Container Registry does not replicate images to a secondary region

Reliability · Container Registry · Rule · 2025_09 · Important

Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start.

Description

A container registry is stored and maintained in a single region by default. Optionally, geo-replication to one or more additional regions can be enabled to provide resilience against regional outages.

Geo-replicating container registries provides the following benefits:

  • A single registry, image, and tag name can be used across multiple regions.
  • Network-close registry access within the region reduces latency.
  • As images are pulled from a local replicated registry, each pull does not incur additional egress costs.

Recommendation

Consider using a premium container registry and geo-replicating content to one or more additional regions.

Examples

Configure with Bicep

To deploy container registries that pass this rule:

  • Set the sku.name property of the container registry to Premium.
  • Add a replications child resource with location set to the region to replicate to.

For example:

Azure Bicep snippet
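// Parameters referenced by the resources below.
param name string
param location string = resourceGroup().location
param secondaryLocation string

// Premium registry; geo-replication requires this SKU.
resource registry 'Microsoft.ContainerRegistry/registries@2025-05-01-preview' = {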
  name: name
  location: location
  sku: {
    name: 'Premium'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    adminUserEnabled: false
    anonymousPullEnabled: false
    publicNetworkAccess: 'Disabled'
    zoneRedundancy: 'Enabled'
    policies: {
      quarantinePolicy: {
        status: 'enabled'
      }
      retentionPolicy: {
        days: 30
        status: 'enabled'
      }
      softDeletePolicy: {
        retentionDays: 90
        status: 'enabled'
      }
      exportPolicy: {
        status: 'disabled'
      }
    }
  }
}

resource registryReplica 'Microsoft.ContainerRegistry/registries/replications@2025-04-01' = {
  parent: registry
  name: secondaryLocation
  location: secondaryLocation
  properties: {
    regionEndpointEnabled: true
    zoneRedundancy: 'Enabled'
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/container-registry/registry:<version>

To use the latest version:

br/public:avm/res/container-registry/registry:0.9.1

Configure with Azure template

To deploy container registries that pass this rule:

  • Set the sku.name property of the container registry to Premium.
  • Add a replications child resource with location set to the region to replicate to.

For example, to configure a container registry:

Azure Template snippet
{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2025-05-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "adminUserEnabled": false,
    "anonymousPullEnabled": false,
    "publicNetworkAccess": "Disabled",
    "zoneRedundancy": "Enabled",
    "policies": {
      "quarantinePolicy": {
        "status": "enabled"
      },
      "retentionPolicy": {
        "days": 30,
        "status": "enabled"
      },
      "softDeletePolicy": {
        "retentionDays": 90,
        "status": "enabled"
      },
      "exportPolicy": {
        "status": "disabled"
      }
    }
  }
}

For example, to configure a container registry replica:

Azure Template snippet
{
  "type": "Microsoft.ContainerRegistry/registries/replications",
  "apiVersion": "2025-04-01",
  "name": "[format('{0}/{1}', parameters('name'), parameters('secondaryLocation'))]",
  "location": "[parameters('secondaryLocation')]",
  "properties": {
    "regionEndpointEnabled": true,
    "zoneRedundancy": "Enabled"
  },
  "dependsOn": [
    "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]"
  ]
}
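
The two conditions above can be checked against an ARM template before deployment. The following is an added example, not part of the rule's own implementation: `check_template` and `SAMPLE` are hypothetical names, the sample template is constructed, and location expressions such as `[parameters('location')]` are compared as text rather than evaluated.

```python
REGISTRY = "Microsoft.ContainerRegistry/registries"
REPLICA = REGISTRY + "/replications"


def _region(value):
    # ARM treats "East US" and "eastus" as the same region.
    return str(value).replace(" ", "").lower()


def _replicas(registry, resources):
    """Replications nested under the registry or linked to it through dependsOn."""
    ref = registry.get("name", "").strip("[]")  # "[parameters('name')]" -> "parameters('name')"
    nested = [c for c in registry.get("resources", [])
              if c.get("type") in ("replications", REPLICA)]
    linked = [r for r in resources if r.get("type") == REPLICA
              and any(ref and ref in dep for dep in r.get("dependsOn", []))]
    return nested + linked


def check_template(template):
    """Return (registry name, problem) pairs; an empty list means every registry passes."""
    resources = template.get("resources", [])
    findings = []
    for reg in (r for r in resources if r.get("type") == REGISTRY):
        name = reg.get("name", "<unnamed>")
        if reg.get("sku", {}).get("name") != "Premium":
            findings.append((name, "sku.name is not Premium"))
        home = _region(reg.get("location", ""))
        # Assumption: expressions are compared as text, not evaluated.
        if not any(_region(c.get("location", "")) != home for c in _replicas(reg, resources)):
            findings.append((name, "no replication in a second region"))
    return findings


# Constructed sample: one registry configured as in the snippets above, one Basic registry.
SAMPLE = {"resources": [
    {"type": REGISTRY, "name": "[parameters('name')]", "location": "[parameters('location')]",
     "sku": {"name": "Premium"}},
    {"type": REPLICA, "name": "[format('{0}/{1}', parameters('name'), parameters('secondaryLocation'))]",
     "location": "[parameters('secondaryLocation')]",
     "dependsOn": ["[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]"]},
    {"type": REGISTRY, "name": "devregistry", "location": "West Europe", "sku": {"name": "Basic"}},
]}

if __name__ == "__main__":
    for name, problem in check_template(SAMPLE):
        print(f"{name}: {problem}")
```

Linking a top-level replication to its registry through `dependsOn` is a text match, so it is a heuristic; templates that reference the registry another way need that case added.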

Notes

Geo-replication of a Container Registry requires the Premium SKU.