0
votes

I have a Pipeline in Azure DevOps that should build and push a Docker image to an Azure Container Registry. Therefore I have a service connection (type: docker registry) in place in order to authorize the pipeline to push. If I remove the network restriction in the container registry everything goes just fine.

As soon as I want to restrict the network access it does not work anymore and I get a "denied" in the pipeline output of the docker task. I also tried to add the Azure DevOps IP ranges (13.107.43.0/24, 13.107.42.0/24, 13.107.9.0/24, 13.107.6.0/24).

Any idea what is wrong?

1
Azure DevOps Server or Cloud? Azure Container Registry is in the public cloud? You probably need to add the ACR IP addresses to your restrictions if using ADO Server to push to the public cloud. - Alexis Murray
Both are in the public cloud. It's the other way around, right. ADO addresses have to be added to ACR, but that is why I tried adding the mentioned IP ranges. - Noah Ispas
Hi Noah Ispas, did you get a chance to implement the solution that Charles suggested? Were you able to resolve? - PatrickLu-MSFT
Will try it in the next days. - Noah Ispas

1 Answer

1
votes

Actually, all the tasks run on the agents when you use the pipeline. For the network of the agents, you can take a look here. As you can see, you need to allow the IP addresses of the agents, and the IP ranges vary over time. Every week you need to add the new IP addresses to the firewall rules for your organization's region. So it's a little troublesome.

Compared with controlling the access IP addresses, I recommend you control the permissions of the ACR credential. If a person does not have enough permission, he can't do the things that require special permission even if he can access the ACR. Here are the details about the permissions of ACR.
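
The weekly allow-list update described in the answer, as an added example that is not part of the original answer. It assumes the agent ranges are taken from the `AzureCloud.<region>` entry of Microsoft's weekly Service Tags JSON and that the registry's IP rules take IPv4 prefixes only; the sample data, the region and the registry name `exampleregistry` are constructed.

```python
import ipaddress
import json

# Constructed sample in the shape of the weekly Service Tags JSON.
# The prefixes are documentation ranges, not real Azure ranges.
SAMPLE_TAGS = json.loads("""
{"changeNumber": 1, "cloud": "Public", "values": [
  {"name": "AzureCloud.westeurope",
   "properties": {"region": "westeurope",
                  "addressPrefixes": ["192.0.2.0/24", "198.51.100.0/25", "2001:db8::/32"]}},
  {"name": "AzureCloud.northeurope",
   "properties": {"region": "northeurope",
                  "addressPrefixes": ["203.0.113.128/25"]}}
]}
""")


def agent_prefixes(tags, region):
    """Return the IPv4 prefixes of AzureCloud.<region> (IPv6 entries are skipped)."""
    wanted = f"azurecloud.{region}".lower()
    for entry in tags["values"]:
        if entry["name"].lower() == wanted:
            nets = (ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"])
            return {n for n in nets if n.version == 4}
    raise KeyError(f"no AzureCloud tag for region {region!r}")


def diff_rules(current_rules, wanted):
    """Split into prefixes to add and existing rules that are not in the tag."""
    current = {ipaddress.ip_network(r) for r in current_rules}
    return sorted(wanted - current), sorted(current - wanted)


def add_commands(registry, to_add):
    """Render one `az acr network-rule add` call per missing prefix."""
    return [f"az acr network-rule add --name {registry} --ip-address {n}" for n in to_add]


if __name__ == "__main__":
    # Constructed current allow list; "exampleregistry" is a hypothetical name.
    current = ["192.0.2.0/24", "203.0.113.0/24"]
    to_add, review = diff_rules(current, agent_prefixes(SAMPLE_TAGS, "westeurope"))
    print("\n".join(add_commands("exampleregistry", to_add)))
    # Rules outside the tag may be stale agent ranges or unrelated entries
    # (an office IP, say), so they are listed for review, not removed.
    for net in review:
        print(f"# review: {net} is not in the current tag")
```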