{"id":680,"date":"2020-04-30T00:00:00","date_gmt":"2020-04-30T07:00:00","guid":{"rendered":"https:\/\/azure.microsoft.com\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints"},"modified":"2025-06-29T23:24:06","modified_gmt":"2025-06-30T06:24:06","slug":"azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints","status":"publish","type":"post","link":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/","title":{"rendered":"Azure Container Registry: Mitigating data exfiltration with dedicated data endpoints"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Azure Container Registry announces dedicated data endpoints, enabling tightly scoped client firewall rules to specific registries, minimizing data exfiltration concerns.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Pulling content from a registry involves two endpoints:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Registry endpoint<\/strong>, often referred to as the <strong>login URL<\/strong>, used for authentication and content discovery.<br>A command like <code>docker pull contoso.azurecr.io\/hello-world<\/code> makes a REST request which authenticates and negotiates the layers which represent the requested artifact.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Data endpoints<\/strong> serve blobs representing content layers.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image has-custom-border\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2020\/04\/65527b4a-84d5-4864-92e5-78da3ecba512.webp\" alt=\"Registry with two endpoints\" style=\"border-radius:0px\" title=\"\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"registry-managed-storage-accounts\">Registry managed storage accounts<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Azure Container Registry is a 
multi-tenant service, where the data endpoint storage accounts are managed by the registry service. Managed storage has many benefits, such as load balancing, contentious content splitting, multiple copies for higher concurrent content delivery, and multi-region support <a href=\"https:\/\/aka.ms\/acr\/geo-replicatin\" target=\"_blank\" rel=\"noopener\">with geo-replication<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"azure-private-link-virtual-network-support\">Azure Private Link virtual network support<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Azure Container Registry recently announced <a href=\"https:\/\/aka.ms\/acr\/privatelink\" target=\"_blank\" rel=\"noopener\">Private Link support<\/a>, enabling private endpoints from Azure Virtual Networks to be placed on the managed registry service. In this case, both the registry and data endpoints are accessible from within the virtual network, using private IPs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The public endpoint can then be removed, restricting access to the managed registry and storage accounts to within the virtual network.<br><img loading=\"lazy\" decoding=\"async\" title=\"\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2020\/04\/33de79fd-7137-4f37-8a62-4261cd7f8dbc.webp\" alt=\"ACR with Private Link\" width=\"640\" height=\"288\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Unfortunately, virtual network connectivity isn\u2019t always an option.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"client-firewall-rules-and-data-exfiltration-risks\">Client firewall rules and data exfiltration risks<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When connecting to a registry from on-prem hosts, IoT devices, or custom build agents, or when Private Link may not be an option, client firewall rules may be applied to limit access to specific resources.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><img loading=\"lazy\" decoding=\"async\" title=\"\" 
src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2020\/04\/55179d2f-38b2-4675-9d6b-9518deb6b4ab.webp\" alt=\"Client firewall rules, data exfiltration risk\" width=\"640\" height=\"214\">&nbsp;<br>As customers locked down their client firewall configurations, they realized they must create a rule with a wildcard for all storage accounts, raising data exfiltration concerns. A bad actor could deploy code capable of writing to a storage account the bad actor controls.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To mitigate data exfiltration concerns, Azure Container Registry is making dedicated data endpoints available.<\/p>\n\n\n\n<figure class=\"wp-block-image has-custom-border\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2020\/04\/d7a6b518-3270-429e-bdad-46716d44e5ed.webp\" alt=\"Client firewall rules, data exfiltration exploit\" style=\"border-radius:0px\" title=\"\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"dedicated-data-endpoints\">Dedicated data endpoints<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When dedicated data endpoints are enabled, layers are retrieved from the Azure Container Registry service, with fully qualified domain names representing the registry domain. 
As any registry may become geo-replicated, a regional pattern is used:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>[registry].[region].data.azurecr.io<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For the Contoso example, multiple regional data endpoints are added, supporting the local region with a nearby replica.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With dedicated data endpoints, the bad actor is blocked from writing to other storage accounts.<\/p>\n\n\n\n<figure class=\"wp-block-image has-custom-border\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2020\/04\/1cd75a80-2553-4ee0-8573-f12240758069.webp\" alt=\"Dedicated data endpoints, data exfiltration risk mitigated\" style=\"border-radius:0px\" title=\"\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"enabling-dedicated-data-endpoints\">Enabling dedicated data endpoints<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Note<\/strong>: Switching to dedicated data endpoints will impact clients that have configured firewall access to the existing *.blob.core.windows.net endpoints, causing pull failures. To ensure clients have consistent access, add the new data endpoints to the client firewall rules. 
Once completed, existing registries can enable dedicated data endpoints through the <code>az cli<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Using <a href=\"https:\/\/docs.microsoft.com\/cli\/azure\/install-azure-cli?view=azure-cli-latest\" target=\"_blank\" rel=\"noopener\">az cli<\/a> version 2.4.0 or greater, run the <a href=\"https:\/\/docs.microsoft.com\/cli\/azure\/acr?view=azure-cli-latest#az-acr-update\" target=\"_blank\" rel=\"noopener\">az acr update<\/a> command:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title=\"\">\naz acr update --name contoso --data-endpoint-enabled\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">To view the data endpoints, including regional endpoints for geo-replicated registries, use the <code>az acr show-endpoints<\/code> command:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title=\"\">\naz acr show-endpoints --name contoso\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">outputs:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title=\"\">\n{\n  \"loginServer\": \"contoso.azurecr.io\",\n  \"dataEndpoints\": [\n    {\n      \"region\": \"eastus\",\n      \"endpoint\": \"contoso.eastus.data.azurecr.io\"\n    },\n    {\n      \"region\": \"westus\",\n      \"endpoint\": \"contoso.westus.data.azurecr.io\"\n    }\n  ]\n}\n\n<\/pre><\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"security-with-azure-private-link\">Security with Azure Private Link<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a 
href=\"https:\/\/aka.ms\/acr\/privatelink\" target=\"_blank\" rel=\"noopener\">Azure Private Link<\/a> is the most secure way to control network access between clients and the registry, as network traffic is limited to the Azure Virtual Network, using private IPs. When Private Link isn\u2019t an option, dedicated data endpoints can provide assurance as to which resources are accessible from each client.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"pricing-information\">Pricing information<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Dedicated data endpoints are a feature of premium registries.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For more information on dedicated data endpoints, see the <a href=\"https:\/\/aka.ms\/acr\/pricing\" target=\"_blank\" rel=\"noopener\">pricing information here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Azure Container Registry announces dedicated data-endpoints, enabling tightly scoped client firewall rules to specific registries, minimizing data exfiltration concerns.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","_alt_title":"","footnotes":"","msx_community_cta_settings":[]},"categories":[1470],"tags":[],"audience":[3055,3056],"content-type":[1465],"product":[1625],"tech-community":[],"topic":[],"coauthors":[97],"class_list":["post-680","post","type-post","status-publish","format-standard","hentry","category-containers","audience-developers","audience-it-implementors","content-type-announcements","product-container-services","review-flag-1680286581-295","review-flag-2-1680286581-601","review-flag-4-1680286581-250","review-flag-alway-1680286580-106","review-flag-iot-1680286585-835","review-flag-new-1680286579-546","review-flag-on-pr-1680286585-789"],"yoast_head":"<!-- This site is optimized 
with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Azure Container Registry: Mitigating data exfiltration with dedicated data endpoints | Microsoft Azure Blog<\/title>\n<meta name=\"description\" content=\"Azure Container Registry announces dedicated data-endpoints, enabling tightly scoped client firewall rules to specific registries, minimizing data exfiltration concerns.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Azure Container Registry: Mitigating data exfiltration with dedicated data endpoints | Microsoft Azure Blog\" \/>\n<meta property=\"og:description\" content=\"Azure Container Registry announces dedicated data-endpoints, enabling tightly scoped client firewall rules to specific registries, minimizing data exfiltration concerns.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Azure Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/microsoftazure\" \/>\n<meta property=\"article:published_time\" content=\"2020-04-30T07:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-30T06:24:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2020\/04\/65527b4a-84d5-4864-92e5-78da3ecba512.webp\" \/>\n<meta name=\"author\" content=\"Microsoft Azure\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta 
name=\"twitter:creator\" content=\"@azure\" \/>\n<meta name=\"twitter:site\" content=\"@azure\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Azure\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/\"},\"author\":[{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/author\/microsoft-azure\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Azure\"}],\"headline\":\"Azure Container Registry: Mitigating data exfiltration with dedicated data 
endpoints\",\"datePublished\":\"2020-04-30T07:00:00+00:00\",\"dateModified\":\"2025-06-30T06:24:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/\"},\"wordCount\":535,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2020\/04\/65527b4a-84d5-4864-92e5-78da3ecba512.webp\",\"articleSection\":[\"Containers\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/\",\"name\":\"Azure Container Registry: Mitigating data exfiltration with dedicated data endpoints | Microsoft Azure 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2020\/04\/65527b4a-84d5-4864-92e5-78da3ecba512.webp\",\"datePublished\":\"2020-04-30T07:00:00+00:00\",\"dateModified\":\"2025-06-30T06:24:06+00:00\",\"description\":\"Azure Container Registry announces dedicated data-endpoints, enabling tightly scoped client firewall rules to specific registries, minimizing data exfiltration concerns.\",\"breadcrumb\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/#primaryimage\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2020\/04\/65527b4a-84d5-4864-92e5-78da3ecba512.webp\",\"contentUrl\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2020\/04\/65527b4a-84d5-4864-92e5-78da3ecba512.webp\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog 
home\",\"item\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Containers\",\"item\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/category\/containers\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Azure Container Registry: Mitigating data exfiltration with dedicated data endpoints\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#website\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/\",\"name\":\"Microsoft Azure Blog\",\"description\":\"Get the latest Azure news, updates, and announcements from the Azure blog. From product updates to hot topics, hear from the Azure experts.\",\"publisher\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization\",\"name\":\"Microsoft Azure Blog\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/06\/microsoft_logo.webp\",\"contentUrl\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/06\/microsoft_logo.webp\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Azure 
Blog\"},\"image\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/microsoftazure\",\"https:\/\/x.com\/azure\",\"https:\/\/www.instagram.com\/microsoftdeveloper\/\",\"https:\/\/www.linkedin.com\/company\/16188386\",\"https:\/\/www.youtube.com\/user\/windowsazure\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/person\/c702e5edd662b328b49b7e1180cab117\",\"name\":\"shakir\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g7664e653ea371ce16eaf75e9fa8952c4\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g\",\"caption\":\"shakir\"},\"sameAs\":[\"https:\/\/azure.microsoft.com\"],\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/author\/shakir\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Azure Container Registry: Mitigating data exfiltration with dedicated data endpoints | Microsoft Azure Blog","description":"Azure Container Registry announces dedicated data-endpoints, enabling tightly scoped client firewall rules to specific registries, minimizing data exfiltration concerns.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/","og_locale":"en_US","og_type":"article","og_title":"Azure Container Registry: Mitigating data exfiltration with dedicated data endpoints | Microsoft Azure Blog","og_description":"Azure Container Registry announces dedicated data-endpoints, enabling tightly scoped client firewall rules to specific registries, minimizing data exfiltration concerns.","og_url":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/","og_site_name":"Microsoft Azure Blog","article_publisher":"https:\/\/www.facebook.com\/microsoftazure","article_published_time":"2020-04-30T07:00:00+00:00","article_modified_time":"2025-06-30T06:24:06+00:00","og_image":[{"url":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2020\/04\/65527b4a-84d5-4864-92e5-78da3ecba512.webp","type":"","width":"","height":""}],"author":"Microsoft Azure","twitter_card":"summary_large_image","twitter_creator":"@azure","twitter_site":"@azure","twitter_misc":{"Written by":"Microsoft Azure","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/#article","isPartOf":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/"},"author":[{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/author\/microsoft-azure\/","@type":"Person","@name":"Microsoft Azure"}],"headline":"Azure Container Registry: Mitigating data exfiltration with dedicated data endpoints","datePublished":"2020-04-30T07:00:00+00:00","dateModified":"2025-06-30T06:24:06+00:00","mainEntityOfPage":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/"},"wordCount":535,"commentCount":0,"publisher":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization"},"image":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/#primaryimage"},"thumbnailUrl":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2020\/04\/65527b4a-84d5-4864-92e5-78da3ecba512.webp","articleSection":["Containers"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/","url":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/","name":"Azure Container Registry: Mitigating data exfiltration with dedicated data endpoints | Microsoft Azure 
Blog","isPartOf":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/#primaryimage"},"image":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/#primaryimage"},"thumbnailUrl":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2020\/04\/65527b4a-84d5-4864-92e5-78da3ecba512.webp","datePublished":"2020-04-30T07:00:00+00:00","dateModified":"2025-06-30T06:24:06+00:00","description":"Azure Container Registry announces dedicated data-endpoints, enabling tightly scoped client firewall rules to specific registries, minimizing data exfiltration concerns.","breadcrumb":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/#primaryimage","url":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2020\/04\/65527b4a-84d5-4864-92e5-78da3ecba512.webp","contentUrl":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2020\/04\/65527b4a-84d5-4864-92e5-78da3ecba512.webp"},{"@type":"BreadcrumbList","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog 
home","item":"https:\/\/azure.microsoft.com\/en-us\/blog\/"},{"@type":"ListItem","position":2,"name":"Containers","item":"https:\/\/azure.microsoft.com\/en-us\/blog\/category\/containers\/"},{"@type":"ListItem","position":3,"name":"Azure Container Registry: Mitigating data exfiltration with dedicated data endpoints"}]},{"@type":"WebSite","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#website","url":"https:\/\/azure.microsoft.com\/en-us\/blog\/","name":"Microsoft Azure Blog","description":"Get the latest Azure news, updates, and announcements from the Azure blog. From product updates to hot topics, hear from the Azure experts.","publisher":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/azure.microsoft.com\/en-us\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization","name":"Microsoft Azure Blog","url":"https:\/\/azure.microsoft.com\/en-us\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/06\/microsoft_logo.webp","contentUrl":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/06\/microsoft_logo.webp","width":512,"height":512,"caption":"Microsoft Azure 
Blog"},"image":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/microsoftazure","https:\/\/x.com\/azure","https:\/\/www.instagram.com\/microsoftdeveloper\/","https:\/\/www.linkedin.com\/company\/16188386","https:\/\/www.youtube.com\/user\/windowsazure"]},{"@type":"Person","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/person\/c702e5edd662b328b49b7e1180cab117","name":"shakir","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g7664e653ea371ce16eaf75e9fa8952c4","url":"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g","caption":"shakir"},"sameAs":["https:\/\/azure.microsoft.com"],"url":"https:\/\/azure.microsoft.com\/en-us\/blog\/author\/shakir\/"}]}},"msxcm_display_generated_audio":false,"msxcm_animated_featured_image":null,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Azure 
Blog","distributor_original_site_url":"https:\/\/azure.microsoft.com\/en-us\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/posts\/680","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/comments?post=680"}],"version-history":[{"count":1,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/posts\/680\/revisions"}],"predecessor-version":[{"id":44399,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/posts\/680\/revisions\/44399"}],"wp:attachment":[{"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/media?parent=680"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/categories?post=680"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/tags?post=680"},{"taxonomy":"audience","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/audience?post=680"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/content-type?post=680"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/product?post=680"},{"taxonomy":"tech-community","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/tech-community?post=680"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/topic?post=680"},{"taxonomy":"author","embeddable":true,"href":"h
ttps:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/coauthors?post=680"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}