Azure

Azure Container Registry (ACR) Complete Guide: SKUs, Geo-replication, ACR Tasks, Vulnerability Scanning

2026-05-24
NicheeLab Editorial Team

Azure Container Registry (ACR) is a Microsoft-managed Docker / OCI compatible container image registry. It's deeply integrated with Azure compute services like AKS, Container Apps, App Service, and Azure Functions, and is a core technology for container-based development and operations. This article comprehensively covers SKU selection, geo-replication, AKS integration, ACR Tasks, vulnerability scanning, and Private Endpoint.

SKU Comparison

ItemBasicStandardPremium
Monthly fee (approx.)~700 yen~2,800 yen~7,000 yen
Storage Included10 GB100 GB500 GB
Geo-replication××
Content Trust××
Private Endpoint××
Repository-scoped Tokens××
Customer-Managed Key××
SLA99.9%99.9%99.95%
Use caseDev / PoCSmall productionRecommended for production

For production, Premium is the standard. Enterprise features like geo-replication, Private Endpoint, and Trust Policy are Premium-only. Storage overage is billed separately (~1 yen/GB/month).

Geo-replication

ACR Premium's geo-replication automatically replicates a single registry across multiple Azure regions.

How it works

  1. Push image to the primary region
  2. ACR asynchronously replicates to other regions (minutes to tens of minutes)
  3. AKS clusters (in each region) automatically pull from the nearest replica
  4. Geo-redundant — keeps serving from other regions during a regional outage

Typical setup

  • Japan East (Primary) + Japan West (DR) + US West (Global) + West Europe (Global) — 4-region replicas

Cost and performance

  • Each replica adds the Premium fee (4 regions = 4x cost)
  • Geo-replication can shrink global distribution latency from 100ms to 10ms
  • Powerful for globally deployed SaaS, games, and microservices

Image Pull Authentication with AKS

MethodHow it worksRecommendation
ACR-AKS IntegrationAcrPull auto-granted to system-assigned MI; fully automatedMost recommended
Managed Identity + manual pull secretManual MI setup + imagePullSecretsCustom requirements
Service Principal + Pull SecretLegacy; secret management overheadNot recommended

ACR-AKS Integration commands

# 新規 AKS Cluster + ACR 統合
az aks create --resource-group myRG --name myCluster \
  --attach-acr myAcr

# 既存 AKS Cluster に ACR 追加
az aks update --resource-group myRG --name myCluster \
  --attach-acr myAcr

# ACR Detach
az aks update --resource-group myRG --name myCluster \
  --detach-acr myAcr

ACR Tasks

ACR Tasks is a managed service that automates container image build / push / test inside ACR.

3 task types

Task typeUse caseTrigger
Quick TaskOne-shot buildaz acr build command
Trigger-based TaskAuto buildGit push, base image update, schedule
Multi-step TaskMulti-step build / test / tag / pushYAML-based

Typical use cases

  • Auto-rebuild dependent apps when a base image (mcr.microsoft.com/dotnet/sdk) updates
  • Auto-build on GitHub repository push then deploy to AKS
  • Nightly scheduled vulnerability scanning of the latest image
  • Multi-architecture build (amd64 + arm64) in parallel in a single task

Useful as lightweight automation before building out CI/CD infrastructure; in production, GitHub Actions / Azure Pipelines + ACR is the standard combination.

Microsoft Defender for Containers

Automatic vulnerability scanning for images inside ACR.

How it works

  1. Scan auto-starts on image push to ACR (minutes to tens of minutes)
  2. Results appear in Microsoft Defender for Cloud security recommendations
  3. Provides CVSS score, fixed package version, exploitability, and recommended actions
  4. High / Critical vulnerabilities send alerts to Microsoft Sentinel
  5. Logic App playbooks send Slack notifications and create GitHub issues

Continuous Scan

  • Daily rescan of images pulled in the last 30 days
  • Instant notification when new CVEs are discovered

Typical response flow

  1. Defender alert detects a high vulnerability
  2. Open a GitHub issue
  3. Engineering updates the base image and rebuilds
  4. Push new image to ACR then auto-deploy to AKS
  5. Defender rescans and confirms clear

In production, this is the core function of DevSecOps — the last line of defense for container security.

Private Endpoint and Network Isolation

With ACR Premium, you can fully isolate from the public network using Private Endpoint.

Configuration

  1. Disable network access on ACR (completely block public access)
  2. Create a Private Endpoint in the VNet (integrated with the privatelink.azurecr.io Private DNS Zone)
  3. AKS / Container Apps / App Service pull images privately via VNet integration
  4. On-premises can also pull via VPN/ExpressRoute + Private Endpoint

Typical setups

  • Production AKS handling sensitive data pulls from a fully private ACR
  • GitHub Actions self-hosted runner (inside VNet) pushes images
  • Defender for Containers vulnerability scanning still works privately (Microsoft trusted service)

Content Trust and Image Signing

ACR Premium's Content Trust guarantees image provenance and tamper detection.

  • Based on Docker Notary v1 (Microsoft is driving migration to Sigstore / Notation)
  • Signed with the publisher key on image push
  • Signature verified on image pull (pull fails if tampered with)
  • AKS clusters enforce Trust Policy (only signed images can run)
  • Core function for supply chain security

OCI Artifacts

ACR stores not only Docker images but any OCI standard artifact.

Supported artifact examples

  • Helm Chart: Standard support in Helm 3.8+ as an OCI registry
  • WebAssembly (Wasm): Wasm modules for Spin Framework and others
  • SBOM (Software Bill of Materials): SPDX, CycloneDX
  • Cosign Signatures: Image signature data
  • Policy Bundles: OPA / Kyverno policies

Operational Best Practices

  1. Production requires the Premium SKU
  2. Reduce global distribution latency with geo-replication
  3. Use ACR-AKS Integration for fully automated authentication
  4. Use Microsoft Defender for Containers for continuous vulnerability scanning
  5. Private Endpoint + disable public access
  6. Encrypt images with customer-managed key
  7. Use Content Trust for supply chain security
  8. Use repository-scoped tokens for fine-grained access control
  9. Auto-delete old images with image cleanup policy (reduce storage cost)
  10. Send diagnostic logs to Microsoft Sentinel

Cost Optimization

  1. Delete images not pulled in 30+ days via image cleanup policy
  2. Monitor storage usage monthly via capacity metrics
  3. Limit geo-replicas to required regions only (4 regions = 4x cost)
  4. Reduce image size with multi-stage Docker builds
  5. Reduce 100MB to 50MB with distroless images / Alpine base
  6. Reduce GitHub Actions / Azure Pipelines cost with ACR Tasks (lightweight automation)
  7. No Reserved Capacity support — discounts are limited

Related Certifications

Frequently Asked Questions

What is Azure Container Registry (ACR)?

Azure Container Registry (ACR) is a Microsoft-managed Docker / OCI compatible container image registry. It stores and distributes container images, Helm charts, and OCI artifacts (any file). Deeply integrated with Azure compute services like AKS, Container Apps, App Service, and Azure Functions. Common use cases: 1) Image pull source for AKS clusters, 2) Build/push target for CI/CD pipelines, 3) Centralized organization-wide management of base images, 4) Global distribution via geo-replication, 5) Vulnerability scanning (Microsoft Defender for Containers integration), 6) Helm chart repository, 7) Quarantine (blocks images that have not completed vulnerability scanning). It has 3 SKUs (Basic, Standard, Premium); Premium is recommended for production. Tested heavily on AZ-204 / AZ-400 exams.

What are the differences between Basic / Standard / Premium SKUs?

ACR SKU comparison: Basic (dev/PoC, cheapest, ~700 yen/month, 10 GB storage included, no geo-replication, no Content Trust); Standard (general production, ~2,800 yen/month, 100 GB storage included, no geo-replication, webhooks supported); Premium (recommended for production, ~7,000 yen/month, 500 GB storage included, geo-replication, Content Trust, Private Endpoint, repository-scoped tokens, Trust Policy, Quarantine, multiple OCI artifacts, customer-managed key, diagnostic logs, 99.95% SLA). Premium is the standard for production — geo-replication / Private Endpoint / vulnerability scanning integration are Premium-only enterprise features. Storage overage is charged separately (~1 yen/GB/month); for projects pushing several GB of images daily, storage costs can become a major part of operational expenses.

How does geo-replication work?

ACR Premium's geo-replication automatically replicates a single registry across multiple Azure regions. Image pulls from the nearest regional registry reduce latency and bandwidth costs. Flow: 1) Image push to primary region, 2) ACR asynchronously replicates to other regions (minutes to tens of minutes), 3) AKS clusters (in each region) automatically pull from the nearest replica, 4) Geo-redundant: continues serving from other regions even during a regional outage. Typical setup: Japan East (Primary) + Japan West (DR) + US West (Global) + West Europe (Global) for 4-region replicas. Cost: each replica adds the Premium fee (4 regions = 4x cost). Geo-replication can shrink global distribution latency from 100ms to 10ms. Powerful for globally deployed SaaS, games, and microservices.

How does image pull authentication with AKS work?

There are 3 patterns for image pull authentication from AKS to ACR: 1) ACR-AKS Integration (recommended, easiest): Link ACR at AKS cluster creation or afterward. The AKS system-assigned managed identity automatically gets the AcrPull role and image pulls are fully automated. 2) Managed Identity + manual pull secret: Manually grant the AcrPull role to a system or user-assigned managed identity, create a pull secret with kubectl create secret docker-registry, reference it via the pod's imagePullSecrets. 3) Service Principal + pull secret: Legacy approach with secret management overhead; not recommended for new usage. ACR-AKS Integration is the only choice for production; az aks update --name myCluster --attach-acr myAcr applies it to an existing AKS cluster too. It's the standard pattern Microsoft continues to invest in, with the benefits of no secret management plus automatic managed identity rotation.

How do you use ACR Tasks?

ACR Tasks is a managed service that automates container image build/push/test inside ACR — a lightweight alternative to a full CI/CD pipeline. 3 task types: 1) Quick Task (one-shot build, az acr build command, alternative to GitHub Actions / Azure Pipelines), 2) Trigger-based Task (auto-build on Git source code push, base image update, schedule, or webhook), 3) Multi-step Task (YAML-based multi-step build/test/tag/push in a single task, docker-compose based). Typical use cases: 1) Auto-rebuild dependent apps when a base image (mcr.microsoft.com/dotnet/sdk) updates, 2) Auto-build on GitHub repository push then deploy to AKS, 3) Nightly scheduled vulnerability scanning of the latest image, 4) Multi-architecture build (amd64 + arm64) in parallel in a single task. Useful as lightweight automation before building out CI/CD infrastructure; in production, the standard is GitHub Actions / Azure Pipelines combined with ACR.

What is Microsoft Defender for Containers and how does vulnerability scanning work?

Microsoft Defender for Containers (formerly Defender for Container Registries) is automatic vulnerability scanning for images inside ACR. Flow: 1) Scan auto-starts on image push to ACR (minutes to tens of minutes), 2) Results appear in Microsoft Defender for Cloud security recommendations, 3) Provides CVSS score, fixed package version, exploitability, and recommended actions (base image update, package update), 4) High / Critical vulnerabilities send alerts to Microsoft Sentinel and trigger Logic App playbooks for Slack notification and GitHub issue creation. Continuous scan rescans images pulled in the last 30 days every day, with instant notification on new CVE discovery. Typical response flow: 1) Defender alert detects a high vulnerability, 2) Open GitHub issue, 3) Engineering updates and rebuilds the base image, 4) Push new image to ACR then auto-deploy to AKS, 5) Defender rescans and confirms clear. In production, this is the core function of DevSecOps and the last line of defense for container security.

How do Private Endpoint and network isolation work?

With ACR Premium, you can fully isolate from the public network using Private Endpoint. Flow: 1) Disable network access on ACR (completely block public access), 2) Create a Private Endpoint in the VNet (integrated with the privatelink.azurecr.io Private DNS Zone), 3) AKS / Container Apps / App Service pull images privately via VNet integration, 4) On-premises can also pull via VPN/ExpressRoute + Private Endpoint. Typical setups: 1) Production AKS handling sensitive data pulls from a fully private ACR, 2) GitHub Actions self-hosted runner (inside VNet) pushes images, 3) Defender for Containers vulnerability scanning still works privately (Microsoft trusted service). This is the standard pattern for compliance requirements (GDPR, HIPAA, PCI DSS) and for financial / government use; the modern best practice for production ACR is to disable the public endpoint and use a Private Endpoint.

Which related certifications cover this?

AZ-204 (Developer Associate; note retirement in July 2026) domain 1 (Compute 25-30%) tests ACR deeply — it's a major topic in this area (AKS deployment, image push patterns). AZ-400 (DevOps Engineer Expert) domain 3 covers CI/CD pipeline integration, ACR Tasks, and Defender for Containers. AZ-104 (Administrator) covers resource management basics. AZ-305 (Solutions Architect Expert) covers architecture decisions (ACR vs Docker Hub vs GHCR). SC-100 (Cybersecurity Architect Expert) covers container security strategy. Outside Microsoft: CKA (Kubernetes Administrator) and CKAD (Application Developer) cover registry concepts. As a core technology for container-based development and operations, this is an essential skill for AZ-204 / AZ-400 learners.

Related Articles & Technical Deep Dives

Azure Kubernetes Service (AKS) 入門ガイド|アーキテクチャ・Networking・Ingress・セキュリティ完全解説【2026 年版】

Azure Kubernetes Service (AKS) の入門ガイド。Control Plane と Node Pool の構造、Azure CNI Overlay vs Kubenet の選定、Application Gateway / NGINX Ingress 選定、Workload Identity (新方式)、Private Cluster・Microsoft Defender for Containers・Azure Policy のセキュリティ、関連認定試験 (AZ-104 / AZ-204 / AZ-400 / CKA) を日本語で網羅。

Azure Firewall 完全ガイド|Basic/Standard/Premium 選定・Rule 設計・Firewall Manager【2026 年版】

Azure Firewall の完全ガイド。Basic/Standard/Premium SKU 選定、Application Rule と Network Rule の使い分け、DNAT Rule、Firewall Manager と Firewall Policy、FQDN タグ、Forced Tunneling、NSG との使い分け、関連認定試験 (AZ-700 / SC-100) を日本語で網羅。

Microsoft Defender for Cloud 完全ガイド|CSPM・CWPP・Just-in-Time VM・マルチクラウド保護【2026 年版】

Microsoft Defender for Cloud (旧 Azure Security Center) の完全ガイド。Free Tier vs Defender Plans 選定、Microsoft Secure Score・Just-in-Time VM Access・Vulnerability Assessment・マルチクラウド (AWS/GCP) 対応・Microsoft Sentinel との連携・関連認定試験 (SC-200 / SC-100 / SC-500) を日本語で網羅。

Azure Files 完全ガイド|SMB/NFS・Standard/Premium・Entra Kerberos・Azure File Sync【2026 年版】

Azure Files の完全ガイド。Standard vs Premium ティア選定、SMB vs NFS プロトコル、Active Directory 認証 (オンプレ AD・Entra DS・Entra Kerberos)、Azure File Sync によるハイブリッド、AKS Persistent Volume 利用、セキュリティベストプラクティス、関連認定試験 (AZ-104 / AZ-800) を日本語で網羅。

Technical information in this article is based on the Azure Container Registry Documentation. This article is not an official Microsoft Corporation product and has no affiliation or sponsorship relationship. Microsoft and Azure are trademarks of the Microsoft group of companies. Docker is a trademark of Docker, Inc., and Kubernetes is a registered trademark of the Linux Foundation. Information is based on official public materials as of May 24, 2026. For the latest information, please check the official pages.

Check what you learned with practice questions

Practice with certification-focused question sets

View Azure Exam Prep
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.