Azure Container Registry Private Link support preview for virtual networks

Publisert på 26 mars, 2020

Program Manager, Azure Container Registry

Azure Container Registry announces preview support for Azure Private Link, a means to limit network traffic of resources within the Azure network.

With Private Link, the registry endpoints are assigned private IP addresses, routing traffic within a customer-defined virtual network. Private network support has been one of the top customer asks, allowing customers to benefit from the Azure management of their registry while benefiting from tightly controlled network ingress and egress.
   Architecture diagram of Azure Container Registry connecting to a Virtual Network through Private Link

Private Links are available across a wide range of Azure resources with more coming soon, allowing a wide range of container workloads with the security of a private virtual network.

Private Endpoints and Public Endpoints

Private Link provides private endpoints to be available through private IPs. In the above case, the contoso.azurecr.io registry has a private IP of 10.0.0.6 which is only available to resources in contoso-aks-eastus-vnet. This allows the resources in this VNet to securely communicate. The other resources may be restricted to resources only within the VNet.

At the same time, the public endpoint for the contoso.azurecr.io registry may still be public for the development team. In a coming release, Azure Container Registry (ACR) Private Link will support disabling the public endpoint, limiting access to only private endpoints, configured under private link.

Cross tenant manual approval support

Customers looking to establish a private link between two Azure tenants, where an Azure container registry is in one tenant and while container hosts are in other tenants can use the Private Link Manual Approval workflow. This workflow enables many Azure services, including Azure Machine Learning, to securely interact with your registry. Development teams working in different subscriptions and tenants may also utilize private link manual approval to grant access.

Service Endpoints and Private Links

ACR Service Endpoint preview support was released in March 2019. Service Endpoints provide access from Azure VNets through IP tagging. All traffic to the service endpoint is limited to the Azure backbone network through routing. The public endpoint still exists; however, firewall rules limit public access. Private Link capabilities take this a step further by providing a private endpoint (IP address). As Private Links are more secure and a superset of capabilities of Service Endpoints, Private link support will replace Azure Container Registry Service Endpoint support. While both Service Endpoints and Private Link are currently in preview, we plan to release Private Link capabilities as generally available shortly. We encourage Service Endpoint customers to evaluate ACR Private Link capabilities.

Preview support and limitations

During the preview period, private link support is limited to registries that are not geo-replicated. The feature will move to general availability as we assess feedback and geo-replication support is complete.

We’ve heard clearly that customers requiring private networks also require production support. As such, all support requests will be honored through standard support channels.

Regional support and pricing

Azure Container Registry Private Link support is available across 28 regions through the premium tier.

Additional links: