Understanding ACR Image Pull Errors
Azure Container Registry (ACR) image pull errors prevent containers from starting across AKS, App Service, Container Instances, and other compute services. The root cause is almost always authentication, network access, or the image simply not existing. This guide covers every image pull error scenario and its resolution.
Understanding the Root Cause
Resolving Image Pull Errors in Azure Container Registry requires more than applying a quick fix to suppress error messages. The underlying cause typically involves a mismatch between your application’s expectations and the service’s actual behavior or limits. Azure services enforce quotas, rate limits, and configuration constraints that are documented but often overlooked during initial development when traffic volumes are low and edge cases are rare.
When this issue appears in production, it usually indicates that the system has crossed a threshold that was not accounted for during capacity planning. This could be a throughput limit, a connection pool ceiling, a timeout boundary, or a resource quota. The error messages from Azure services are designed to be actionable, but they sometimes point to symptoms rather than the root cause. For example, a timeout error might actually be caused by a DNS resolution delay, a TLS handshake failure, or a downstream dependency that is itself throttled.
The resolution strategies in this guide are organized from least invasive to most invasive. Start with configuration adjustments that do not require code changes or redeployment. If those are insufficient, proceed to application-level changes such as retry policies, connection management, and request patterns. Only escalate to architectural changes like partitioning, sharding, or service tier upgrades when the simpler approaches cannot meet your requirements.
Impact Assessment
Before implementing any resolution, assess the blast radius of the current issue. Determine how many users, transactions, or dependent services are affected. Check whether the issue is intermittent or persistent, as this distinction changes the urgency and approach. Intermittent issues often indicate resource contention or throttling near a limit, while persistent failures typically point to misconfiguration or a hard limit being exceeded.
Review your Service Level Objectives (SLOs) to understand the business impact. If your composite SLA depends on this service’s availability, calculate the actual downtime or degradation window. This information is critical for incident prioritization and for justifying the engineering investment required for a permanent fix versus a temporary workaround.
Consider the cascading effects on downstream services and consumers. When Image Pull Errors in Azure Container Registry degrades, every service that depends on it may also experience failures or increased latency. Map out your service dependency graph to understand the full impact scope and prioritize the resolution accordingly.
Common Error Messages
ErrImagePull: Failed to pull image "myregistry.azurecr.io/myapp:latest"
ImagePullBackOff: Back-off pulling image "myregistry.azurecr.io/myapp:v1.0"
unauthorized: authentication required
denied: requested access to the resource is denied
manifest unknown: manifest tagged by "latest" is not found
Error response from daemon: Get "https://myregistry.azurecr.io/v2/": net/http: request canceledACR Health Check
# Run the built-in ACR health check
az acr check-health \
--name myregistry \
--yes
# Output checks:
# - DNS resolution
# - Internet connectivity
# - Docker CLI availability
# - Docker daemon status
# - Helm CLI availability
# - Azure CLI versionAuthentication Issues
RBAC Roles
| Role | Permissions | Use Case |
|---|---|---|
AcrPull |
Pull images | AKS nodes, App Service, CI/CD pull |
AcrPush |
Push and pull images | CI/CD pipelines |
AcrDelete |
Delete images | Image cleanup automation |
Contributor |
Full registry management | Registry administrators |
# Assign AcrPull role to a managed identity
az role assignment create \
--assignee "{managed-identity-principal-id}" \
--role AcrPull \
--scope "/subscriptions/{subId}/resourceGroups/myRG/providers/Microsoft.ContainerRegistry/registries/myregistry"
# Assign AcrPull to AKS kubelet identity
AKS_MI=$(az aks show --name myAKS --resource-group myRG --query "identityProfile.kubeletidentity.objectId" -o tsv)
ACR_ID=$(az acr show --name myregistry --resource-group myRG --query "id" -o tsv)
az role assignment create \
--assignee "$AKS_MI" \
--role AcrPull \
--scope "$ACR_ID"AKS + ACR Integration
# Attach ACR to AKS (recommended — handles RBAC automatically)
az aks update \
--name myAKS \
--resource-group myRG \
--attach-acr myregistry
# Verify the attachment
az aks check-acr \
--name myAKS \
--resource-group myRG \
--acr myregistry.azurecr.io
# Detach (if needed)
az aks update \
--name myAKS \
--resource-group myRG \
--detach-acr myregistryService Principal Authentication
# Create a service principal for ACR pull
ACR_ID=$(az acr show --name myregistry --query "id" -o tsv)
SP=$(az ad sp create-for-rbac --name acr-pull-sp --role AcrPull --scopes "$ACR_ID" --query "{appId:appId, password:password}" -o json)
# Check if SP credentials have expired
az ad sp credential list --id "{appId}" --query "[].{endDateTime:endDateTime}" -o tableKubernetes imagePullSecrets
# Create a Kubernetes secret for ACR authentication
kubectl create secret docker-registry acr-secret \
--docker-server=myregistry.azurecr.io \
--docker-username="{service-principal-id}" \
--docker-password="{service-principal-password}" \
--docker-email="user@example.com"# Reference the secret in your pod spec
apiVersion: v1
kind: Pod
metadata:
name: myapp
spec:
containers:
- name: myapp
image: myregistry.azurecr.io/myapp:v1.0
imagePullSecrets:
- name: acr-secret# Or set the default pull secret for all pods in a namespace
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "acr-secret"}]}'Image Not Found
# List available tags for an image
az acr repository show-tags \
--name myregistry \
--repository myapp \
-o table
# Check if the manifest exists
az acr manifest show \
--registry myregistry \
--name myapp:v1.0
# List all repositories
az acr repository list \
--name myregistry \
-o table
# Common mistakes:
# - Using "latest" tag when no image was tagged as latest
# - Typo in repository name (case-sensitive)
# - Image was deleted by a retention policyResilience Patterns for Long-Term Prevention
Once you resolve the immediate issue, invest in resilience patterns that prevent recurrence. Azure’s cloud-native services provide building blocks for resilient architectures, but you must deliberately design your application to use them effectively.
Retry with Exponential Backoff: Transient failures are expected in distributed systems. Your application should automatically retry failed operations with increasing delays between attempts. The Azure SDK client libraries implement retry policies by default, but you may need to tune the parameters for your specific workload. Set maximum retry counts to prevent infinite retry loops, and implement jitter (randomized delay) to prevent thundering herd problems when many clients retry simultaneously.
Circuit Breaker Pattern: When a dependency consistently fails, continuing to send requests increases load on an already stressed service and delays recovery. Implement circuit breakers that stop forwarding requests after a configurable failure threshold, wait for a cooldown period, then tentatively send a single test request. If the test succeeds, the circuit closes and normal traffic resumes. If it fails, the circuit remains open. Azure API Management provides a built-in circuit breaker policy for backend services.
Bulkhead Isolation: Separate critical and non-critical workloads into different resource instances, connection pools, or service tiers. If a batch processing job triggers throttling or resource exhaustion, it should not impact the real-time API serving interactive users. Use separate Azure resource instances for workloads with different priority levels and different failure tolerance thresholds.
Queue-Based Load Leveling: When the incoming request rate exceeds what the backend can handle, use a message queue (Azure Service Bus or Azure Queue Storage) to absorb the burst. Workers process messages from the queue at the backend’s sustainable rate. This pattern is particularly effective for resolving throughput-related issues because it decouples the rate at which requests arrive from the rate at which they are processed.
Cache-Aside Pattern: For read-heavy workloads, cache frequently accessed data using Azure Cache for Redis to reduce the load on the primary data store. This is especially effective when the resolution involves reducing request rates to a service with strict throughput limits. Even a short cache TTL of 30 to 60 seconds can dramatically reduce the number of requests that reach the backend during traffic spikes.
Network Access Issues
# Check if the registry has network restrictions
az acr show \
--name myregistry \
--resource-group myRG \
--query "{publicAccess:publicNetworkAccess, networkRules:networkRuleSet}" -o json
# Allow public access (for debugging only)
az acr update \
--name myregistry \
--resource-group myRG \
--public-network-enabled true
# Add specific IP to allowed list
az acr network-rule add \
--name myregistry \
--resource-group myRG \
--ip-address 203.0.113.0/24
# For private registries, ensure Private Endpoint + DNS is configured
az acr show \
--name myregistry \
--resource-group myRG \
--query "privateEndpointConnections" -o jsonSKU Limits
| Feature | Basic | Standard | Premium |
|---|---|---|---|
| Storage (GiB) | 10 | 100 | 500 |
| Max image layers | Shared | Shared | Shared |
| Webhooks | 2 | 10 | 500 |
| Geo-replication | No | No | Yes |
| Private endpoints | No | No | Yes |
| Throughput (ReadOps/min) | 1,000 | 3,000 | 10,000 |
# Upgrade to Premium for private endpoints
az acr update \
--name myregistry \
--resource-group myRG \
--sku PremiumTroubleshooting AKS Pull Failures
# Check pod events for image pull errors
kubectl describe pod myapp-pod | grep -A 10 "Events:"
# Check AKS node connectivity to ACR
kubectl run test-acr --image=myregistry.azurecr.io/myapp:v1.0 --restart=Never
# Get detailed error from kubelet
kubectl get events --field-selector reason=Failed --sort-by='.metadata.creationTimestamp'
# Verify the kubelet identity has AcrPull role
az aks show --name myAKS --resource-group myRG \
--query "identityProfile.kubeletidentity.{clientId:clientId, objectId:objectId}" -o json
# Check role assignments
az role assignment list \
--assignee "$(az aks show --name myAKS --resource-group myRG --query 'identityProfile.kubeletidentity.objectId' -o tsv)" \
--scope "$(az acr show --name myregistry --query 'id' -o tsv)" \
-o tableUnderstanding Azure Service Limits and Quotas
Every Azure service operates within defined limits and quotas that govern the maximum throughput, connection count, request rate, and resource capacity available to your subscription. These limits exist to protect the multi-tenant platform from noisy-neighbor effects and to ensure fair resource allocation across all customers. When your workload approaches or exceeds these limits, the service enforces them through throttling (HTTP 429 responses), request rejection, or degraded performance.
Azure service limits fall into two categories: soft limits that can be increased through a support request, and hard limits that represent fundamental architectural constraints of the service. Before designing your architecture, review the published limits for every Azure service in your solution. Plan for the worst case: what happens when you hit the limit during a traffic spike? Your application should handle throttled responses gracefully rather than failing catastrophically.
Use Azure Monitor to track your current utilization as a percentage of your quota limits. Create dashboards that show utilization trends over time and set alerts at 70 percent and 90 percent of your limits. When you approach a soft limit, submit a quota increase request proactively rather than waiting for a production incident. Microsoft typically processes quota increase requests within a few business days, but during high-demand periods it may take longer.
For services that support multiple tiers or SKUs, evaluate whether upgrading to a higher tier provides the headroom you need. Compare the cost of the upgrade against the cost of engineering effort to work around the current limits. Sometimes, paying for a higher service tier is more cost-effective than building complex application-level sharding, caching, or load-balancing logic to stay within the lower tier’s constraints.
Disaster Recovery and Business Continuity
When resolving service issues, consider the broader disaster recovery and business continuity implications. If Image Pull Errors in Azure Container Registry is a critical dependency, your Recovery Time Objective (RTO) and Recovery Point Objective (RPO) determine how quickly you need to restore service and how much data loss is acceptable.
Implement a multi-region deployment strategy for business-critical services. Azure paired regions provide automatic data replication and prioritized recovery during regional outages. Configure your application to failover to the secondary region when the primary region is unavailable. Test your failover procedures regularly to ensure they work correctly and meet your RTO targets.
Maintain infrastructure-as-code templates for all your Azure resources so you can redeploy your entire environment in a new region if necessary. Store these templates in a geographically redundant source code repository. Document the manual steps required to complete a region failover, including DNS changes, connection string updates, and data synchronization verification.
Container Apps and App Service
# Container Apps: Configure ACR with managed identity
az containerapp update \
--name myContainerApp \
--resource-group myRG \
--registry-server myregistry.azurecr.io \
--registry-identity system
# App Service: Configure ACR access
az webapp config container set \
--name myWebApp \
--resource-group myRG \
--container-image-name myregistry.azurecr.io/myapp:v1.0 \
--container-registry-url https://myregistry.azurecr.io \
--container-registry-user "" \
--container-registry-password ""
# Enable managed identity for App Service ACR pull
az webapp identity assign --name myWebApp --resource-group myRG
az role assignment create \
--assignee "$(az webapp identity show --name myWebApp --resource-group myRG --query principalId -o tsv)" \
--role AcrPull \
--scope "$(az acr show --name myregistry --query id -o tsv)"Image Retention and Cleanup
# Check if images are being removed by retention policies
az acr config retention show \
--registry myregistry
# Prune untagged manifests manually
az acr run --cmd "acr purge --filter 'myapp:.*' --ago 30d --untagged --keep 5" --registry myregistry /dev/nullCapacity Planning and Forecasting
The most effective resolution is preventing the issue from recurring through proactive capacity planning. Establish a regular review cadence where you analyze growth trends in your service utilization metrics and project when you will approach limits.
Use Azure Monitor metrics to track the key capacity indicators for Image Pull Errors in Azure Container Registry over time. Create a capacity planning workbook that shows current utilization as a percentage of your provisioned limits, the growth rate over the past 30, 60, and 90 days, and projected dates when you will reach 80 percent and 100 percent of capacity. Share this workbook with your engineering leadership to support proactive scaling decisions.
Factor in planned events that will drive usage spikes. Product launches, marketing campaigns, seasonal traffic patterns, and batch processing schedules all create predictable demand increases that should be accounted for in your capacity plan. If your application serves a global audience, consider time-zone-based traffic distribution and scale accordingly.
Implement autoscaling where the service supports it. Azure autoscale rules can automatically adjust capacity based on real-time metrics. Configure scale-out rules that trigger before you reach limits (at 70 percent utilization) and scale-in rules that safely reduce capacity during low-traffic periods to optimize costs. Test your autoscale rules under load to verify that they respond quickly enough to protect against sudden traffic spikes.
Summary
ACR image pull errors come from three main sources: authentication (assign AcrPull role to the pulling identity, use az aks update --attach-acr for AKS), image not found (verify tag/repository with az acr repository show-tags), and network restrictions (check public access settings and Private Endpoint DNS). Always run az acr check-health as the first diagnostic step, verify RBAC assignments with az role assignment list, and use managed identity authentication instead of service principals where possible.
For more details, refer to the official documentation: Introduction to Azure Container Registry, Troubleshoot registry login, Troubleshoot registry performance.