Azure Container Registry Overview: Build, Manage, and Store Container images and Artifacts in a Private Registry

Azure Container Registry

Binaries, configuration files, web pages, and even virtual machines (VMs) and containers are parts of a DevOps build pipeline. In a contemporary application, they form the building blocks. Containers simplify the deployment process by including as many parts as possible.
However, this raises some questions: 
How do you deploy those containers across a large-scale cloud application and manage them?
Every engineer wants to be able to easily manage services and applications. But which technology is best suited for the task? In this article, we’ll look at Microsoft’s Azure Container Registry in detail and examine why it may be the ideal option for your development team.

What is Azure Container Registry (ACR)?

Azure Container Registry (ACR) is a highly scalable and secure Docker registry service that lets you deploy, manage, and store Docker container images on the Microsoft Azure cloud platform. It provides an easy way to use the same image across different environments, such as development, testing, and production.

ACR enables you to create private registries, which are only accessible by you and your team members, or public registries, which can be accessed by anyone with the registry’s name and a valid subscription ID.

ACR supports Docker image signing and can automatically build new images from commit messages. It lets you download your private images for deployment into Kubernetes clusters or on-premises environments.

Use the Azure Container Registry client library to:

  • Register images or artifacts.
  • Obtain metadata for the repositories, tags, and images.
  • Set the read/write/delete properties on registry items.
  • Delete the repositories, tags, and artifacts.

Azure Container Registry Key Concepts

Here are some key concepts of Azure Container Registry:

Registry

You can store and distribute container images using Azure Container Registry, a hosted Docker registry service. Use it to store Docker images for later use, or use it as a private image repository for your applications.

Azure Container Registry is built on top of Azure Storage, so it has all the benefits of using Azure Storage, such as global availability and geo-replication supporting global distribution.

Each image in the registry has an associated tag that consists of a namespace and a name. You can either create new namespaces or use existing ones. The namespace could be used by you or someone else—it’s up to you!

A variety of content artifacts, such as Open Container Initiative (OCI) image formats and Helm charts, are supported by Azure Container Registry.

Repository

A repository is a container registry hosted by a Microsoft-hosted service (such as Azure Container Registry). Repositories are typically used for storing private images that you can share with other team members or applications within your organization.

Repository names may also include namespaces. By delimiting names with a forward slash, namespaces let you identify related repositories and artifact ownership within your organization. The registry manages each repository independently rather than as a hierarchy.

Artifacts

Artifacts are files that you’ve pushed to an ACR repository. These can be Dockerfile files, which contain instructions for creating a Docker image, or individual files placed inside the root directory of an image.

Azure Container Registry Features

Azure Container Registry uses docker distribution to store and distribute Docker images. The service includes features such as:

Registry Service Tiers

Azure Container Registry is available in two service tiers: Basic and Standard. 

  • The Basic tier provides an image repository with limited storage capacity and retention time. 
  • The Standard tier provides an image repository with unlimited storage capacity and retention time. 

Security and Access

Access a registry with the Azure CLI or with the usual docker login command. Using TLS encryption, Azure Container Registry encrypts connections to clients and sends container images over HTTPS.

You can specify which users can access your registry with either service principal accounts or Managed Identity Access Policies (MIPs). Service principal accounts are credentials used by Azure services to authenticate with Azure resources. MIPs allow users to sign in with their organizational accounts, on-premises or inside the Azure portal, without having to manage new credentials.

The Premium service tier features content trust for image tag signing, as well as firewalls and virtual networks (preview) for controlling registry access. Microsoft Defender for Cloud may scan an image when it is pushed to Azure Container Registry.

Versioned Storage

Azure Container Registry stores your container images as a collection of layers that can be versioned independently. This allows you to control access by tagging layers with access control lists (ACLs) or to use permissions on specific tags.

Supported Images and Artifacts

Azure Container Registry supports images and artifacts. You can use the registry to store your container images and use it as a repository for your application image layers.

You can upload an image to the registry and then deploy that image to your Kubernetes cluster or another environment. You can also store artifacts, such as binaries or configuration files, in the registry. You can then download these artifacts from the registry to deploy them on-premises or in another cloud provider’s environment.

Use standard Docker commands to push or pull images. In addition to Docker container images, Azure Container Registry supports related content types, including Helm charts and images built for the Open Container Initiative (OCI).

Automated Image Builds

Azure Container Registry provides an Automated Image Builds feature that lets you build container images from source code on a schedule. The built images are stored in the same registry where they were built. This feature helps you avoid the manual steps of pushing images to the registry and gives you a single source of truth for your container images. Azure Container Registry Tasks (ACR Tasks) help you create, test, and deploy images faster. By shifting docker build operations to Azure, ACR Tasks allow you to virtualize your development process.

Azure Container Registry Use Cases and Best Practices

ACR also supports the use cases listed below.

Manage Registry Size

Limit the storage capacity of an Azure Container Registry by specifying an Azure Storage account for it. This will allow you to track how much storage is being used by your registry and control capacity usage within the account.

Authentication and Authorization

These are key aspects of using Azure Container Registry. If you don’t configure them correctly, the result can be unintended consequences such as unauthorized access or privilege escalation attacks.

Dedicated Resource Group

A registry should be located in its own resource group, since container registries are resources that several container hosts access.

Although you might experiment with a particular host type, such as Azure Container Instances, you will probably want to delete the container instance once you’re done.

You might also wish to keep the collection of images you pushed to the Azure Container Registry. When you put your registry in its own resource group, you reduce the chance that you’ll mistakenly delete the registry’s collection of images when you delete the resource group for the container instance.
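
A configuration check for the Authentication and Authorization and Dedicated Resource Group practices above, as an added example (not code from this article or from Microsoft). It assumes registry properties in the JSON shape printed by `az acr show` and resource types as printed by `az resource list`; all sample values are constructed.

```python
import json

# Constructed sample shaped like `az acr show` output (not a real registry).
SAMPLE_REGISTRY = json.loads("""
{
  "name": "exampleregistry",
  "resourceGroup": "rg-shared",
  "sku": {"name": "Standard"},
  "adminUserEnabled": true,
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": null,
  "policies": {"trustPolicy": {"status": "disabled"}}
}
""")

# Constructed: "type" values of resources in the same resource group,
# shaped like `az resource list --resource-group rg-shared` output.
SAMPLE_GROUP_TYPES = [
    "Microsoft.ContainerRegistry/registries",
    "Microsoft.ContainerInstance/containerGroups",
]

def audit_registry(reg, group_types):
    """Return a list of (check_id, message) findings for one registry."""
    findings = []
    sku = (reg.get("sku") or {}).get("name", "")
    if reg.get("adminUserEnabled"):
        findings.append(("admin-user", "shared admin account enabled; "
                         "use service principals or managed identities"))
    rules = reg.get("networkRuleSet") or {}
    open_network = (reg.get("publicNetworkAccess", "Enabled") == "Enabled"
                    and rules.get("defaultAction", "Allow") == "Allow")
    if open_network:
        hint = "" if sku == "Premium" else " (network rules need the Premium tier)"
        findings.append(("open-network", "endpoint reachable from any network" + hint))
    trust = ((reg.get("policies") or {}).get("trustPolicy") or {}).get("status", "disabled")
    if trust.lower() != "enabled":
        findings.append(("no-content-trust", "content trust for image tag signing is off"))
    # Anything outside the registry's own resource types shares its lifecycle.
    others = [t for t in group_types if not t.startswith("Microsoft.ContainerRegistry/")]
    if others:
        findings.append(("shared-group", "resource group also holds: " + ", ".join(sorted(others))))
    return findings

if __name__ == "__main__":
    for check_id, message in audit_registry(SAMPLE_REGISTRY, SAMPLE_GROUP_TYPES):
        print(f"[{check_id}] {message}")
```
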

Network-Close Deployment

Azure Container Registry supports the ability to create a private repository that a single user or organization can use without requiring any network access to the registry server. This is accomplished by providing a tool in the Azure portal that allows you to generate an SSH key pair that will be used to authenticate your client with the registry server.

Azure Container Registry Pricing and Tiers

There are various service tiers (SKUs) for Azure Container Registry. These tiers offer predictable pricing and a range of choices for adjusting to your private Docker registry’s capacity and usage patterns in Azure.

Azure Container Registry Standard

Standard tier features, pricing, and limitations:

Features

  • Azure containers for network-closed deployment
  • Privately stored Docker images
  • Large-scale accessibility
  • Quick access to information

Pricing

Per day $0.667

Limitations

Resource                     Standard Tier
Included storage (GiB)       100
WriteOps per minute          500
Download bandwidth (Mbps)    60
Upload bandwidth (Mbps)      20
Webhooks                     10

Azure Container Registry Premium

Premium tier features, pricing, and limitations:

Features

  • Provides high-volume plans
  • Content trust for image tag signing
  • A private link with private endpoints restricting registry access
  • Higher image throughput
  • Geo-replication across multiple regions

Pricing

Per day $1.667

Limitations

Resource                     Premium Tier
Included storage (GiB)       500
WriteOps per minute          2000
Download bandwidth (Mbps)    100
Upload bandwidth (Mbps)      50
Webhooks                     500

Which One do I Need?

All tiers offer the same programmatic features. Additionally, they all benefit from image storage fully managed by Azure. Higher-level tiers provide greater performance and scale.

Because multiple service tiers are available, you can start with Basic and upgrade to Standard and Premium as your registry usage grows.

Learn Azure Container Registry on Cloud Academy

If you’re looking for a private container registry, the Azure Container Registry is a good choice. It has all of the features you’d expect, like creating and managing images, and it’s easy to set up and manage the service to get your developers working quickly and effectively. You can save your container images in ACR, allowing for quick and scalable retrieval of container workloads.

If you’re looking to learn, Cloud Academy offers several Microsoft Azure Courses, learning paths, and labs where you can learn and gain hands-on experience on Azure Container Registry.

Happy learning!

Cloud Academy