Welcome to our comprehensive guide dedicated to resolving challenges that arise when Azure App Services encounter difficulties pulling Docker images from the Azure Container Registry (ACR). Deploying applications seamlessly often hinges on a smooth image retrieval process, and encountering obstacles during this phase can disrupt the entire deployment workflow.
In this guide, we walk through a step-by-step checklist for diagnosing and troubleshooting these issues. It covers authentication (Admin Credentials, Managed Identity and access permissions) as well as network configuration for both Public and Private ingress on the ACR, and aims to be your go-to reference for resolving image pull issues within the Azure ecosystem.
Confirm that Image and Tag exist on the ACR and are spelled correctly:
Admin Credentials:
Managed Identity (System Assigned):
Managed Identity (User Assigned):
ACR Public Access:
ACR Private Endpoint is enabled:
Note: This section involves several steps related to networking configuration, so it is highly advised to carry out the analysis together with your Cloud Management/Networking team.
Linux Container:
Windows Container:
For Windows Containers, the SSH functionality is not available unless a container is running successfully. To perform the above steps, please create a new Web App with the QuickStart image, under the same App Service Plan as the Web App you are trying to configure (img 12).
Follow the same steps as above by browsing to the Windows Kudu Console URL: https://<MY_WEB_APP>.scm.azurewebsites.net/DebugConsole
Linux Container:
Use tcpping on Kudu console to connect to the ACR endpoint on port 443: tcpping <ACR_NAME>.azurecr.io 443
If it fails, please check for NSG rules that could be blocking this connection on both subnets (App Service Subnet and ACR Private Endpoint Subnet).
Windows Container:
For Windows Containers, the SSH functionality is not available unless a container is running successfully. As with the nslookup steps, please create a new Web App with the QuickStart image, under the same App Service Plan as the Web App you are trying to configure (img 12).
Then you can use the command tcppingnative to connect to the ACR endpoint on port 443: tcppingnative <ACR_NAME>.azurecr.io 443
If it fails, please check for NSG rules that could be blocking this connection on both subnets (App Service Subnet and ACR Private Endpoint Subnet).
Side note: On Windows Containers, the TCP connection troubleshooting command depends on whether the base image is ServerCore or NanoServer: use "tcpping" for images that contain .NET Framework (like ServerCore) and "tcppingnative" for images that do NOT contain .NET Framework (like NanoServer). The default QuickStart image uses NanoServer, so we need to use "tcppingnative".
Extra note:
If you have followed all of the checks in this guide and the issue still persists, please verify that your image manifest format is V2 schema 2 (Deprecated Engine Features | Docker Docs). V2 schema 1 is deprecated, and pulling an image in that format through a VNet will fail.
To confirm the Manifest version of your image, please review the steps at the following page: docker manifest | Docker Docs
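As an added example (not part of the original guide or any Microsoft tooling), the following Python code classifies manifest JSON, such as the output of `docker manifest inspect`, so the deprecated V2 schema 1 format can be told apart from V2 schema 2. The function names and the sample manifests are constructed for illustration.

```python
import json

# Media types from the Docker Registry v2 and OCI image specifications.
SCHEMA1_TYPES = {
    "application/vnd.docker.distribution.manifest.v1+json",
    "application/vnd.docker.distribution.manifest.v1+prettyjws",
}
SCHEMA2_TYPES = {
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}
OCI_TYPES = {
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
}

def classify_manifest(raw):
    """Return 'v2-schema1', 'v2-schema2', 'oci' or 'unknown' for manifest JSON text."""
    try:
        doc = json.loads(raw)
    except (TypeError, ValueError):
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    media_type = doc["mediaType"] if isinstance(doc.get("mediaType"), str) else ""
    version = doc.get("schemaVersion")
    # Signed schema 1 manifests usually carry no mediaType field, so
    # schemaVersion 1 or the fsLayers array is what identifies them.
    if media_type in SCHEMA1_TYPES or version == 1 or "fsLayers" in doc:
        return "v2-schema1"
    if media_type in SCHEMA2_TYPES:
        return "v2-schema2"
    # OCI manifests and indexes may omit mediaType but still use schemaVersion 2.
    if media_type in OCI_TYPES or (version == 2 and not media_type
                                   and ("layers" in doc or "manifests" in doc)):
        return "oci"
    return "unknown"

def is_deprecated_schema1(raw):
    """True for the deprecated V2 schema 1 format."""
    return classify_manifest(raw) == "v2-schema1"

# Constructed sample manifests (placeholder digests, not real images).
SAMPLE_SCHEMA1 = json.dumps({"schemaVersion": 1, "name": "sample/app", "tag": "v1",
                             "fsLayers": [{"blobSum": "sha256:PLACEHOLDER"}]})
SAMPLE_SCHEMA2 = json.dumps({"schemaVersion": 2, "layers": [],
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json"})
```

An image reported as `v2-schema1` is the case the note above warns about; `oci` and `unknown` results are reported separately because the guide only names V2 schema 2 as the expected format.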
If you are still facing any unexpected constraints after following the above configuration checks, please reach out to us through a new Microsoft Support case, and we will gladly assist you further.