Azure DevOps VMSS agent not able to connect to private ACR with private endpoint


I have set up a private ACR with public access and admin credentials disabled.

It has an approved private endpoint, set up with a private connection, and private DNS zones configured.

The private endpoints reside in the subnet subnetEndpoint in the virtual network vNetApp. I have set up a DevOps pipeline using an agent pool. The agent makes use of a Virtual Machine scale set deployed in the subnet agentSubnet in vNetApp. The agent makes use of a Service Principal to which I have assigned the acrPush role.

The pipeline executes a docker build and should push the image to the private ACR with private endpoint.

I create a service connection dockerConn for connecting the Docker task to ACR.

I give dockerConn the AcrPush role against the registry and pass it to the pipeline.

- stage: Build
  pool:
    name: $(pool)
  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: Docker@2
      displayName: Build and push an image to container registry
      inputs:
        command: buildAndPush
        repository: $(acrImageRepository)-$(Build.SourceBranchName)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection) # This is given the acrPush role

When I run the pipeline, the Docker task fails when the step comes to push the image to ACR.

518047573282: Waiting
denied: client with IP '2.413.62.52' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
##[debug]Exit code 1 received from tool '/usr/bin/docker'
##[debug]STDIO streams have closed for tool '/usr/bin/docker'
##[error]denied: client with IP '2.413.62.52' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
##[debug]Processed: ##vso[task.issue type=error;]denied: client with IP '2.413.62.52' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
##[debug]Trying to logout from registry: ***
####[debug]set DOCKER_CONFIG=
##[debug]Processed: ##vso[task.setvariable variable=DOCKER_CONFIG;isOutput=false;issecret=false;]
##[debug]task result: Failed
##[error]The process '/usr/bin/docker' failed with exit code 1

error message:

client with IP '2.413.62.52' is not allowed access. Refer https://aka.ms/acr/firewall to grant access

The virtual network has the correct DNS zones set up.

Update:

Also, I created a VM in the same subnet as the VMSS. I was able to run the following nslookup, confirming the private DNS is set up correctly:

nslookup myazurereg.azurecr.io
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
myazurereg.azurecr.io   canonical name = myazurereg.privatelink.azurecr.io.
Name:   myazurereg.privatelink.azurecr.io
Address: 12.101.3.5

Can anyone help here? Thanks

1 answer

Dzmitry Varashylau

It looks like your VMSS doesn't leverage 168.63.129.16 to resolve the private endpoint URL. You may connect to your VM and append the line "nameserver 168.63.129.16" to the /etc/resolv.conf file.
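Two practitioner notes on the above, followed by an added check that is not part of the question or the answer. First, in Azure Pipelines a job-level `pool` overrides the stage-level `pool`, and `pool: vmImage:` selects Microsoft-hosted agents; in the posted YAML the job therefore runs on a hosted agent with a public IP, not on the scale set in agentSubnet, regardless of what the stage-level `name: $(pool)` says, and a hosted agent will always be denied by a registry whose public network access is disabled. Second, on images that run systemd-resolved, /etc/resolv.conf is generated, so an appended nameserver line does not survive a restart; the durable place to point the agents at 168.63.129.16 is the virtual network's (or the scale set's) DNS servers setting. The script below is an added diagnostic, written for this page, that you can run on an agent VM before the push: it checks that the registry name resolves through its `<name>.privatelink.azurecr.io` CNAME to an RFC 1918 address, which is the only path that avoids the "client with IP ... is not allowed access" denial. The registry name and the sample nslookup outputs (including the 10.1.2.5 and 20.60.70.80 addresses) are constructed for the example.

```shell
#!/bin/sh
# Added diagnostic (not from the question or the answer): verify that a registry
# name resolves via its privatelink CNAME to a private (RFC 1918) address on this
# host, i.e. through the private endpoint rather than ACR's public IP.

# Constructed sample outputs in nslookup's layout. Addresses are made up;
# 10.1.2.5 stands for a private endpoint NIC in a 10.0.0.0/8 VNet.
SAMPLE_PRIVATE='Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
myazurereg.azurecr.io   canonical name = myazurereg.privatelink.azurecr.io.
Name:   myazurereg.privatelink.azurecr.io
Address: 10.1.2.5'

# Same name answered from the public zone: no privatelink CNAME, public IP.
SAMPLE_PUBLIC='Server:         168.63.129.16
Address:        168.63.129.16#53

Non-authoritative answer:
Name:   myazurereg.azurecr.io
Address: 20.60.70.80'

# True when $1 is in 10/8, 172.16/12 or 192.168/16.
is_private_ip() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Print the last A record in nslookup output read from stdin, skipping the
# "Address: x#53" line that names the resolver itself.
resolved_ip() {
    awk '/^Address:/ && $2 !~ /#/ { ip = $2 } END { if (ip != "") print ip }'
}

# Print the CNAME target nslookup reports for name $1, without the trailing dot.
cname_target() {
    awk -v r="$1" '$1 == r && /canonical name/ { sub(/\.$/, "", $NF); print $NF }'
}

# Exit 0 only if nslookup output $1 shows registry $2 reaching a private IP
# through <name>.privatelink.azurecr.io.
resolves_privately() {
    out=$1
    registry=$2
    name=${registry%%.*}
    cname=$(printf '%s\n' "$out" | cname_target "$registry")
    [ "$cname" = "$name.privatelink.azurecr.io" ] || return 1
    ip=$(printf '%s\n' "$out" | resolved_ip)
    [ -n "$ip" ] || return 1
    is_private_ip "$ip"
}

# Live check on the agent itself (needs nslookup; not exercised offline).
# Usage: check_registry myazurereg.azurecr.io && echo "private path OK"
check_registry() {
    resolves_privately "$(nslookup "$1" 2>/dev/null)" "$1"
}
```

If `check_registry` fails on the agent but succeeds on a test VM in the same subnet, compare the resolver each one actually uses (the `Server:` line, or `resolvectl status` on systemd-resolved hosts): a scale set configured with custom DNS servers that do not forward to 168.63.129.16 will get the public answer even though the private DNS zone is linked to the VNet.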