Microsoft Azure — Azure Container Registry (ACR)
ACR, repositories, tasks, geo-replication, authentication with AKS, and image scanning..
20+ years shipping production infrastructure and CI/CD at scale. Lessons pulled from things that broke in production.
- ✓Azure subscription with contributor access, Azure CLI 2.50+, Docker Desktop 20.10+, kubectl 1.28+, Helm 3.8+ (optional), basic knowledge of containerization and Kubernetes concepts.
Azure is Microsoft's cloud computing platform offering over 200 services. This article covers azure container registry (acr) with production-ready configurations, best practices, and hands-on examples.
Why ACR Exists and When to Use It
Azure Container Registry (ACR) is a managed Docker registry service for storing and managing container images across all Azure deployment targets. Unlike Docker Hub, ACR integrates natively with Azure Active Directory, supports geo-replication for low-latency pulls, and provides advanced security features like image scanning and content trust. Use ACR when you need private, secure storage for your container images within the Azure ecosystem, especially for production workloads where you control access, retention, and compliance. Avoid ACR if you need a multi-cloud registry or prefer a vendor-neutral solution like Harbor. ACR shines in single-cloud Azure shops where tight integration with AKS, App Service, and Azure Pipelines reduces operational overhead.
Authentication and Authorization: Beyond admin keys
Never use admin keys in production. They are static, shared secrets that bypass Azure AD and cannot be rotated without downtime. Instead, use Azure AD authentication with managed identities or service principals. For AKS clusters, assign the AcrPull role to the cluster's managed identity. For CI/CD pipelines, use a service principal with AcrPush role scoped to the registry. This enables token-based authentication that can be rotated and audited. For third-party tools that don't support Azure AD, use repository-scoped tokens (preview) to limit access to specific repositories. Always enforce Azure AD authentication and disable admin user after initial setup.
Building and Pushing Images with ACR Tasks
ACR Tasks provides on-demand container image building directly in Azure, eliminating the need for a local Docker daemon. Use it for automated builds triggered by Git commits or base image updates. ACR Tasks supports multi-step workflows, parallel builds, and can build from any Dockerfile. For production, define tasks with YAML that include unit tests, linting, and security scanning. Use the acr build command for ad-hoc builds, but prefer task definitions for repeatability. ACR Tasks also caches layers across builds, speeding up subsequent runs. Integrate with Azure Pipelines or GitHub Actions for full CI/CD, but ACR Tasks alone can handle simple build pipelines.
Geo-Replication for Global Deployments
Geo-replication replicates your container images across multiple Azure regions, enabling fast pulls from any location and providing disaster recovery. Enable it on Premium SKU only. When you push an image to one region, it's asynchronously replicated to all enabled regions. AKS clusters in different regions pull from their local replica, reducing latency and avoiding single points of failure. Monitor replication status via Azure Monitor or CLI. Be aware of eventual consistency: a newly pushed image may not be immediately available in all regions. For critical deployments, wait for replication confirmation before rolling out. Geo-replication also helps with data sovereignty requirements.
az acr replication list to verify all replicas are up-to-date before proceeding.Security: Image Scanning and Content Trust
ACR integrates with Microsoft Defender for Cloud to scan images for vulnerabilities on push. Enable this for all repositories. Additionally, use content trust (Notary v1) to sign images and verify publisher identity. Content trust ensures only signed images are pulled, preventing tampering. For production, enforce that only signed images can be deployed by configuring AKS admission controllers or using Azure Policy. Also, enable quarantine: when a vulnerability is found, the image is marked as untrusted and cannot be pulled until resolved. Regularly review scan results and set up alerts for critical vulnerabilities. Rotate signing keys periodically.
Automated Cleanup and Retention Policies
Without cleanup, ACR repositories accumulate stale images, consuming storage and increasing costs. Use retention policies to automatically delete untagged manifests after a specified number of days. For tagged images, implement a custom cleanup strategy using ACR Tasks or Azure Automation. A common approach is to keep only the last N versions per repository. Use the acr purge command in a scheduled task to remove old images. Be careful not to delete images currently in use by running containers. Tag images with build numbers or dates to facilitate selective deletion. Monitor storage usage and set alerts for unexpected growth.
Integrating ACR with AKS for Seamless Deployments
The most common production pattern is ACR feeding images to AKS. Use the AKS cluster's managed identity to pull images from ACR (as shown earlier). For deployments, reference images by digest rather than tag to ensure immutability. Use Helm charts or Kustomize to manage deployments, and update the image digest in your CI/CD pipeline. For blue-green or canary deployments, leverage ACR's repository structure to separate versions. Monitor pull latency and set up Azure Monitor alerts for failed pulls. Consider using ACR Connected Registry for edge deployments where connectivity is intermittent.
Monitoring and Troubleshooting ACR
Monitor ACR health using Azure Monitor metrics: pull/push latency, storage usage, and authentication failures. Set up alerts for high latency or failed requests. Enable diagnostic logs to capture all registry operations, including authentication attempts and image pulls. Use Log Analytics to query logs for troubleshooting. Common issues: authentication failures (check role assignments), pull timeouts (check network latency or geo-replication status), and storage limits (monitor usage and set alerts). For slow pulls, ensure the AKS cluster is in the same region as the ACR replica. Use az acr check-health for a quick diagnostic.
az acr check-health regularly in your CI/CD pipeline to catch issues early. It checks connectivity, authentication, and Docker version compatibility.Cost Optimization and SKU Selection
ACR pricing is based on SKU, storage, and data transfer. Basic SKU is for development only (10 GB storage, no geo-replication). Standard SKU (100 GB) is for low-volume production. Premium SKU (500 GB) is for production with geo-replication, content trust, and higher throughput. Optimize costs by: using retention policies to delete unused images, choosing the right SKU based on storage needs, and minimizing cross-region data transfer by co-locating registries and compute. For high-volume pulls, consider using a content delivery network (CDN) or Azure Front Door to cache images. Monitor storage growth and scale up SKU only when needed.
Disaster Recovery and Backup Strategies
ACR geo-replication provides built-in disaster recovery for the registry itself. However, you also need to protect against accidental deletion of images or the entire registry. Enable soft delete (preview) to recover deleted images within a retention period. Export critical images to another Azure region or another cloud as a backup. Use Azure Backup for the registry metadata, but note that images themselves are not backed up by default. For compliance, export image manifests and layers to Azure Blob Storage periodically. Test your disaster recovery plan by simulating a regional failure and verifying that your AKS clusters can pull from the secondary replica.
Advanced: Connected Registry and Edge Deployments
ACR Connected Registry extends ACR to on-premises or edge environments with intermittent connectivity. It acts as a local cache that synchronizes images from the cloud registry. Use it for IoT, retail, or manufacturing scenarios where pulling from the cloud is slow or unreliable. Deploy the connected registry agent on a local server, configure synchronization rules, and manage it via Azure. The connected registry supports read-only (pull) and read-write (push) modes. For production, ensure the local cache has enough storage and monitor synchronization status. Failover to cloud registry if local cache is outdated.
Putting It All Together: Production CI/CD Pipeline
A production-grade CI/CD pipeline using ACR integrates source control, automated builds, security scanning, and deployment. Use Azure Pipelines or GitHub Actions to trigger ACR Tasks on commits. After build, scan the image with Defender for Cloud. If vulnerabilities are found, fail the pipeline. Sign the image with content trust. Then, update the Kubernetes deployment manifest with the new image digest and apply it to AKS. Use staged rollouts with canary deployments. Monitor the rollout with Azure Monitor and roll back if errors exceed thresholds. This end-to-end automation ensures only secure, signed images reach production.
| File | Command / Code | Purpose |
|---|---|---|
| create-acr.sh | az acr create \ | Why ACR Exists and When to Use It |
| auth-acr.sh | AKS_CLUSTER_NAME="my-aks" | Authentication and Authorization |
| acr-task.yaml | version: v1.1.0 | Building and Pushing Images with ACR Tasks |
| geo-replicate.sh | az acr replication create --registry myacr --location westeurope | Geo-Replication for Global Deployments |
| enable-scanning.sh | az acr update --name myacr --resource-group my-rg --enable-scanning true | Security |
| cleanup-task.yaml | version: v1.1.0 | Automated Cleanup and Retention Policies |
| deployment.yaml | apiVersion: apps/v1 | Integrating ACR with AKS for Seamless Deployments |
| diagnose.sh | az acr check-health --name myacr --yes | Monitoring and Troubleshooting ACR |
| cost-estimate.sh | az acr show-usage --name myacr --resource-group my-rg --output table | Cost Optimization and SKU Selection |
| backup-images.sh | az acr import \ | Disaster Recovery and Backup Strategies |
| connected-registry.sh | az acr connected-registry create \ | Advanced |
| azure-pipelines.yml | trigger: | Putting It All Together |
Key takeaways
Frequently Asked Questions
20+ years shipping production infrastructure and CI/CD at scale. Lessons pulled from things that broke in production.
That's Azure. Mark it forged?
4 min read · try the examples if you haven't