Site icon

Build image with containerised self-hosted Azure DevOps agent and private Azure Container Registry

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.


Containerization has revolutionized the way we deploy and manage software. By packaging applications and their dependencies into a container, we can ensure that our software will run consistently across different environments. This is particularly useful when it comes to setting up self-hosted agents for Azure Pipelines.

A self-hosted agent is an agent that you set up and manage on your own to run jobs. You can use self-hosted agents in Azure Pipelines or Git Hub Actions. Self-hosted agents give you more control to install dependent software needed for your builds and deployments.


Why use containerised self-hosted agent

As we have seen the benefit of running the workload in container including agility, portability, high density and more. By running your self-hosted agent in a container, you can take advantage of the benefits of containerization.


What is the challenge of using containerised self-hosted agent?

As part of CI/CD building workload container images is a key capability. It is possible to run Docker tasks on containerised selfhost agent however it does require access to the docker daemon at host level. This has critical security concerns.

A solution is to use Azure Container Registry (ACR) Task. With ACR Tasks, you can use Azure Container Registry to build container images for various platforms in the cloud. ACR Tasks also lets you automate the process of updating your Docker containers with OS and framework patches.

By default, Azure container registry accepts connections over the internet from hosts on any network. This opens an attack surface, and it is not normally in acceptable in enterprise environment. ACR Task use an agent running on Azure and required appropriated permission to able communicate with the Azure Container registry.


Proposed solution

There are a wide range of options to run containerized self-hosted agents on Azure from Azure Kubernetes Service to Azure Container App. This proof of concept Demonstrates the building of container images using self-hosted agent using Azure Container Instances with Azure Container Registry with private access only.  





Architecture Diagram



Proof of concept:

The proof of concept is all written in Bicep and can be found at GitHub repo (,). It provision the following:



ADO Organization and a PAT token for more details permission required please refer to Run a self-hosted agent in Docker - Azure Pipelines | Microsoft Learn

GitHub Repo and Token for more detail permission required please refer to Managing your personal access tokens - GitHub Docs


Deployment Steps:

1) Update the parameter file to include the correct parameters:


2) Run the command to deploy the resource:


3) To start the image build process, we can connect to self-host agent using Connect capability in Azure Container Registry


4) Run command to trigger build task.





5 ) From figure above you can see that self-host agent has successfully build the image and uploaded the image into the Azure Container Registry



If you are considering setting up a self-hosted agent for Azure Pipelines, it’s definitely worth considering running it in a container and using an Azure Container Registry with public access disabled for building images with ACR Tasks.



Related Content:

Run a self-hosted agent in Docker - Azure Pipelines | Microsoft Learn

Managing your personal access tokens - GitHub Docs

Run a self-hosted agent in Docker - Azure Pipelines | Microsoft Learn

ACR Tasks overview - Azure Container Registry | Microsoft Learn


Exit mobile version