Merge pull request #227461 from norelina/norelina/acr-in-vnet-acr-private-endpoint

BCS2022 · web-flow · commit 7208033ceed6 · 2023-02-27T09:05:08.000-08:00
ACI deployment in vnet pulling from ACR behind private endpoint
diff --git a/articles/container-instances/container-instances-vnet.md b/articles/container-instances/container-instances-vnet.md
@@ -213,9 +213,11 @@ az network vnet delete --resource-group $RES_GROUP --name aci-vnet
 
 ## Next steps
 
-To deploy a new virtual network, subnet, network profile, and container group using a Resource Manager template, see [Create an Azure container group with VNet](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.containerinstance/aci-vnet
+* To deploy a new virtual network, subnet, network profile, and container group using a Resource Manager template, see [Create an Azure container group with VNet](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.containerinstance/aci-vnet
 ).
 
+* To deploy Azure Container Instances that can pull images from an Azure Container Registry through a private endpoint, see [Deploy to Azure Container Instances from Azure Container Registry using a managed identity](../container-instances/using-azure-container-registry-mi.md).
+
 <!-- IMAGES -->
 [aci-vnet-01]: ./media/container-instances-vnet/aci-vnet-01.png
 
diff --git a/articles/container-instances/using-azure-container-registry-mi.md b/articles/container-instances/using-azure-container-registry-mi.md
@@ -14,6 +14,8 @@ ms.custom: mvc, devx-track-azurecli
 
 [Azure Container Registry][acr-overview] (ACR) is an Azure-based, managed container registry service used to store private Docker container images. This article describes how to pull container images stored in an Azure container registry when deploying to container groups with Azure Container Instances. One way to configure registry access is to create an Azure Active Directory managed identity.
 
+When access to an Azure Container Registry (ACR) is [restricted using a private endpoint](../container-registry/container-registry-private-link.md), using a managed identity allows Azure Container Instances [deployed into a virtual network](container-instances-vnet.md) to access the container registry through the private endpoint.
+
 ## Prerequisites
 
 **Azure container registry**: You need a premium SKU Azure container registry with at least one image. If you need to create a registry, see [Create a container registry using the Azure CLI][acr-get-started]. Be sure to take note of the registry's `id` and `loginServer`
@@ -162,6 +164,66 @@ To deploy a container group using managed identity to authenticate image pulls v
 az container create --name my-containergroup --resource-group myResourceGroup --image <loginServer>/hello-world:v1 --acr-identity $userID --assign-identity $userID --ports 80 --dns-name-label <dns-label>
 ```
 
+## Deploy in a virtual network using the Azure CLI
+
+To deploy a container group to a virtual network using managed identity to authenticate image pulls from an ACR that runs behind a private endpoint via the Azure CLI, use the following command:
+
+```azurecli-interactive
+az container create --name my-containergroup --resource-group myResourceGroup --image <loginServer>/hello-world:v1 --acr-identity $userID --assign-identity $userID --vnet "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/myVNetResourceGroup/providers/ --subnet mySubnetName
+```
+
+For more info on how to deploy to a virtual network see [Deploy container instances into an Azure virtual network](./container-instances-vnet.md).
+
+## Deploy a multi-container group in a virtual network using YAML and the Azure CLI
+
+To deploy a multi-container group to a virtual network using managed identity to authenticate image pulls from an ACR that runs behind a private endpoint via the Azure CLI, you can specify the container group configuration in a YAML file. Then pass the YAML file as a parameter to the command.
+
+```yaml
+apiVersion: '2021-10-01'
+location: eastus
+type: Microsoft.ContainerInstance/containerGroups
+identity: 
+  type: UserAssigned
+  userAssignedIdentities: {
+    '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACRId': {}
+    }
+properties:
+  osType: Linux
+  imageRegistryCredentials:
+  - server: myacr.azurecr.io
+    identity: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACRId'
+  subnetIds:
+  - id: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/myVNetResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNetName/subnets/mySubnetName'
+    name: mySubnetName
+  containers:
+  - name: myContainer-1
+    properties:
+      resources:
+        requests:
+          cpu: '.4'
+          memoryInGb: '1'
+      environmentVariables:
+        - name: CONTAINER
+          value: 1
+      image: 'myacr.azurecr.io/myimage:latest'
+  - name: myContainer-2
+    properties:
+      resources:
+        requests:
+          cpu: '.4'
+          memoryInGb: '1'
+      environmentVariables:
+        - name: CONTAINER
+          value: 2
+      image: 'myacr.azurecr.io/myimage:latest'
+```
+
+```azurecli-interactive
+az container create --name my-containergroup --resource-group myResourceGroup --file my-YAML-file.yaml
+```
+
+For more info on how to deploy to a multi-container group see [Deploy a multi-container group](./container-instances-multi-container-yaml.md).
+
 ## Clean up resources
 
 To remove all resources from your Azure subscription, delete the resource group:
diff --git a/articles/container-registry/container-registry-private-link.md b/articles/container-registry/container-registry-private-link.md
@@ -469,11 +469,13 @@ az group delete --name $RESOURCE_GROUP
 
 * To learn more about Private Link, see the [Azure Private Link](../private-link/private-link-overview.md) documentation.
 
-* To verify DNS settings in the virtual network that route to a private endpoint, run the [az acr check-health](/cli/azure/acr#az-acr-check-health) command with the `--vnet` parameter. For more information, see [Check the health of an Azure container registry](container-registry-check-health.md) 
+* To verify DNS settings in the virtual network that route to a private endpoint, run the [az acr check-health](/cli/azure/acr#az-acr-check-health) command with the `--vnet` parameter. For more information, see [Check the health of an Azure container registry](container-registry-check-health.md). 
 
 * If you need to set up registry access rules from behind a client firewall, see [Configure rules to access an Azure container registry behind a firewall](container-registry-firewall-access-rules.md).
 
-* [Troubleshoot Azure Private Endpoint connectivity problems](../private-link/troubleshoot-private-endpoint-connectivity.md)
+* [Troubleshoot Azure Private Endpoint connectivity problems](../private-link/troubleshoot-private-endpoint-connectivity.md).
+
+* If you need to deploy Azure Container Instances that can pull images from an ACR through a private endpoint, see [Deploy to Azure Container Instances from Azure Container Registry using a managed identity](../container-instances/using-azure-container-registry-mi.md).
 
 <!-- LINKS - external -->
 [docker-linux]: https://docs.docker.com/engine/installation/#supported-platforms
