File: articles/container-registry/tasks-agent-pools.md
Lines changed: 30 additions & 7 deletions
@@ -93,19 +93,41 @@ az acr agentpool update \
93
93
94
94
Task agent pools require access to the following Azure services. The following firewall rules must be added to any existing network security groups or user-defined routes.
95
95
96
-
| Direction | Protocol | Source | Source Port | Destination | Dest Port | Used |
| Outbound | TCP | VirtualNetwork | Any | AzureMonitor | 443,12000 | Default | Port 12000 is a unique port used for diagnostics |
103
103
104
104
> [!NOTE]
105
105
> If your tasks require additional resources from the public internet, add the corresponding rules. For example, additional rules are needed to run a docker build task that pulls the base images from Docker Hub, or restores a NuGet package.
106
106
107
107
Customers basing their deployments with MCR can refer to [MCR/MAR firewall rules.](https://github.com/microsoft/containerregistry/blob/main/docs/client-firewall-rules.md)
108
108
109
+
#### Advanced network configuration
110
+
111
+
If the standard Firewall/NSG (Network Security Group) rules are deemed too permissive, and more fine-grained control is required for outbound connections, consider the following approach:
112
+
113
+
- Enable service endpoints on the agent pool subnet. This grants the agent pool access to its service dependencies while maintaining a secure network posture.
114
+
- It's important to note that outbound Firewall/NSG rules are still necessary. These rules facilitate the Virtual Network's ability to switch the source IP from public to private, which is an additional step beyond enabling service endpoints.
115
+
116
+
More information on service endpoints is documented [here][az-vnet-svc-ep].
117
+
118
+
At minimum, the following service endpoints will be required
119
+
120
+
- Microsoft.AzureActiveDirectory
121
+
- Microsoft.ContainerRegistry
122
+
- Microsoft.EventHub
123
+
- Microsoft.KeyVault
124
+
- Microsoft.Storage (or the corresponding storage regions taking geo-replication into account)
125
+
126
+
> [!NOTE]
127
+
> Currently a service endpoint for Azure Monitor does not exist. If outbound traffic for Azure Monitor is not configured, the agent pool will be unable to emit diagnostic logs but may appear to still operate normally. In this case ACR will be unable to help fully troubleshoot any issues encountered so it is important that the network administrator take this into account when planning the network configuration.
128
+
129
+
Also, it is important to note that all of ACR Tasks have pre-cached images for some of the more common use cases. Tasks will only cache a single version at a time, meaning that if the full tagged image reference is used, then the build agent will attempt to pull the image. For example, a common use case is `cmd: mcr.microsoft.com/acr/acr-cli:<tag>`. However, the pre-cached version is frequently updated, which means the actual version on the machine will likely be higher. In this case, the network configuration must configure a route for outbound traffic to the target registry host which in the example above would be mcr.microsoft.com. The same rules would apply to any other external public registry (docker.io, quay.io, ghcr.io, etc.).
130
+
109
131
### Create pool in VNet
110
132
111
133
The following example creates an agent pool in the *mysubnet* subnet of network *myvnet*:
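Review bot: The firewall table near the top of this hunk does not line up: the header row has seven columns (`Direction | Protocol | Source | Source Port | Destination | Dest Port | Used`) while the AzureMonitor row carries eight cells, ending in `Default | Port 12000 is a unique port used for diagnostics`, and no `|---|` separator row is visible, so the port 12000 explanation will not render as a column. Add an eighth header (for example `Notes`) and the separator row, or move the explanation into the text under the table. In the "Advanced network configuration" section, `[az-vnet-svc-ep]` is a reference-style link; confirm its definition is the line added at the end of the file (the second hunk is not rendered here), otherwise the link renders as literal text. The sentence "At minimum, the following service endpoints will be required" needs a closing colon before the list, and "all of ACR Tasks have pre-cached images" should read "all ACR Tasks agents have pre-cached images". The Azure Monitor note would be clearer if it pointed back to the `AzureMonitor` row in the table (TCP 443 and 12000) and said plainly that, because no service endpoint exists, the outbound NSG rule with that service tag must stay in place for diagnostics to be emitted. Finally, the pre-cached image paragraph describes the behaviour but leaves the reader's action implicit: state the two choices directly, either reference the image without a tag so the cached copy is used, or add an outbound rule for the registry host (mcr.microsoft.com in the example).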
@@ -200,3 +222,4 @@ For more examples of container image builds and maintenance in the cloud, check