Restrict network access to container registries#
Security · Container Registry · Rule · 2023_09
Limit network access of container registries to only trusted clients.
Description#
Azure Container Registry (ACR) allows you to restrict network access to trusted clients and networks instead of any client.
Container registries using the Premium SKU can limit network access by setting firewall rules or using private endpoints. Firewall and private endpoints are not supported when using the Basic or Standard SKU.
In general, network access should be restricted to harden against unauthorized access or exfiltration attempts. However may not be required when publishing and distributing public container images to external parties.
Recommendation#
Consider restricting network access to trusted clients to harden against unauthorized access or exfiltration attempts.
Examples#
Configure with Azure template#
To deploy Azure Container Registries that pass this rule:
- Set the
properties.publicNetworkAccessproperty toDisabled. OR - Set the
properties.networkRuleSet.defaultActionproperty toDeny.
For example:
{
"type": "Microsoft.ContainerRegistry/registries",
"apiVersion": "2023-01-01-preview",
"name": "[parameters('registryName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Premium"
},
"properties": {
"publicNetworkAccess": "Enabled",
"networkRuleBypassOptions": "AzureServices",
"networkRuleSet": {
"defaultAction": "Deny",
"ipRules": [
{
"action": "Allow",
"value": "_PublicIPv4Address_"
}
]
}
}
}
Configure with Bicep#
To deploy Azure Container Registries that pass this rule:
- Set the
properties.publicNetworkAccessproperty toDisabled. OR - Set the
properties.networkRuleSet.defaultActionproperty toDeny.
For example:
resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {
name: registryName
location: location
sku: {
name: 'Premium'
}
properties: {
publicNetworkAccess: 'Enabled'
networkRuleBypassOptions: 'AzureServices'
networkRuleSet: {
defaultAction: 'Deny'
ipRules: [
{
action: 'Allow'
value: '_PublicIPv4Address_'
}
]
}
}
}
Notes#
Configuring firewall rules or using private endpoints is only available for the Premium SKU.
When used with Microsoft Defender for Containers, you must enable trusted Microsoft services for the vulnerability assessment feature to be able to scan the registry.
Links#
- Best practices for endpoint security on Azure
- Restrict access using private endpoint
- Restrict access using firewall rules
- Allow trusted services to securely access a network-restricted container registry
- Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management
- Azure security baseline for Container Registry
- NS-2: Secure cloud services with network controls
- Azure deployment reference