Azure Proactive Resiliency Library v2
Tools Glossary GitHub GitHub Issues Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

registries

Summary

RecommendationImpactCategoryAutomation AvailableIn Azure Advisor
Use Premium tier for critical production workloadsHighScalabilityYesNo
Enable zone redundancyMediumHigh AvailabilityYesNo
Create container registries with geo-replication enabledHighDisaster RecoveryYesNo
Use Repository namespacesMediumSecurityNoNo
Disable anonymous pull accessMediumSecurityYesNo
Configure Diagnostic Settings for all Azure Container RegistriesMediumMonitoring and AlertingNoNo
Monitor Azure Container Registry with Azure MonitorMediumMonitoring and AlertingNoNo
Enable soft delete policyLowDisaster RecoveryYesNo

Details


Use Premium tier for critical production workloads

Impact:  High Category:  Scalability

APRL GUID:  eb005943-40a8-194b-9db2-474d430046b7

Description:

Choose a service tier of Azure Container Registry to meet your performance needs. Premium offers the most bandwidth and highest rate of read and write operations for high-volume deployments. Use Basic to start, Standard for production, and Premium for hyper-scale performance and geo-replication.

Potential Benefits:

High-volume support and geo-replication
Learn More:
Container Registry Best Practices

ARG Query:

Click the Azure Resource Graph tab to view the query

// Azure Resource Graph Query
// Find all Container Registries that are not using the Premium tier
resources
| where type =~ "microsoft.containerregistry/registries"
| where sku.name != "Premium"
| project recommendationId = "eb005943-40a8-194b-9db2-474d430046b7", name, id, tags, param1=strcat("SkuName: ", tostring(sku.name))
| order by id asc



Enable zone redundancy

Impact:  Medium Category:  High Availability

APRL GUID:  63491f70-22e4-3b4a-8b0c-845450e46fac

Description:

Azure Container Registry's optional zone redundancy enhances resiliency and high availability for registries or replication resources in a specific region by distributing resources across multiple zones.

Potential Benefits:

Enhances resiliency and high availability
Learn More:
Registry best practices - Enable zone redundancy

ARG Query:

Click the Azure Resource Graph tab to view the query

// Azure Resource Graph Query
// Find all Container Registries that do not have zone redundancy enabled
resources
| where type =~ "microsoft.containerregistry/registries"
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| where properties.zoneRedundancy != "Enabled"
| project recommendationId = "63491f70-22e4-3b4a-8b0c-845450e46fac", name, id, tags, param1=strcat("zoneRedundancy: ", tostring(properties.zoneRedundancy))
| order by id asc



Create container registries with geo-replication enabled

Impact:  High Category:  Disaster Recovery

APRL GUID:  36ea6c09-ef6e-d743-9cfb-bd0c928a430b

Description:

Use Azure Container Registry's geo-replication for multi-region deployments to simplify registry management and minimize latency. It enables serving global customers from local data centers and supports distributed development teams. Regional webhooks can notify of events in replicas.

Potential Benefits:

Simplifies management, reduces latency
Learn More:
Registry best practices - Enable geo-replication
Geo-Replicate Container Registry

ARG Query:

Click the Azure Resource Graph tab to view the query

// Azure Resource Graph Query
// Find all Container Registries that do not have geo-replication enabled
resources
| where type =~ "microsoft.containerregistry/registries"
| project registryName = name, registryId = id, tags, primaryRegion = location
| join kind=leftouter (
    Resources
    | where type =~ "microsoft.containerregistry/registries/replications"
    | project replicationRegion=name, replicationId = id
    | extend registryId=strcat_array(array_slice(split(replicationId, '/'), 0, -3), '/')
    ) on registryId
| project-away registryId1, replicationId
| where isempty(replicationRegion)
| project recommendationId = "36ea6c09-ef6e-d743-9cfb-bd0c928a430b", name=registryName, id=registryId, tags
| order by id asc



Use Repository namespaces

Impact:  Medium Category:  Security

APRL GUID:  a5a0101a-a240-8742-90ba-81dbde9a0c0c

Description:

Using repository namespaces allows a single registry to be shared across multiple groups and deployments within an organization, supporting nested namespaces for group isolation. However, repositories are managed independently, not hierarchically.

Potential Benefits:

Enables sharing and group isolation
Learn More:
Registry best practices - use repository namespaces

ARG Query:

Click the Azure Resource Graph tab to view the query

// cannot-be-validated-with-arg



Disable anonymous pull access

Impact:  Medium Category:  Security

APRL GUID:  03f4a7d8-c5b4-7842-8e6e-14997a34842b

Description:

By default, Azure container registry requires authentication for pull/push actions. Enabling anonymous pull access exposes all content for public read actions. This applies to all repositories, potentially allowing unrestricted access if repository-scoped tokens are used.

Potential Benefits:

Enhanced security and controlled access
Learn More:
Enable anonymous pull access

ARG Query:

Click the Azure Resource Graph tab to view the query

// Azure Resource Graph Query
// Find all Container Registries that have anonymous pull access enabled
resources
| where type =~ "microsoft.containerregistry/registries"
| where properties.anonymousPullEnabled == "true"
| project recommendationId = "03f4a7d8-c5b4-7842-8e6e-14997a34842b", name, id, tags
| order by id asc



Configure Diagnostic Settings for all Azure Container Registries

Impact:  Medium Category:  Monitoring and Alerting

APRL GUID:  44107155-7a32-9348-89f3-d5aa7e7c5a1d

Description:

Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.

Potential Benefits:

Enhanced tracking and debugging
Learn More:
Monitoring Azure Container Registry data reference - Resource Logs
Monitor Azure Container Registry - Enable diagnostic logs

ARG Query:

Click the Azure Resource Graph tab to view the query

// cannot-be-validated-with-arg



Monitor Azure Container Registry with Azure Monitor

Impact:  Medium Category:  Monitoring and Alerting

APRL GUID:  d594cde6-4116-d143-a64a-25f63289a2f8

Description:

Monitoring Azure resources using Azure Monitor enhances their availability, performance, and operation. Azure Container Registry, a full-stack monitoring service, provides features for Azure and other cloud and on-premises resources.

Potential Benefits:

Enhanced monitoring and operation
Learn More:
Monitoring Azure Container Registry data reference
Monitor Azure Container Registry

ARG Query:

Click the Azure Resource Graph tab to view the query

// cannot-be-validated-with-arg



Enable soft delete policy

Impact:  Low Category:  Disaster Recovery

APRL GUID:  e7f0fd54-fba0-054e-9ab8-e676f2851f88

Description:

Enabling soft delete preview feature in Azure Container Registry (ACR) allows for the management of deleted artifacts with a specified retention period. Users can list, filter, and restore these artifacts until automatically purged post-retention.

Potential Benefits:

Recovery of deleted artifacts
Learn More:
Enable soft delete policy

ARG Query:

Click the Azure Resource Graph tab to view the query

// Azure Resource Graph Query
// Provides a list of Azure Container Registry resources that do not have soft delete enabled
resources
| where type =~ "microsoft.containerregistry/registries"
| where properties.policies.softDeletePolicy.status == "disabled"
| project recommendationId = "e7f0fd54-fba0-054e-9ab8-e676f2851f88", name, id, tags
| order by id asc