Skip to content

Restrict network access to container registries#

Security · Container Registry · Rule · 2023_09 · Important

Limit network access of container registries to only trusted clients.

Description#

Azure Container Registry (ACR) allows you to restrict network access to trusted clients and networks instead of any client.

Container registries using the Premium SKU can limit network access by setting firewall rules or using private endpoints. Firewall and private endpoints are not supported when using the Basic or Standard SKU.

In general, network access should be restricted to harden against unauthorized access or exfiltration attempts. However may not be required when publishing and distributing public container images to external parties.

Recommendation#

Consider restricting network access to trusted clients to harden against unauthorized access or exfiltration attempts.

Examples#

Configure with Azure template#

To deploy Azure Container Registries that pass this rule:

  • Set the properties.publicNetworkAccess property to Disabled. OR
  • Set the properties.networkRuleSet.defaultAction property to Deny.

For example:

Azure Template snippet
{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2023-01-01-preview",
  "name": "[parameters('registryName')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "properties": {
    "publicNetworkAccess": "Enabled",
    "networkRuleBypassOptions": "AzureServices",
    "networkRuleSet": {
      "defaultAction": "Deny",
      "ipRules": [
        {
          "action": "Allow",
          "value": "_PublicIPv4Address_"
        }
      ]
    }
  }
}

Configure with Bicep#

To deploy Azure Container Registries that pass this rule:

  • Set the properties.publicNetworkAccess property to Disabled. OR
  • Set the properties.networkRuleSet.defaultAction property to Deny.

For example:

Azure Bicep snippet
resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {
  name: registryName
  location: location
  sku: {
    name: 'Premium'
  }
  properties: {
    publicNetworkAccess: 'Enabled'
    networkRuleBypassOptions: 'AzureServices'
    networkRuleSet: {
      defaultAction: 'Deny'
      ipRules: [
        {
          action: 'Allow'
          value: '_PublicIPv4Address_'
        }
      ]
    }
  }
}

Notes#

Configuring firewall rules or using private endpoints is only available for the Premium SKU.

When used with Microsoft Defender for Containers, you must enable trusted Microsoft services for the vulnerability assessment feature to be able to scan the registry.

Comments