Container Registry
The presented resiliency recommendations in this guidance include Container Registries and dependent resources and settings.
Summary of Recommendations
| Recommendation | Category | Impact | State | ARG Query Available |
|---|---|---|---|---|
| CR-1 - Use Premium tier for critical production workloads | System Efficiency | High | Preview | Yes |
| CR-2 - Enable zone redundancy | Availability | High | Preview | Yes |
| CR-3 - Enable geo-replication | Disaster Recovery | High | Preview | Yes |
| CR-5 - Use Repository namespaces | Access & Security | Low | Preview | No |
| CR-6 - Move Container Registry to a dedicated resource group | Governance | Low | Preview | Yes |
| CR-7 - Manage registry size | System Efficiency | Medium | Preview | No |
| CR-8 - Disable anonymous pull access | Access & Security | Medium | Preview | Yes |
| CR-10 - Configure Diagnostic Settings for all Azure Container Registries | Monitoring | Medium | Preview | No |
| CR-11 - Monitor Azure Container Registry with Azure Monitor | Monitoring | Medium | Preview | No |
| CR-12 - Enable soft delete policy | Disaster Recovery | Medium | Preview | Yes |
Recommendations Details
CR-1 - Use Premium tier for critical production workloads
Category: System Efficiency
Impact: High
Guidance
Choose a service tier of Azure Container Registry that meets your performance needs. The Premium tier provides the greatest bandwidth and highest rate of concurrent read and write operations when you have high-volume deployments. Use Basic for getting started, Standard for most production applications, and Premium for hyper-scale performance and geo-replication.
Resources
Resource Graph Query
// Azure Resource Graph Query
// Find all Container Registries that are not using the Premium tier
resources
| where type =~ "microsoft.containerregistry/registries"
| where sku.name != "Premium"
| project recommendationId = "cr-1", name, id, tags, param1=strcat("SkuName: ", tostring(sku.name))
| order by id asc
CR-2 - Enable zone redundancy
Category: Availability
Impact: High
Guidance
Azure Container Registry supports optional zone redundancy. Zone redundancy provides resiliency and high availability to a registry or replication resource (replica) in a specific region.
Resources
Resource Graph Query
// Azure Resource Graph Query
// Find all Container Registries that do not have zone redundancy enabled
resources
| where type =~ "microsoft.containerregistry/registries"
| where properties.zoneRedundancy != "Enabled"
| project recommendationId = "cr-2", name, id, tags, param1=strcat("zoneRedundancy: ", tostring(properties.zoneRedundancy))
| order by id asc
CR-3 - Enable geo-replication
Category: Disaster Recovery
Impact: High
Guidance
Use Azure Container Registry’s geo-replication feature if you’re deploying containers to multiple regions. Whether you’re serving global customers from local data centers or your development team is in different locations, you can simplify registry management and minimize latency by geo-replicating your registry. You can also configure regional webhooks to notify you of events in specific replicas such as when images are pushed.
Geo-replication is available with Premium registries.
Resources
Resource Graph Query
// Azure Resource Graph Query
// Find all Container Registries that do not have geo-replication enabled
resources
| where type =~ "microsoft.containerregistry/registries"
| project registryName = name, registryId = id, tags, primaryRegion = location
| join kind=leftouter (
Resources
| where type =~ "microsoft.containerregistry/registries/replications"
| project replicationRegion=name, replicationId = id
| extend registryId=strcat_array(array_slice(split(replicationId, '/'), 0, -3), '/')
) on registryId
| project-away registryId1, replicationId
| where isempty(replicationRegion)
| project recommendationId = "cr-3", name=registryName, id=registryId, tags
| order by id asc
CR-5 - Use Repository namespaces
Category: Access & Security
Impact: Low
Guidance
By using repository namespaces, you can allow sharing a single registry across multiple groups within your organization. Registries can be shared across deployments and teams. Azure Container Registry supports nested namespaces, enabling group isolation. However, the registry manages all repositories independently, not as a hierarchy.
Resources
Resource Graph Query
// cannot-be-validated-with-arg
CR-6 - Move Container Registry to a dedicated resource group
Category: Governance
Impact: Low
Guidance
Because container registries are resources that are used across multiple container hosts, a registry should reside in its own resource group.
Although you might experiment with a specific host type, such as Azure Container Instances, you’ll likely want to delete the container instance when you’re done. However, you might also want to keep the collection of images you pushed to Azure Container Registry. By placing your registry in its own resource group, you minimize the risk of accidentally deleting the collection of images in the registry when you delete the container instance resource group.
Resources
Resource Graph Query
// Azure Resource Graph Query
// List container registries that contain additional resources within the same resource group.
resources
| where type =~ "microsoft.containerregistry/registries"
| project registryName=name, registryId=id, registryTags=tags, resourceGroupId=strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup), resourceGroup, subscriptionId
| join kind=inner (
resources
| where not(type =~ "microsoft.containerregistry/registries")
| summarize recourceCount=count() by subscriptionId, resourceGroup
| where recourceCount != 0
) on resourceGroup, subscriptionId
| project recommendationId = "cr-6", name=registryName, id=registryId, tags=registryTags, param1=strcat('resourceGroupName:',resourceGroup), param2=strcat('resourceGroupId:',resourceGroupId)
CR-7 - Manage registry size
Category: System Efficiency
Impact: Medium
Guidance
The storage constraints of each container registry service tier are intended to align with a typical scenario: Basic for getting started, Standard for most production applications, and Premium for hyper-scale performance and geo-replication. Throughout the life of your registry, you should manage its size by periodically deleting unused content. Consider also enabling a retention policy to automatically delete untagged image manifests to free up storage space.
Resources
Resource Graph Query
// Azure Resource Graph Query
// Find all Container Registries that have their retention policy disabled
resources
| where type =~ "microsoft.containerregistry/registries"
| where properties.policies.retentionPolicy.status == "disabled"
| project recommendationId = "cr-7", name, id, tags, param1='retentionPolicy:disabled'
| order by id asc
CR-8 - Disable anonymous pull access
Category: Access & Security
Impact: Medium
Guidance
By default, access to pull or push content from an Azure container registry is only available to authenticated users. Enabling anonymous (unauthenticated) pull access makes all registry content publicly available for read (pull) actions. Warning: Anonymous pull access currently applies to all repositories in the registry. If you manage repository access using repository-scoped tokens, all users may pull from those repositories in a registry enabled for anonymous pull. We recommend deleting tokens when anonymous pull access is enabled.
Resources
Resource Graph Query
// Azure Resource Graph Query
// Find all Container Registries that have anonymous pull access enabled
resources
| where type =~ "microsoft.containerregistry/registries"
| where properties.anonymousPullEnabled == "true"
| project recommendationId = "cr-8", name, id, tags
| order by id asc
CR-10 - Configure Diagnostic Settings for all Azure Container Registries
Category: Monitoring
Impact: Medium
Guidance
Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.
Resources
- Monitoring Azure Container Registry data reference - Resource Logs
- Monitor Azure Container Registry - Enable diagnostic logs
Resource Graph Query
// cannot-be-validated-with-arg
CR-11 - Monitor Azure Container Registry with Azure Monitor
Category: Monitoring
Impact: Medium
Guidance
When you have critical applications and business processes relying on Azure resources, you want to monitor those resources for their availability, performance, and operation. Azure Container Registry creates monitoring data using Azure Monitor, which is a full stack monitoring service in Azure that provides a complete set of features to monitor your Azure resources in addition to resources in other clouds and on-premises.
Resources
Resource Graph Query
// cannot-be-validated-with-arg
CR-12 - Enable soft delete policy
Category: Disaster Recovery
Impact: Medium
Guidance
Once you enable the soft delete policy, ACR manages the deleted artifacts as the soft deleted artifacts with a set retention period. Thereby you have ability to list, filter, and restore the soft deleted artifacts. Once the retention period is complete, all the soft deleted artifacts are auto-purged.
Resources
Resource Graph Query
// Azure Resource Graph Query
// Provides a list of Azure Container Registry resources that do not have soft delete enabled
resources
| where type =~ "microsoft.containerregistry/registries"
| where properties.policies.softDeletePolicy.status == "disabled"
| project recommendationId = "cr-12", name, id, tags
| order by id asc