Container Registry SKU is not suitable for production workloads

Reliability · Container Registry · Rule · 2020_06 · Important

The Basic SKU provides limited performance and features for production container registry workloads.

Description

Azure Container Registry (ACR) provides a range of different service tiers (also known as SKUs). These service tiers provide different levels of performance and features.

Three service tiers are available: Basic, Standard, and Premium. Basic container registries are only recommended for non-production deployments. Use a minimum of Standard for production container registries.

The Premium SKU provides higher image throughput and included storage, and is required for:

• Geo-replication
• Availability zones
• Private Endpoints
• Firewall restrictions
• Tokens and scope-maps

Recommendation

Consider using the Premium Container Registry SKU for production deployments.

Examples

Configure with Bicep

To deploy registries that pass this rule:

• Set the sku.name property to Premium or Standard.

For example:

Azure Bicep snippet

resource registry 'Microsoft.ContainerRegistry/registries@2025-05-01-preview' = {
  name: name
  location: location
  sku: {
    name: 'Premium'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    adminUserEnabled: false
    anonymousPullEnabled: false
    publicNetworkAccess: 'Disabled'
    zoneRedundancy: 'Enabled'
    policies: {
      quarantinePolicy: {
        status: 'enabled'
      }
      retentionPolicy: {
        days: 30
        status: 'enabled'
      }
      softDeletePolicy: {
        retentionDays: 90
        status: 'enabled'
      }
      exportPolicy: {
        status: 'disabled'
      }
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/container-registry/registry:<version>

To use the latest version:

br/public:avm/res/container-registry/registry:0.9.3

---

• What is Azure Verified Modules?
• Usage and parameters for this module

Configure with Azure template

To deploy registries that pass this rule:

• Set the sku.name property to Premium or Standard.

For example:

Azure Template snippet

{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2025-05-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "adminUserEnabled": false,
    "anonymousPullEnabled": false,
    "publicNetworkAccess": "Disabled",
    "zoneRedundancy": "Enabled",
    "policies": {
      "quarantinePolicy": {
        "status": "enabled"
      },
      "retentionPolicy": {
        "days": 30,
        "status": "enabled"
      },
      "softDeletePolicy": {
        "retentionDays": 90,
        "status": "enabled"
      },
      "exportPolicy": {
        "status": "disabled"
      }
    }
  }
}

Links

• RE:04 Target metrics
• Azure Container Registry SKUs
• Geo-replication in Azure Container Registry
• Best practices for Azure Container Registry
• Azure deployment reference

Comments