Container Registry does not replica images to a secondary region#
Reliability · Container Registry · Rule · 2025_09 · Important
Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start.
Description#
A container registry is stored and maintained by default in a single region. Optionally geo-replication to one or more additional regions can be enabled to provide resilience against regional outages.
Geo-replicating container registries provides the following benefits:
- Single registry/ image/ tag names can be used across multiple regions.
- Network-close registry access within the region reduces latency.
- As images are pulled from a local replicated registry, each pull does not incur additional egress costs.
Recommendation#
Consider using a premium container registry and geo-replicating content to one or more additional regions.
Examples#
Configure with Bicep#
To deploy container registries that pass this rule:
- Set the
sku.nameproperty toPremiumof the container registry. - Add
replicationschild resource withlocationset to the region to replicate to.
For example:
resource registry 'Microsoft.ContainerRegistry/registries@2025-05-01-preview' = {
name: name
location: location
sku: {
name: 'Premium'
}
identity: {
type: 'SystemAssigned'
}
properties: {
adminUserEnabled: false
anonymousPullEnabled: false
publicNetworkAccess: 'Disabled'
zoneRedundancy: 'Enabled'
policies: {
quarantinePolicy: {
status: 'enabled'
}
retentionPolicy: {
days: 30
status: 'enabled'
}
softDeletePolicy: {
retentionDays: 90
status: 'enabled'
}
exportPolicy: {
status: 'disabled'
}
}
}
}
resource registryReplica 'Microsoft.ContainerRegistry/registries/replications@2025-04-01' = {
parent: registry
name: secondaryLocation
location: secondaryLocation
properties: {
regionEndpointEnabled: true
zoneRedundancy: 'Enabled'
}
}
Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
Configure with Azure template#
To deploy container registries that pass this rule:
- Set the
sku.nameproperty toPremiumof the container registry. - Add
replicationschild resource withlocationset to the region to replicate to.
For example to configure a container registry:
{
"type": "Microsoft.ContainerRegistry/registries",
"apiVersion": "2025-05-01-preview",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
"name": "Premium"
},
"identity": {
"type": "SystemAssigned"
},
"properties": {
"adminUserEnabled": false,
"anonymousPullEnabled": false,
"publicNetworkAccess": "Disabled",
"zoneRedundancy": "Enabled",
"policies": {
"quarantinePolicy": {
"status": "enabled"
},
"retentionPolicy": {
"days": 30,
"status": "enabled"
},
"softDeletePolicy": {
"retentionDays": 90,
"status": "enabled"
},
"exportPolicy": {
"status": "disabled"
}
}
}
}
For example to configure a container registry replica:
{
"type": "Microsoft.ContainerRegistry/registries/replications",
"apiVersion": "2025-04-01",
"name": "[format('{0}/{1}', parameters('name'), parameters('secondaryLocation'))]",
"location": "[parameters('secondaryLocation')]",
"properties": {
"regionEndpointEnabled": true,
"zoneRedundancy": "Enabled"
},
"dependsOn": [
"[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]"
]
}
Notes#
Geo-replication of a Container Registry requires the Premium SKU.
Links#
- RE:05 High-availability multi-region design
- Geo-replicate multi-region deployments
- Geo-replication in Azure Container Registry
- Tutorial: Prepare a geo-replicated Azure container registry
- Azure deployment reference - container registry
- Azure deployment reference - container registry replication