed identities page, select Select.
- On the Members tab of the Add role assignment page, select Review + assign.
- On the Review + assign tab, select Review + assign.
- Wait for the role assignment to be added.

Configure Container Registry with a private endpoint connection
- Ensure that your Container Registry resource is open in the portal.
- Under Settings, select Networking.
- On the Private access tab, select + Create a private endpoint connection.
- On the Basics tab, under Project details, specify the following information:
  - Subscription: Specify the Azure subscription that you're using for this project.
  - Resource group: RG1
  - Name: pe-acr-az2003
  - Region: Ensure that Central US is selected.
- Select Next: Resource.
- On the Resource tab, ensure the following information is displayed:
  - Subscription: Ensure that the Azure subscription that you're using for this project is selected.
  - Resource type: Ensure that Microsoft.ContainerRegistry/registries is selected.
  - Resource: Ensure that the name of your registry is selected.
  - Target sub-resource: Ensure that registry is selected.
- Select Next: Virtual Network.
- On the Virtual Network tab, under Networking, ensure the following information is displayed:
  - Virtual network: Ensure that VNET1 is selected.
  - Subnet: Ensure that PESubnet is selected.
- Select Next: DNS.
- On the DNS tab, under Private DNS Integration, ensure the following information is displayed:
  - Integrate with private DNS zone: Ensure that Yes is selected.
  - Private DNS Zone: Notice that (new) privatelink.azurecr.io is specified.
- Select Next: Tags, and then select Next: Review + create.
- On the Review + create tab, when you see the Validation passed message, select Create.
- Wait for the deployment to complete.
Verify your work
In this task, you verify that your configuration meets the specified requirements.
- In the Azure portal, open your Container Registry resource.
- On the Access Control (IAM) page, select Role assignments.
- Verify that the role assignments list shows the AcrPull role assigned to the user-assigned managed identity resource.
- On the left-side menu, under Settings, select Networking.
- On the Networking page, select the Private access tab.
- Under Private endpoint, select the private endpoint that you created (for example, pe-acr-az2003).
- On the Private endpoint page, under Settings, select DNS configuration.
- Verify the following DNS setting:
  - Private DNS zone: set to privatelink.azurecr.io.
- On the left-side menu, select Overview.
- Verify the following setting:
  - Virtual network/subnet: set to VNET1/PESubnet.
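The same configuration driven from the Azure CLI, as an added example that is not part of the original article: it creates the identity, grants AcrPull scoped to the registry only, creates the private endpoint with its privatelink.azurecr.io zone, and then runs the two checks from the Verify your work task. The lab values (RG1, Central US, uai-az2003, pe-acr-az2003, VNET1, PESubnet) come from the steps above; the registry name (passed as ACR_NAME), the private-link connection name, the DNS link name and the dns-zone-group name default are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: Azure CLI equivalent of the
# portal steps (identity -> AcrPull -> private endpoint -> verify).
# Values from the lab: RG1, centralus, uai-az2003, pe-acr-az2003, VNET1, PESubnet.
# Assumptions: the registry name is passed in (ACR_NAME); the connection, DNS link
# and dns-zone-group names below are chosen here, not taken from the article.
set -eu

RG="${RG:-RG1}"
LOCATION="${LOCATION:-centralus}"
IDENTITY="${IDENTITY:-uai-az2003}"
ENDPOINT="${ENDPOINT:-pe-acr-az2003}"
VNET="${VNET:-VNET1}"
SUBNET="${SUBNET:-PESubnet}"
DNS_ZONE="privatelink.azurecr.io"

# Step 1: user-assigned managed identity. Prints its principalId (the object id
# that role assignments are made against).
create_identity() {
  az identity create --name "$IDENTITY" --resource-group "$RG" \
    --location "$LOCATION" --output none
  az identity show --name "$IDENTITY" --resource-group "$RG" \
    --query principalId --output tsv
}

# Step 2: AcrPull scoped to this one registry (pull only, no push, no admin).
# $1 = registry name, $2 = identity principalId. Prints the registry resource id.
assign_acr_pull() {
  acr_id=$(az acr show --name "$1" --resource-group "$RG" --query id --output tsv)
  az role assignment create --role AcrPull --scope "$acr_id" \
    --assignee-object-id "$2" --assignee-principal-type ServicePrincipal --output none
  echo "$acr_id"
}

# Step 3: private endpoint in VNET1/PESubnet plus the privatelink.azurecr.io zone,
# so the registry hostname resolves to the private IP from inside the VNet.
# $1 = registry resource id.
create_private_endpoint() {
  az network private-endpoint create --name "$ENDPOINT" --resource-group "$RG" \
    --location "$LOCATION" --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$1" --group-id registry \
    --connection-name "${ENDPOINT}-conn" --output none
  az network private-dns zone create --resource-group "$RG" --name "$DNS_ZONE" --output none
  az network private-dns link vnet create --resource-group "$RG" --zone-name "$DNS_ZONE" \
    --name "${VNET}-link" --virtual-network "$VNET" --registration-enabled false --output none
  az network private-endpoint dns-zone-group create --resource-group "$RG" \
    --endpoint-name "$ENDPOINT" --name default \
    --private-dns-zone "$DNS_ZONE" --zone-name registry --output none
}

# Step 4: the checks from "Verify your work". Returns 0 only if the identity holds
# exactly one AcrPull assignment on the registry and the endpoint sits in VNET1/PESubnet.
# $1 = registry resource id, $2 = identity principalId.
verify() {
  n=$(az role assignment list --scope "$1" --assignee "$2" \
        --query "length([?roleDefinitionName=='AcrPull'])" --output tsv)
  subnet_id=$(az network private-endpoint show --name "$ENDPOINT" --resource-group "$RG" \
        --query subnet.id --output tsv)
  [ "$n" = "1" ] || return 1
  case "$subnet_id" in
    */virtualNetworks/"$VNET"/subnets/"$SUBNET") return 0 ;;
  esac
  return 1
}

main() {
  principal_id=$(create_identity)
  acr_id=$(assign_acr_pull "$1" "$principal_id")
  create_private_endpoint "$acr_id"
  if verify "$acr_id" "$principal_id"; then
    echo "verified: AcrPull + private endpoint configured for $1"
  else
    echo "verification failed for $1" >&2
    return 1
  fi
}

# Only runs when asked: ACR_NAME=<registry> RUN_ACR_SETUP=1 bash acr-private-pull.sh
if [ "${RUN_ACR_SETUP:-0}" = "1" ]; then
  main "${ACR_NAME:?set ACR_NAME to an existing registry in $RG}"
fi
```

Run it after az login with ACR_NAME set to your registry. AcrPull is the right role for a runtime that only pulls images; keep AcrPush for the CI principal that publishes them. Two caveats the portal steps do not surface: private endpoints require the Premium registry tier, and role assignments can take a few minutes to propagate, so a failed verify immediately after the assignment may simply need a retry. The private endpoint only becomes a control rather than a convenience once the registry's public network access is disabled, which neither the steps above nor this script do.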
To securely deploy containerized workloads in Azure Container Apps, you must establish a protected connection to Azure Container Registry (ACR), where container images are stored.
This configuration ensures that only authorized resources can pull images from the registry.