Use Premium tier for critical production workloads
Impact: High | Category: Scalability
APRL GUID: eb005943-40a8-194b-9db2-474d430046b7
Description:
Choose a service tier of Azure Container Registry to meet your performance needs. Premium offers the most bandwidth and highest rate of read and write operations for high-volume deployments. Use Basic to start, Standard for production, and Premium for hyper-scale performance and geo-replication.
Azure Container Registry's optional zone redundancy enhances resiliency and high availability for registries or replication resources in a specific region by distributing resources across multiple zones.
Create container registries with geo-replication enabled
Impact: High | Category: Disaster Recovery
APRL GUID: 36ea6c09-ef6e-d743-9cfb-bd0c928a430b
Description:
Use Azure Container Registry's geo-replication for multi-region deployments to simplify registry management and minimize latency. It lets you serve global customers from local data centers and supports distributed development teams. Regional webhooks can notify you of events in the local replicas.
Using repository namespaces allows a single registry to be shared across multiple groups and deployments within an organization, supporting nested namespaces for group isolation. However, repositories are managed independently, not hierarchically.
Azure Resource Graph query:
//cannot-be-validated-with-arg
Disable anonymous pull access
Impact: Medium | Category: Security
APRL GUID: 03f4a7d8-c5b4-7842-8e6e-14997a34842b
Description:
By default, Azure Container Registry requires authentication for pull and push actions. Enabling anonymous pull access exposes all registry content to public read actions. The setting applies to every repository in the registry, so it can also undermine pull restrictions that were meant to be enforced with repository-scoped tokens.
Azure Resource Graph query:
//cannot-be-validated-with-arg
Monitor Azure Container Registry with Azure Monitor
Impact: Medium | Category: Monitoring and Alerting
APRL GUID: d594cde6-4116-d143-a64a-25f63289a2f8
Description:
Monitoring Azure resources with Azure Monitor improves their availability, performance, and operation. Azure Monitor is a full-stack monitoring service that covers Azure resources as well as resources in other clouds and on-premises, and Azure Container Registry emits metrics and logs that it can collect and alert on.
Azure Resource Graph query:
//cannot-be-validated-with-arg
Enable soft delete policy
Impact: Low | Category: Disaster Recovery
APRL GUID: e7f0fd54-fba0-054e-9ab8-e676f2851f88
Description:
Enabling the soft delete (preview) feature in Azure Container Registry (ACR) retains deleted artifacts for a specified retention period. Users can list, filter, and restore these artifacts until they are automatically purged at the end of the retention period.
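As an added example that is not part of the APRL page, the script below evaluates a registry against the recommendations listed above (Premium tier with zone redundancy, geo-replication, anonymous pull disabled, soft delete enabled). The input is a constructed sample shaped like `az acr show` and `az acr replication list` output; the property names (`sku.name`, `zoneRedundancy`, `anonymousPullEnabled`, `policies.softDeletePolicy.status`) are assumed from the ARM registry resource model, not taken from the page.

```python
import json

# Constructed samples that mirror the shape of `az acr show` output (field names are
# assumed from the ARM registry resource model, not taken from the APRL page).
WEAK_REGISTRY = json.loads("""
{"name": "contosoregistry", "location": "eastus",
 "sku": {"name": "Standard", "tier": "Standard"},
 "zoneRedundancy": "Disabled",
 "anonymousPullEnabled": true,
 "policies": {"softDeletePolicy": {"status": "disabled", "retentionDays": 7}}}
""")
HARDENED_REGISTRY = json.loads("""
{"name": "contosoregistry", "location": "eastus",
 "sku": {"name": "Premium", "tier": "Premium"},
 "zoneRedundancy": "Enabled",
 "anonymousPullEnabled": false,
 "policies": {"softDeletePolicy": {"status": "enabled", "retentionDays": 7}}}
""")
# Constructed `az acr replication list` output: home region only vs. one extra replica.
WEAK_REPLICATIONS = [{"location": "eastus"}]
HARDENED_REPLICATIONS = [{"location": "eastus"}, {"location": "westeurope"}]


def check_registry(registry, replications):
    """Return (finding, impact) pairs for each listed recommendation the registry misses."""
    findings = []
    if registry.get("sku", {}).get("name") != "Premium":
        findings.append(("Not on Premium tier", "High"))
    if registry.get("zoneRedundancy") != "Enabled":
        findings.append(("Zone redundancy disabled", "High"))
    # Geo-replication means at least one replica outside the registry's home region.
    if not {r["location"] for r in replications} - {registry["location"]}:
        findings.append(("No geo-replication configured", "High"))
    if registry.get("anonymousPullEnabled", False):
        findings.append(("Anonymous pull access enabled", "Medium"))
    soft_delete = registry.get("policies", {}).get("softDeletePolicy", {})
    if str(soft_delete.get("status", "")).lower() != "enabled":
        findings.append(("Soft delete policy disabled", "Low"))
    return findings


if __name__ == "__main__":
    for name, reg, reps in (("weak", WEAK_REGISTRY, WEAK_REPLICATIONS),
                            ("hardened", HARDENED_REGISTRY, HARDENED_REPLICATIONS)):
        print(name, check_registry(reg, reps) or "meets all listed recommendations")
```

To run it against a real registry, replace the constructed samples with the JSON returned by `az acr show --name <registry>` and `az acr replication list --registry <registry>`.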