This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 76%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEG%3C/text%3E%3C/svg%3E)
hello guys,
This is a duplicate post with the same ID. For some reason, the original question I posted seems to have a bug that prevents me from viewing it.
I have a Linux-based web app with VNet integration enabled, configured with an IP address space and a /29 subnet for the IP range. Additionally, I have an Azure Container Registry (ACR) with private access enabled and a private endpoint established within a dedicated VNet also using /29 subnet. The web app is also configured to use a system-assigned identity, which has been granted the AcrPull permission to the ACR IAM.
The challenge arises when I try to connect to the ACR from the web app's Kudu Bash using the command curl -v https://nonprodacr.azurecr.io/v2/. The response shows that the ACR endpoint is resolvable, but further down, it indicates an 'unauthorized' error. I suspect this might be related to IDMS (Identity Management Service) access. However, to my understanding, the default IDMS server should automatically be accessible within Azure infrastructure. I haven’t encountered this issue before with other web apps that have VNet integration enabled.
To provide a clearer picture of the services, I am sharing some of the configurations and test results I performed. Any guidance or advice on resolving this issue would be greatly appreciated.
kudu bash result:
WebApp networking configuration:
IP restriction: enabled with specified IPs for internal access
VNet integration: below screenshot
NSGs configuration: screenshot
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 3%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Hi Emmanuel Gaid,
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
The issue seems to be related to authentication between your Azure Web App and Azure Container Registry (ACR). Follow these steps to resolve it:
Make sure the system-assigned identity of the web app has the AcrPull role on the ACR.
Verify role assignment:
az role assignment list --assignee <web-app-client-id> --scope <acr-resource-id>
Assign role if missing:
az role assignment create --assignee <web-app-client-id> --role AcrPull --scope <acr-resource-id>
Verify the web app can access the IMDS endpoint:
curl -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?resource=https://management.azure.com&api-version=2019-08-01"
If this fails, check for NSGs or UDRs blocking access to 169.254.169.254.
Test ACR private endpoint DNS resolution from the web app:
nslookup <acr-private-endpoint-dns>
If it fails, ensure the private DNS zone for the ACR is linked to the web app's VNet.
Test authentication manually:
curl -H "Authorization: Bearer $(curl -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?resource=https://management.azure.com&api-version=2019-08-01" | jq -r '.access_token')" https://<acr-name>.azurecr.io/v2/
If this fails, recheck role assignments and IMDS access.
For more details, please refer to the below documentation:
Azure Instance Metadata Service
Azure Private Endpoint private DNS zone values
If the information is helpful, please consider by clicking the "Upvote" on the post.
Update: It's interesting that the Web App was able to consume the image from ACR, but I'm still encountering the same error on Kudu. It's quite puzzling. Do you guys have any idea why this might be happening and causing two different results?