Azure Proactive Resiliency Library v2

registries

Summary

Recommendation | Impact | Category | Automation Available | In Azure Advisor
Use Premium tier for critical production workloads | High | Scalability | Yes | No
Enable zone redundancy | High | High Availability | Yes | No
Enable geo-replication | High | Disaster Recovery | Yes | No
Use Repository namespaces | Low | Security | No | No
Move Container Registry to a dedicated resource group | Low | Governance | Yes | No
Manage registry size | Medium | Scalability | Yes | No
Disable anonymous pull access | Medium | Security | Yes | No
Configure Diagnostic Settings for all Azure Container Registries | Medium | Monitoring and Alerting | No | No
Monitor Azure Container Registry with Azure Monitor | Medium | Monitoring and Alerting | No | No
Enable soft delete policy | Medium | Disaster Recovery | Yes | No

Details


Use Premium tier for critical production workloads

Impact:  High Category:  Scalability

APRL GUID:  eb005943-40a8-194b-9db2-474d430046b7

Description:

Choose a service tier of Azure Container Registry to meet your performance needs. Premium offers the most bandwidth and highest rate of read and write operations for high-volume deployments. Use Basic to start, Standard for production, and Premium for hyper-scale performance and geo-replication.

Potential Benefits:

High-volume support and geo-replication
Learn More:
Container Registry Best Practices

ARG Query:


// Azure Resource Graph Query
// Find all Container Registries that are not using the Premium tier
// (=~ and !~ are case-insensitive string comparisons)
resources
| where type =~ "microsoft.containerregistry/registries"
| where sku.name !~ "Premium"
| project recommendationId = "eb005943-40a8-194b-9db2-474d430046b7", name, id, tags, param1=strcat("SkuName: ", tostring(sku.name))
| order by id asc



Enable zone redundancy

Impact:  High Category:  High Availability

APRL GUID:  63491f70-22e4-3b4a-8b0c-845450e46fac

Description:

Azure Container Registry's optional zone redundancy enhances resiliency and high availability for registries or replication resources in a specific region by distributing resources across multiple zones.

Potential Benefits:

Enhances resiliency and high availability
Learn More:
Registry best practices - Enable zone redundancy

ARG Query:


// Azure Resource Graph Query
// Find all Container Registries that do not have zone redundancy enabled.
// Only regions that offer availability zones are considered; registries in
// other regions are skipped. Zone redundancy is a Premium tier feature.
resources
| where type =~ "microsoft.containerregistry/registries"
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| where properties.zoneRedundancy !~ "Enabled"
| project recommendationId = "63491f70-22e4-3b4a-8b0c-845450e46fac", name, id, tags, param1=strcat("zoneRedundancy: ", tostring(properties.zoneRedundancy))
| order by id asc



Enable geo-replication

Impact:  High Category:  Disaster Recovery

APRL GUID:  36ea6c09-ef6e-d743-9cfb-bd0c928a430b

Description:

Use Azure Container Registry's geo-replication for multi-region deployments to simplify registry management and minimize latency. It enables serving global customers from local data centers and supports distributed development teams. Regional webhooks can notify of events in replicas.

Potential Benefits:

Simplifies management, reduces latency
Learn More:
Registry best practices - Enable geo-replication
Geo-Replicate Container Registry

ARG Query:


// Azure Resource Graph Query
// Find all Container Registries that do not have geo-replication enabled, i.e.
// that have no registries/replications child resource. Geo-replication requires
// the Premium tier, so Basic and Standard registries always appear in the result.
resources
| where type =~ "microsoft.containerregistry/registries"
| project registryName = name, registryId = id, tags, primaryRegion = location
| join kind=leftouter (
    resources
    | where type =~ "microsoft.containerregistry/registries/replications"
    | project replicationRegion = name, replicationId = id
    // Drop the trailing "/replications/<region>" to recover the parent registry id
    | extend registryId = strcat_array(array_slice(split(replicationId, '/'), 0, -3), '/')
    ) on registryId
| project-away registryId1, replicationId
| where isempty(replicationRegion)
| project recommendationId = "36ea6c09-ef6e-d743-9cfb-bd0c928a430b", name=registryName, id=registryId, tags
| order by id asc



Use Repository namespaces

Impact:  Low Category:  Security

APRL GUID:  a5a0101a-a240-8742-90ba-81dbde9a0c0c

Description:

Using repository namespaces allows a single registry to be shared across multiple groups and deployments within an organization, supporting nested namespaces for group isolation. However, repositories are managed independently, not hierarchically.

Potential Benefits:

Enables sharing and group isolation
Learn More:
Registry best practices - use repository namespaces

ARG Query:


// cannot-be-validated-with-arg



Move Container Registry to a dedicated resource group

Impact:  Low Category:  Governance

APRL GUID:  8e389532-5db5-7e4c-9d4d-443b3e55ae82

Description:

A container registry is shared by many hosts, so place it in its own resource group. If the registry lives in the same group as the container instances or other hosts that consume it, deleting that group while experimenting with hosts deletes the image collection along with them; a dedicated resource group keeps the images intact.

Potential Benefits:

Safeguards image collection
Learn More:
Registry best practices - Use dedicated resource group

ARG Query:


// Azure Resource Graph Query
// List container registries that share a resource group with other resources.
// Child resources of the registries themselves (replications, webhooks, ...)
// are not counted, so a geo-replicated registry alone in its group is not flagged.
resources
| where type =~ "microsoft.containerregistry/registries"
| project registryName=name, registryId=id, registryTags=tags, resourceGroupId=strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup), resourceGroup, subscriptionId
| join kind=inner (
    resources
    | where not(type startswith "microsoft.containerregistry/registries")
    | summarize resourceCount=count() by subscriptionId, resourceGroup
    | where resourceCount != 0
) on resourceGroup, subscriptionId
| project recommendationId = "8e389532-5db5-7e4c-9d4d-443b3e55ae82", name=registryName, id=registryId, tags=registryTags, param1=strcat('resourceGroupName:',resourceGroup), param2=strcat('resourceGroupId:',resourceGroupId)
| order by id asc



Manage registry size

Impact:  Medium Category:  Scalability

APRL GUID:  3ef86f16-f65b-c645-9901-7830d6dc3a1b

Description:

Each Azure Container Registry service tier comes with a storage limit, and the tiers align with usage scenarios: Basic for getting started, Standard for production, and Premium for high-scale performance and geo-replication. Keep a registry within its limit by removing unused repositories and tags and by enabling a retention policy so that untagged manifests are purged automatically after a set number of days.

Potential Benefits:

Reduce costs, optimize storage
Learn More:
Registry best practices - Manage registry size
Retention Policy

ARG Query:


// Azure Resource Graph Query
// Find all Container Registries that have their retention policy disabled.
// The retention policy (Premium tier) purges untagged manifests after the
// configured number of days; tagged images are not affected.
resources
| where type =~ "microsoft.containerregistry/registries"
| where properties.policies.retentionPolicy.status =~ "disabled"
| project recommendationId = "3ef86f16-f65b-c645-9901-7830d6dc3a1b", name, id, tags, param1='retentionPolicy:disabled'
| order by id asc



Disable anonymous pull access

Impact:  Medium Category:  Security

APRL GUID:  03f4a7d8-c5b4-7842-8e6e-14997a34842b

Description:

By default, Azure Container Registry requires authentication for every pull and push. Enabling anonymous pull access makes the content of every repository in the registry readable without credentials. The setting is registry-wide, so it also defeats the repository restrictions of any repository-scoped tokens you use to limit pull access: with anonymous pull on, a token scoped to one repository no longer prevents reads of the others. Leave it disabled unless the registry is meant to serve public content.

Potential Benefits:

Enhanced security and controlled access
Learn More:
Enable anonymous pull access

ARG Query:


// Azure Resource Graph Query
// Find all Container Registries that have anonymous pull access enabled.
// anonymousPullEnabled is a boolean property; tobool() makes the comparison
// robust whether the value arrives as true or as the string "true".
resources
| where type =~ "microsoft.containerregistry/registries"
| where tobool(properties.anonymousPullEnabled) == true
| project recommendationId = "03f4a7d8-c5b4-7842-8e6e-14997a34842b", name, id, tags
| order by id asc



Configure Diagnostic Settings for all Azure Container Registries

Impact:  Medium Category:  Monitoring and Alerting

APRL GUID:  44107155-7a32-9348-89f3-d5aa7e7c5a1d

Description:

Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.

Potential Benefits:

Enhanced tracking and debugging
Learn More:
Monitoring Azure Container Registry data reference - Resource Logs
Monitor Azure Container Registry - Enable diagnostic logs

ARG Query:


// cannot-be-validated-with-arg



Monitor Azure Container Registry with Azure Monitor

Impact:  Medium Category:  Monitoring and Alerting

APRL GUID:  d594cde6-4116-d143-a64a-25f63289a2f8

Description:

Monitoring Azure resources with Azure Monitor improves their availability, performance, and operation. Azure Monitor is a full-stack monitoring service that collects metrics and logs from Azure Container Registry as well as from other Azure, cloud, and on-premises resources.

Potential Benefits:

Enhanced monitoring and operation
Learn More:
Monitoring Azure Container Registry data reference
Monitor Azure Container Registry

ARG Query:


// cannot-be-validated-with-arg



Enable soft delete policy

Impact:  Medium Category:  Disaster Recovery

APRL GUID:  e7f0fd54-fba0-054e-9ab8-e676f2851f88

Description:

Enabling soft delete in Azure Container Registry (ACR) allows for the management of deleted artifacts with a specified retention period. Users can list, filter, and restore these artifacts until automatically purged post-retention.

Potential Benefits:

Recovery of deleted artifacts
Learn More:
Enable soft delete policy

ARG Query:


// Azure Resource Graph Query
// Provides a list of Azure Container Registry resources that do not have soft delete enabled
resources
| where type =~ "microsoft.containerregistry/registries"
| where properties.policies.softDeletePolicy.status =~ "disabled"
| project recommendationId = "e7f0fd54-fba0-054e-9ab8-e676f2851f88", name, id, tags
| order by id asc
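The evaluator below is an added example and is not code from the APRL project or from this page. It applies the conditions of the page's Azure Resource Graph queries that can be automated (Premium tier, zone redundancy, geo-replication, dedicated resource group, retention policy, anonymous pull access and soft delete) to a list of ARG records in Python, so an exported result set can be checked offline or in CI. The recommendation GUIDs and the availability-zone region list are the page's own; the subscription id, registry names, regions and the AKS cluster in the sample records are constructed, and treating anonymousPullEnabled as possibly a string is a robustness choice, not documented ARG behaviour.

```python
"""Offline evaluator for the Azure Container Registry checks on this page.

Added example, not APRL code: applies the page's ARG query conditions to a list
of ARG records (for example the `data` array returned by
`az graph query -q "resources"`). SAMPLE_RECORDS is constructed data.
"""

# APRL recommendation GUIDs from this page.
PREMIUM = "eb005943-40a8-194b-9db2-474d430046b7"
ZONE_REDUNDANCY = "63491f70-22e4-3b4a-8b0c-845450e46fac"
GEO_REPLICATION = "36ea6c09-ef6e-d743-9cfb-bd0c928a430b"
DEDICATED_RG = "8e389532-5db5-7e4c-9d4d-443b3e55ae82"
RETENTION = "3ef86f16-f65b-c645-9901-7830d6dc3a1b"
ANON_PULL = "03f4a7d8-c5b4-7842-8e6e-14997a34842b"
SOFT_DELETE = "e7f0fd54-fba0-054e-9ab8-e676f2851f88"

REGISTRY = "microsoft.containerregistry/registries"
REPLICATION = REGISTRY + "/replications"

# Regions with availability zones, as listed in the page's zone-redundancy query.
ZONE_REGIONS = {
    "australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia",
    "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth",
    "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope",
    "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus",
    "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth",
    "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3",
}

def as_bool(value):
    """anonymousPullEnabled is a bool in ARG; tolerate exports that render it as "true"."""
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"

def policy_status(registry, policy):
    """Lower-cased status of properties.policies.<policy>, "" when the block is absent."""
    policies = (registry.get("properties") or {}).get("policies") or {}
    return str((policies.get(policy) or {}).get("status", "")).lower()

def registry_id_from_replication_id(replication_id):
    """Drop the trailing '/replications/<region>' to recover the parent registry id
    (the page's query does the same with array_slice(split(id, '/'), 0, -3))."""
    return "/".join(replication_id.split("/")[:-2])

def resource_group_id(resource_id):
    """Lower-cased '/subscriptions/<sub>/resourceGroups/<rg>' prefix of an ARM id."""
    return "/".join(resource_id.split("/")[:5]).lower()

def evaluate(records):
    """Map each recommendation GUID to the sorted ids of the registries that fail it."""
    findings = {g: [] for g in (PREMIUM, ZONE_REDUNDANCY, GEO_REPLICATION,
                                DEDICATED_RG, RETENTION, ANON_PULL, SOFT_DELETE)}
    replicated = {registry_id_from_replication_id(r["id"]).lower()
                  for r in records if r["type"].lower() == REPLICATION}
    # Resources per resource group, excluding registries and their child resources
    # (replications, webhooks) so a geo-replicated registry is not flagged for
    # sharing a group with its own replicas.
    others = {}
    for r in records:
        if not r["type"].lower().startswith(REGISTRY):
            rg = resource_group_id(r["id"])
            others[rg] = others.get(rg, 0) + 1
    for reg in (r for r in records if r["type"].lower() == REGISTRY):
        rid, props = reg["id"], reg.get("properties") or {}
        if str((reg.get("sku") or {}).get("name", "")).lower() != "premium":
            findings[PREMIUM].append(rid)
        if (reg["location"].lower() in ZONE_REGIONS
                and str(props.get("zoneRedundancy", "")).lower() != "enabled"):
            findings[ZONE_REDUNDANCY].append(rid)
        if rid.lower() not in replicated:
            findings[GEO_REPLICATION].append(rid)
        if others.get(resource_group_id(rid), 0) > 0:
            findings[DEDICATED_RG].append(rid)
        if policy_status(reg, "retentionPolicy") == "disabled":
            findings[RETENTION].append(rid)
        if as_bool(props.get("anonymousPullEnabled", False)):
            findings[ANON_PULL].append(rid)
        if policy_status(reg, "softDeletePolicy") == "disabled":
            findings[SOFT_DELETE].append(rid)
    return {g: sorted(ids) for g, ids in findings.items()}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
RG_PROD = SUB + "/resourceGroups/rg-acr-prod/providers/"
RG_APPS = SUB + "/resourceGroups/rg-apps/providers/"
SAMPLE_RECORDS = [  # constructed ARG records: one hardened and one misconfigured registry
    {"type": "Microsoft.ContainerRegistry/registries", "name": "acrprod", "location": "westeurope",
     "id": RG_PROD + "Microsoft.ContainerRegistry/registries/acrprod", "sku": {"name": "Premium"},
     "properties": {"zoneRedundancy": "Enabled", "anonymousPullEnabled": False,
                    "policies": {"retentionPolicy": {"status": "enabled", "days": 7},
                                 "softDeletePolicy": {"status": "enabled", "retentionDays": 7}}}},
    {"type": "Microsoft.ContainerRegistry/registries/replications", "name": "northeurope", "location": "northeurope",
     "id": RG_PROD + "Microsoft.ContainerRegistry/registries/acrprod/replications/northeurope"},
    {"type": "Microsoft.ContainerRegistry/registries", "name": "acrdev", "location": "eastus",
     "id": RG_APPS + "Microsoft.ContainerRegistry/registries/acrdev", "sku": {"name": "Basic"},
     "properties": {"zoneRedundancy": "Disabled", "anonymousPullEnabled": "true",  # string form, see as_bool
                    "policies": {"retentionPolicy": {"status": "disabled"},
                                 "softDeletePolicy": {"status": "disabled"}}}},
    {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-apps", "location": "eastus",
     "id": RG_APPS + "Microsoft.ContainerService/managedClusters/aks-apps"},
]

if __name__ == "__main__":
    for guid, ids in evaluate(SAMPLE_RECORDS).items():
        print(guid, ids)
```

Run stand-alone it reports the Basic registry acrdev under all seven GUIDs and the hardened Premium registry acrprod under none. To use it on real data, pass the `data` array from `az graph query -q "resources"` (paging with `--first` and `--skip-token` on large tenants); the dedicated-resource-group check deliberately ignores the registry's own child resources, which the page's ARG query would otherwise count as "additional" resources for every geo-replicated registry.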