We need to set ACR to be available only to selected networks (not public access).
However, when we set this, ACI is not able to pull image from the ACR.
How to solve this?
EDIT:
ACI says:
Failed to pull image "<acrname>.azurecr.io/<imagae-name>:02b6d84d635c3d9ff4182ad1c50d16364695d3d5": rpc error: code Unknown desc Error response from daemon: Head "https://<acrname>.azurecr.io/v2/<image-name>/manifests/02b6d84d635c3d9ff4182ad1c50d16364695d3d5": denied: client with IP 'x.x.x.x' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
Found few relevent Document1 and Document2 which clearly stated that unfortunately we don't have this feature as of now to access the images from ACR through private network using ACI.
Only an Azure Kubernetes Service cluster or Azure virtual machine can be used as a host to access a container registry using a service endpoint. Other Azure services including Azure Container Instances aren't supported
If your purpose is to make the ACI only be accessible from the VNet, make the image public or accessible from the Internet and delpy the ACI into the VNet. But it doesn't mean your ACR will be public or your image need to be public image. You can have your private ACR and image but the images will access from the internet not from Selected Networks.