Updated docs to cover ACI deployment in vnet pulling from ACR behind private endpoint

norelina · norelina · commit e124bc244a63 · 2023-02-15T11:47:16.000-06:00
diff --git a/articles/container-instances/using-azure-container-registry-mi.md b/articles/container-instances/using-azure-container-registry-mi.md
@@ -14,6 +14,8 @@ ms.custom: mvc, devx-track-azurecli
 
 [Azure Container Registry][acr-overview] (ACR) is an Azure-based, managed container registry service used to store private Docker container images. This article describes how to pull container images stored in an Azure container registry when deploying to container groups with Azure Container Instances. One way to configure registry access is to create an Azure Active Directory managed identity.
 
+Managed identity can also be used to deploy an Azure Container instance or group in a virtual network and authenticate with an Azure Container Registry (ACR) instance that runs behind a private endpoint.
+
 ## Prerequisites
 
 **Azure container registry**: You need a premium SKU Azure container registry with at least one image. If you need to create a registry, see [Create a container registry using the Azure CLI][acr-get-started]. Be sure to take note of the registry's `id` and `loginServer`
@@ -162,6 +164,66 @@ To deploy a container group using managed identity to authenticate image pulls v
 az container create --name my-containergroup --resource-group myResourceGroup --image <loginServer>/hello-world:v1 --acr-identity $userID --assign-identity $userID --ports 80 --dns-name-label <dns-label>
 ```
 
+## Deploy in a virtual network using the Azure CLI
+
+To deploy a container group in a vnet using managed identity to authenticate image pulls from an ACR that runs behind a private endpoint via the Azure CLI, use the following command:
+
+```azurecli-interactive
+az container create --name my-containergroup --resource-group myResourceGroup --image <loginServer>/hello-world:v1 --acr-identity $userID --assign-identity $userID --vnet "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/myVnetResourceGroup/providers/ --subnet mySubnetName
+```
+
+For more info on how to deploy to a virtual network see [Deploy container instances into an Azure virtual network](./container-instances-vnet).
+
+## Deploy a multi-container group in a virtual network using YAML and the Azure CLI
+
+To deploy a multi-container group in a vnet using managed identity to authenticate image pulls from an ACR that runs behind a private endpoint via the Azure CLI, you can specify the container group configuration in a YAML file. Then pass the YAML file as a parameter to the command.
+
+```yaml
+apiVersion: '2021-10-01'
+location: eastus
+type: Microsoft.ContainerInstance/containerGroups
+identity: 
+  type: UserAssigned
+  userAssignedIdentities: {
+    '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACRId': {}
+    }
+properties:
+  osType: Linux
+  imageRegistryCredentials:
+  - server: myacr.azurecr.io
+    identity: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACRId'
+  subnetIds:
+  - id: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/myVnetResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnetName/subnets/mySubnetName'
+    name: mySubnetName
+  containers:
+  - name: myContainer-1
+    properties:
+      resources:
+        requests:
+          cpu: '.4'
+          memoryInGb: '1'
+      environmentVariables:
+        - name: CONTAINER
+          value: 1
+      image: 'myacr.azurecr.io/myimage:latest'
+  - name: myContainer-2
+    properties:
+      resources:
+        requests:
+          cpu: '.4'
+          memoryInGb: '1'
+      environmentVariables:
+        - name: CONTAINER
+          value: 2
+      image: 'myacr.azurecr.io/myimage:latest'
+```
+
+```azurecli-interactive
+az container create --name my-containergroup --resource-group myResourceGroup --file my-YAML-file.yaml
+```
+
+For more info on how to deploy to a multi-container group see [Deploy a multi-container group](./container-instances-multi-container-yaml).
+
 ## Clean up resources
 
 To remove all resources from your Azure subscription, delete the resource group:
diff --git a/articles/container-registry/container-registry-private-link.md b/articles/container-registry/container-registry-private-link.md
@@ -475,6 +475,8 @@ az group delete --name $RESOURCE_GROUP
 
 * [Troubleshoot Azure Private Endpoint connectivity problems](../private-link/troubleshoot-private-endpoint-connectivity.md)
 
+* If you need to deploy Azure Container Instances that can pull from an ACR that runs behind a private endpoint, see [Deploy to Azure Container Instances from Azure Container Registry using a managed identity](../container-instances/using-azure-container-registry-mi.md)
+
 <!-- LINKS - external -->
 [docker-linux]: https://docs.docker.com/engine/installation/#supported-platforms
 [docker-login]: https://docs.docker.com/engine/reference/commandline/login/
