Azure Container Registry (ACR) is a Microsoft-managed Docker / OCI compatible container image registry. It's deeply integrated with Azure compute services like AKS, Container Apps, App Service, and Azure Functions, and is a core technology for container-based development and operations. This article comprehensively covers SKU selection, geo-replication, AKS integration, ACR Tasks, vulnerability scanning, and Private Endpoint.
| Item | Basic | Standard | Premium |
|---|---|---|---|
| Monthly fee (approx.) | ~700 yen | ~2,800 yen | ~7,000 yen |
| Storage Included | 10 GB | 100 GB | 500 GB |
| Geo-replication | × | × | ○ |
| Content Trust | × | × | ○ |
| Private Endpoint | × | × | ○ |
| Repository-scoped Tokens | × | × | ○ |
| Customer-Managed Key | × | × | ○ |
| SLA | 99.9% | 99.9% | 99.95% |
| Use case | Dev / PoC | Small production | Recommended for production |
For production, Premium is the standard. Enterprise features like geo-replication, Private Endpoint, and Trust Policy are Premium-only. Storage overage is billed separately (~1 yen/GB/month).
ACR Premium's geo-replication automatically replicates a single registry across multiple Azure regions.
| Method | How it works | Recommendation |
|---|---|---|
| ACR-AKS Integration | AcrPull auto-granted to system-assigned MI; fully automated | Most recommended |
| Managed Identity + manual pull secret | Manual MI setup + imagePullSecrets | Custom requirements |
| Service Principal + Pull Secret | Legacy; secret management overhead | Not recommended |
# 新規 AKS Cluster + ACR 統合 az aks create --resource-group myRG --name myCluster \ --attach-acr myAcr # 既存 AKS Cluster に ACR 追加 az aks update --resource-group myRG --name myCluster \ --attach-acr myAcr # ACR Detach az aks update --resource-group myRG --name myCluster \ --detach-acr myAcr
ACR Tasks is a managed service that automates container image build / push / test inside ACR.
| Task type | Use case | Trigger |
|---|---|---|
| Quick Task | One-shot build | az acr build command |
| Trigger-based Task | Auto build | Git push, base image update, schedule |
| Multi-step Task | Multi-step build / test / tag / push | YAML-based |
Useful as lightweight automation before building out CI/CD infrastructure; in production, GitHub Actions / Azure Pipelines + ACR is the standard combination.
Automatic vulnerability scanning for images inside ACR.
In production, this is the core function of DevSecOps — the last line of defense for container security.
With ACR Premium, you can fully isolate from the public network using Private Endpoint.
ACR Premium's Content Trust guarantees image provenance and tamper detection.
ACR stores not only Docker images but any OCI standard artifact.
What is Azure Container Registry (ACR)?
Azure Container Registry (ACR) is a Microsoft-managed Docker / OCI compatible container image registry. It stores and distributes container images, Helm charts, and OCI artifacts (any file). Deeply integrated with Azure compute services like AKS, Container Apps, App Service, and Azure Functions. Common use cases: 1) Image pull source for AKS clusters, 2) Build/push target for CI/CD pipelines, 3) Centralized organization-wide management of base images, 4) Global distribution via geo-replication, 5) Vulnerability scanning (Microsoft Defender for Containers integration), 6) Helm chart repository, 7) Quarantine (blocks images that have not completed vulnerability scanning). It has 3 SKUs (Basic, Standard, Premium); Premium is recommended for production. Tested heavily on AZ-204 / AZ-400 exams.
What are the differences between Basic / Standard / Premium SKUs?
ACR SKU comparison: Basic (dev/PoC, cheapest, ~700 yen/month, 10 GB storage included, no geo-replication, no Content Trust); Standard (general production, ~2,800 yen/month, 100 GB storage included, no geo-replication, webhooks supported); Premium (recommended for production, ~7,000 yen/month, 500 GB storage included, geo-replication, Content Trust, Private Endpoint, repository-scoped tokens, Trust Policy, Quarantine, multiple OCI artifacts, customer-managed key, diagnostic logs, 99.95% SLA). Premium is the standard for production — geo-replication / Private Endpoint / vulnerability scanning integration are Premium-only enterprise features. Storage overage is charged separately (~1 yen/GB/month); for projects pushing several GB of images daily, storage costs can become a major part of operational expenses.
How does geo-replication work?
ACR Premium's geo-replication automatically replicates a single registry across multiple Azure regions. Image pulls from the nearest regional registry reduce latency and bandwidth costs. Flow: 1) Image push to primary region, 2) ACR asynchronously replicates to other regions (minutes to tens of minutes), 3) AKS clusters (in each region) automatically pull from the nearest replica, 4) Geo-redundant: continues serving from other regions even during a regional outage. Typical setup: Japan East (Primary) + Japan West (DR) + US West (Global) + West Europe (Global) for 4-region replicas. Cost: each replica adds the Premium fee (4 regions = 4x cost). Geo-replication can shrink global distribution latency from 100ms to 10ms. Powerful for globally deployed SaaS, games, and microservices.
How does image pull authentication with AKS work?
There are 3 patterns for image pull authentication from AKS to ACR: 1) ACR-AKS Integration (recommended, easiest): Link ACR at AKS cluster creation or afterward. The AKS system-assigned managed identity automatically gets the AcrPull role and image pulls are fully automated. 2) Managed Identity + manual pull secret: Manually grant the AcrPull role to a system or user-assigned managed identity, create a pull secret with kubectl create secret docker-registry, reference it via the pod's imagePullSecrets. 3) Service Principal + pull secret: Legacy approach with secret management overhead; not recommended for new usage. ACR-AKS Integration is the only choice for production; az aks update --name myCluster --attach-acr myAcr applies it to an existing AKS cluster too. It's the standard pattern Microsoft continues to invest in, with the benefits of no secret management plus automatic managed identity rotation.
How do you use ACR Tasks?
ACR Tasks is a managed service that automates container image build/push/test inside ACR — a lightweight alternative to a full CI/CD pipeline. 3 task types: 1) Quick Task (one-shot build, az acr build command, alternative to GitHub Actions / Azure Pipelines), 2) Trigger-based Task (auto-build on Git source code push, base image update, schedule, or webhook), 3) Multi-step Task (YAML-based multi-step build/test/tag/push in a single task, docker-compose based). Typical use cases: 1) Auto-rebuild dependent apps when a base image (mcr.microsoft.com/dotnet/sdk) updates, 2) Auto-build on GitHub repository push then deploy to AKS, 3) Nightly scheduled vulnerability scanning of the latest image, 4) Multi-architecture build (amd64 + arm64) in parallel in a single task. Useful as lightweight automation before building out CI/CD infrastructure; in production, the standard is GitHub Actions / Azure Pipelines combined with ACR.
What is Microsoft Defender for Containers and how does vulnerability scanning work?
Microsoft Defender for Containers (formerly Defender for Container Registries) is automatic vulnerability scanning for images inside ACR. Flow: 1) Scan auto-starts on image push to ACR (minutes to tens of minutes), 2) Results appear in Microsoft Defender for Cloud security recommendations, 3) Provides CVSS score, fixed package version, exploitability, and recommended actions (base image update, package update), 4) High / Critical vulnerabilities send alerts to Microsoft Sentinel and trigger Logic App playbooks for Slack notification and GitHub issue creation. Continuous scan rescans images pulled in the last 30 days every day, with instant notification on new CVE discovery. Typical response flow: 1) Defender alert detects a high vulnerability, 2) Open GitHub issue, 3) Engineering updates and rebuilds the base image, 4) Push new image to ACR then auto-deploy to AKS, 5) Defender rescans and confirms clear. In production, this is the core function of DevSecOps and the last line of defense for container security.
How do Private Endpoint and network isolation work?
With ACR Premium, you can fully isolate from the public network using Private Endpoint. Flow: 1) Disable network access on ACR (completely block public access), 2) Create a Private Endpoint in the VNet (integrated with the privatelink.azurecr.io Private DNS Zone), 3) AKS / Container Apps / App Service pull images privately via VNet integration, 4) On-premises can also pull via VPN/ExpressRoute + Private Endpoint. Typical setups: 1) Production AKS handling sensitive data pulls from a fully private ACR, 2) GitHub Actions self-hosted runner (inside VNet) pushes images, 3) Defender for Containers vulnerability scanning still works privately (Microsoft trusted service). This is the standard pattern for compliance requirements (GDPR, HIPAA, PCI DSS) and for financial / government use; the modern best practice for production ACR is to disable the public endpoint and use a Private Endpoint.
Which related certifications cover this?
AZ-204 (Developer Associate; note retirement in July 2026) domain 1 (Compute 25-30%) tests ACR deeply — it's a major topic in this area (AKS deployment, image push patterns). AZ-400 (DevOps Engineer Expert) domain 3 covers CI/CD pipeline integration, ACR Tasks, and Defender for Containers. AZ-104 (Administrator) covers resource management basics. AZ-305 (Solutions Architect Expert) covers architecture decisions (ACR vs Docker Hub vs GHCR). SC-100 (Cybersecurity Architect Expert) covers container security strategy. Outside Microsoft: CKA (Kubernetes Administrator) and CKAD (Application Developer) cover registry concepts. As a core technology for container-based development and operations, this is an essential skill for AZ-204 / AZ-400 learners.
Related Articles & Technical Deep Dives
Azure Kubernetes Service (AKS) 入門ガイド|アーキテクチャ・Networking・Ingress・セキュリティ完全解説【2026 年版】
Azure Kubernetes Service (AKS) の入門ガイド。Control Plane と Node Pool の構造、Azure CNI Overlay vs Kubenet の選定、Application Gateway / NGINX Ingress 選定、Workload Identity (新方式)、Private Cluster・Microsoft Defender for Containers・Azure Policy のセキュリティ、関連認定試験 (AZ-104 / AZ-204 / AZ-400 / CKA) を日本語で網羅。
Azure Firewall 完全ガイド|Basic/Standard/Premium 選定・Rule 設計・Firewall Manager【2026 年版】
Azure Firewall の完全ガイド。Basic/Standard/Premium SKU 選定、Application Rule と Network Rule の使い分け、DNAT Rule、Firewall Manager と Firewall Policy、FQDN タグ、Forced Tunneling、NSG との使い分け、関連認定試験 (AZ-700 / SC-100) を日本語で網羅。
Microsoft Defender for Cloud 完全ガイド|CSPM・CWPP・Just-in-Time VM・マルチクラウド保護【2026 年版】
Microsoft Defender for Cloud (旧 Azure Security Center) の完全ガイド。Free Tier vs Defender Plans 選定、Microsoft Secure Score・Just-in-Time VM Access・Vulnerability Assessment・マルチクラウド (AWS/GCP) 対応・Microsoft Sentinel との連携・関連認定試験 (SC-200 / SC-100 / SC-500) を日本語で網羅。
Azure Files 完全ガイド|SMB/NFS・Standard/Premium・Entra Kerberos・Azure File Sync【2026 年版】
Azure Files の完全ガイド。Standard vs Premium ティア選定、SMB vs NFS プロトコル、Active Directory 認証 (オンプレ AD・Entra DS・Entra Kerberos)、Azure File Sync によるハイブリッド、AKS Persistent Volume 利用、セキュリティベストプラクティス、関連認定試験 (AZ-104 / AZ-800) を日本語で網羅。
Technical information in this article is based on the Azure Container Registry Documentation. This article is not an official Microsoft Corporation product and has no affiliation or sponsorship relationship. Microsoft and Azure are trademarks of the Microsoft group of companies. Docker is a trademark of Docker, Inc., and Kubernetes is a registered trademark of the Linux Foundation. Information is based on official public materials as of May 24, 2026. For the latest information, please check the official pages.
Practice with certification-focused question sets
View Azure Exam PrepNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...