# Container Registry service firewall is not restricted
Security · Container Registry · Rule · 2023_09 · Important
Container Registry without restrictions can be accessed from any network location including the Internet.
## Description
Azure Container Registry (ACR) allows you to restrict network access to trusted clients and networks instead of any client.
Container registries using the Premium SKU can limit network access by setting firewall rules or using private endpoints. Firewall and private endpoints are not supported when using the Basic or Standard SKU.
In general, network access should be restricted to harden against unauthorized access or exfiltration attempts. However, this may not be required when publishing and distributing public container images to external parties.
## Recommendation
Consider restricting network access to trusted clients to harden against unauthorized access or exfiltration attempts.
## Examples

### Configure with Azure template
To deploy Azure Container Registries that pass this rule:
- Set the `properties.publicNetworkAccess` property to `Disabled`. OR
- Set the `properties.networkRuleSet.defaultAction` property to `Deny`.
For example:
```json
{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2023-11-01-preview",
  "name": "[parameters('registryName')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "properties": {
    "publicNetworkAccess": "Enabled",
    "networkRuleBypassOptions": "AzureServices",
    "networkRuleSet": {
      "defaultAction": "Deny",
      "ipRules": [
        {
          "action": "Allow",
          "value": "_PublicIPv4Address_"
        }
      ]
    }
  }
}
```
### Configure with Bicep
To deploy Azure Container Registries that pass this rule:
- Set the `properties.publicNetworkAccess` property to `Disabled`. OR
- Set the `properties.networkRuleSet.defaultAction` property to `Deny`.
For example:
```bicep
resource acr 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
  name: registryName
  location: location
  sku: {
    name: 'Premium'
  }
  properties: {
    publicNetworkAccess: 'Enabled'
    networkRuleBypassOptions: 'AzureServices'
    networkRuleSet: {
      defaultAction: 'Deny'
      ipRules: [
        {
          action: 'Allow'
          value: '_PublicIPv4Address_'
        }
      ]
    }
  }
}
```
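The two passing conditions above (`publicNetworkAccess` set to `Disabled`, or `networkRuleSet.defaultAction` set to `Deny`) can be checked before deployment by walking an ARM template's `resources` array. The following Python is an added example, not PSRule's own rule implementation: it evaluates each `Microsoft.ContainerRegistry/registries` resource against both conditions, flags non-Premium SKUs (which cannot carry these settings), and warns when `networkRuleBypassOptions` is not `AzureServices`, because that blocks the Defender vulnerability scanning described in the Notes. The ARM property defaults it assumes (public access `Enabled`, default action `Allow`, bypass `AzureServices`), the `acr-*` registry names and the sample IP range are constructed for the example.

```python
# Added example (not PSRule's own rule code): evaluate ARM template resources
# of type Microsoft.ContainerRegistry/registries against the two passing
# conditions on this page and surface the caveats from the Notes section.
from typing import Any, Dict, List

REGISTRY_TYPE = "Microsoft.ContainerRegistry/registries"


def _get(obj: Any, *path: str, default: Any = None) -> Any:
    """Walk nested dicts along path; return default if any key is missing."""
    cur = obj
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def evaluate_registry(resource: Dict[str, Any]) -> Dict[str, Any]:
    """Return pass/fail plus reasons and warnings for one registry resource."""
    sku = _get(resource, "sku", "name", default="Basic")
    # Assumed ARM defaults when a property is omitted: public access enabled,
    # firewall default action Allow, trusted Azure services allowed to bypass.
    public = _get(resource, "properties", "publicNetworkAccess", default="Enabled")
    default_action = _get(resource, "properties", "networkRuleSet", "defaultAction", default="Allow")
    bypass = _get(resource, "properties", "networkRuleBypassOptions", default="AzureServices")
    ip_rules = _get(resource, "properties", "networkRuleSet", "ipRules", default=[])

    reasons: List[str] = []
    warnings: List[str] = []
    # The rule passes when public access is off entirely, or when the firewall
    # denies by default so only explicit ipRules / trusted services get in.
    passed = public == "Disabled" or default_action == "Deny"
    if not passed:
        reasons.append("publicNetworkAccess is not 'Disabled' and networkRuleSet.defaultAction is not 'Deny'")
        if sku != "Premium":
            reasons.append(f"SKU '{sku}' does not support firewall rules or private endpoints; Premium is required")
    else:
        if sku != "Premium":
            warnings.append(f"network restrictions declared but SKU '{sku}' does not support them; deployment will fail")
        if default_action == "Deny" and public == "Enabled" and not ip_rules:
            warnings.append("defaultAction is Deny with no ipRules: only trusted services and private endpoints can reach the registry")
        if bypass != "AzureServices":
            warnings.append("networkRuleBypassOptions is not 'AzureServices'; Defender vulnerability assessment cannot scan the registry")
    return {"name": resource.get("name"), "pass": passed, "reasons": reasons, "warnings": warnings}


def evaluate_template(template: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Evaluate every registry resource in an ARM template's resources array."""
    return [evaluate_registry(r) for r in template.get("resources", []) if r.get("type") == REGISTRY_TYPE]


# Constructed sample template: four registries with different network settings.
SAMPLE_TEMPLATE = {
    "resources": [
        {   # same shape as the example on this page: public, but firewall denies by default
            "type": REGISTRY_TYPE, "name": "acr-firewalled",
            "sku": {"name": "Premium"},
            "properties": {
                "publicNetworkAccess": "Enabled",
                "networkRuleBypassOptions": "AzureServices",
                "networkRuleSet": {"defaultAction": "Deny",
                                   "ipRules": [{"action": "Allow", "value": "203.0.113.0/24"}]},
            },
        },
        {   # Basic SKU with defaults: reachable from any network location
            "type": REGISTRY_TYPE, "name": "acr-basic-open",
            "sku": {"name": "Basic"}, "properties": {},
        },
        {   # public access switched off entirely (private endpoints only)
            "type": REGISTRY_TYPE, "name": "acr-private",
            "sku": {"name": "Premium"},
            "properties": {"publicNetworkAccess": "Disabled"},
        },
        {   # passes the rule but blocks trusted services, so Defender scanning breaks
            "type": REGISTRY_TYPE, "name": "acr-deny-no-bypass",
            "sku": {"name": "Premium"},
            "properties": {"networkRuleBypassOptions": "None",
                           "networkRuleSet": {"defaultAction": "Deny", "ipRules": []}},
        },
        {"type": "Microsoft.Storage/storageAccounts", "name": "ignored"},
    ]
}

if __name__ == "__main__":
    for result in evaluate_template(SAMPLE_TEMPLATE):
        status = "PASS" if result["pass"] else "FAIL"
        print(f"{status} {result['name']}: {result['reasons'] or result['warnings'] or 'ok'}")
```

Run it against a real template by loading the file with `json.load` and passing the result to `evaluate_template`; a `Deny` default with an empty `ipRules` list is reported as a warning rather than a failure because it is a valid, if very restrictive, configuration.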
### Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
For example:
To use the latest version:
## Notes
Configuring firewall rules or using private endpoints is only available for the Premium SKU.
When used with Microsoft Defender for Containers, you must enable trusted Microsoft services (`networkRuleBypassOptions` set to `AzureServices`) for the vulnerability assessment feature to be able to scan a network-restricted registry.
## Links
- SE:06 Network controls
- Restrict access using private endpoint
- Restrict access using firewall rules
- Allow trusted services to securely access a network-restricted container registry
- Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management
- Azure security baseline for Container Registry
- NS-2: Secure cloud services with network controls
- Azure deployment reference