Azure Container Registry (ACR)

Azure Container Registry (ACR) is a managed, private container registry based on the open-source Docker Registry 2.0. It stores and manages container images, OCI artifacts, and Helm charts for all types of container deployments. ACR integrates deeply with the Azure ecosystem — from identity and networking to CI/CD pipelines and runtime services like AKS and Container Apps.

Why Use a Private Registry?

Public registries like Docker Hub are convenient, but they have limitations for production use:

Rate limits — Docker Hub throttles anonymous and free-tier pulls
Security — You need to trust that public images have not been tampered with
Compliance — Many organisations require images to be stored within their own cloud tenancy
Performance — Pulling from a registry in the same Azure region is significantly faster

ACR addresses all of these by providing a private, geo-replicated registry with integrated authentication and image scanning.

ACR Service Tiers

ACR offers three tiers, each adding more features and capacity:

Feature	Basic	Standard	Premium
Storage (GiB)	10	100	500
Throughput (read MBps)	30	60	100
Webhooks	2	10	500
Geo-replication	No	No	Yes
Private link	No	No	Yes
Customer-managed keys	No	No	Yes
Content trust (signing)	No	No	Yes
Availability zones	No	No	Yes

Recommendation: Start with Standard for development and move to Premium when you need geo-replication, private networking, or content trust.

Creating a Registry

You can create an ACR instance using the Azure CLI:

# Create a resource group
az group create --name rg-containers --location uksouth

# Create the registry (name must be globally unique, alphanumeric only)
az acr create \
  --resource-group rg-containers \
  --name mycompanyacr \
  --sku Standard

The registry URL will be mycompanyacr.azurecr.io.

Authentication Methods

ACR supports several authentication mechanisms:

Azure Entra ID (Recommended)

The most secure approach — use Azure Entra ID identities (users, service principals, or managed identities) to authenticate.

# Log in with your Azure identity
az acr login --name mycompanyacr

This command retrieves a short-lived OAuth token and configures your local Docker client.

Admin Account (Development Only)

Each registry has an optional admin account with a username and two passwords. This is convenient for quick testing but should never be used in production.

# Enable admin account
az acr update --name mycompanyacr --admin-enabled true

# Retrieve credentials
az acr credential show --name mycompanyacr

Service Principal

For CI/CD pipelines, create a service principal with the AcrPush or AcrPull role:

# Create a service principal with AcrPush role
az ad sp create-for-rbac \
  --name sp-acr-push \
  --scopes $(az acr show --name mycompanyacr --query id -o tsv) \
  --role AcrPush

Managed Identity

For Azure compute services (AKS, Container Apps, ACI), use a managed identity to pull images without managing credentials:

# Attach ACR to AKS using managed identity
az aks update \
  --resource-group rg-containers \
  --name my-aks-cluster \
  --attach-acr mycompanyacr

Azure Container Registry (ACR)

Azure Container Registry (ACR)

Why Use a Private Registry?

ACR Service Tiers

Creating a Registry

Authentication Methods

Azure Entra ID (Recommended)

Admin Account (Development Only)

Service Principal

Managed Identity

Building Images with ACR Tasks

More in Cloud