Stage 5 · Platform
Compute & Containers
Azure Container Registry
Build, store, scan, and replicate Docker images with ACR.
What Is ACR?
Azure Container Registry (ACR) is a managed Docker registry for storing and managing private container images and artifacts. It integrates with Azure RBAC, network policies, and Azure DevOps for CI/CD pipelines.
# Create a Basic SKU registry
az acr create \
--resource-group rg-aks-prod \
--name craksprodeastus \
--sku Basic \
--location eastus
# The login server is the registry name + .azurecr.io
# e.g., craksprodeastus.azurecr.ioACR names must be globally unique and contain only alphanumeric characters. The login server URL is used by Docker to push and pull images.
ACR Tiers and SKUs
| SKU | Features | Cost | Best For |
|---|---|---|---|
| Basic | Push/pull, 10 GB storage | ~$5/month | Dev/test |
| Standard | Basic + 100 GB, geo-replication | ~$20/month | Small production |
| Premium | Standard + 500 GB, private endpoints, retention | ~$170/month | Enterprise production |
Pushing Images
To push images, you must first authenticate with ACR. Use az acr login to get a Docker token, then tag your image with the ACR login server and push.
# Login to ACR
az acr login --name craksprodeastus
# Tag a local image for ACR
docker tag myapp:latest craksprodeastus.azurecr.io/myapp:v1.0.0
# Push the image
docker push craksprodeastus.azurecr.io/myapp:v1.0.0
# Verify the image exists
az acr repository list --name craksprodeastus --output tableThe az acr login command configures your Docker CLI with credentials that expire after 3 hours. Re-run it if you get authentication errors.
ACR Tasks build images directly in the cloud without a local Docker daemon. They can build on Linux, Windows, and multi-arch images, and trigger on source code changes or base image updates.
Image Scanning
ACR integrates with Microsoft Defender for Containers to scan images for vulnerabilities. It checks base images, dependencies, and OS packages against known CVE databases.
# Enable Defender for Containers on ACR
az security pricing create --name Containers --tier Standard
# Scan a specific image
az acr repository show-tags \
--name craksprodeastus \
--repository myapp \
--query "[].{tag:tag, updateTime:updateTime}" \
--output table
# View scan results in Defender for Cloud
az security sub-assessment list \
--assessed-resource-id "/subscriptions/{sub-id}/providers/Microsoft.ContainerRegistry/registries/craksprodeastus" \
--assessment-name "ca???" \
--query "value[].{status:statusDetails.code, severity:properties.status.severity, cve:properties.vulnerableAssessedResourceName}" \
--output tableDefender for Containers scans every image when it is pushed. It also continuously scans stored images as new vulnerabilities are discovered.
Geo-Replication
ACR geo-replication caches images in multiple Azure regions. When AKS pulls an image, it pulls from the closest replica, reducing latency and egress costs.
# Add a replica in West US 2
az acr replication create \
--registry craksprodeastus \
--location westus2 \
--resource-group rg-aks-prod
# Add a replica in Europe West
az acr replication create \
--registry craksprodeastus \
--location westeurope \
--resource-group rg-aks-prod
# List all replicas
az acr replication list --registry craksprodeastus --output tableGeo-replication requires Premium SKU. It is read-only — you push to the primary region and images are automatically replicated to all secondary regions.
Automating Image Builds
In production, images are built by CI/CD pipelines, not manually. ACR Tasks or external CI systems (Azure DevOps, GitHub Actions) build, scan, and push images automatically.
# Build an image from a GitHub repo
az acr task create \
--registry craksprodeastus \
--name build-myapp \
--image myapp:latest \
--image myapp:{{Run.ID}} \
--context https://github.com/myorg/myapp.git \
--file Dockerfile \
--git-access-token $GITHUB_TOKEN
# Trigger a manual run
az acr task run --registry craksprodeastus --name build-myapp
# List recent runs
az acr task run list --registry craksprodeastus --name build-myapp --query "[].{id:id, status:status, startTime:startTime}" --output tableACR Tasks support multi-stage builds, multi-platform images, and scheduled triggers. They are a cost-effective alternative to self-hosted build agents.
Use immutable digests (cr.azurecr.io/myapp@sha256:abc...) for production deployments, not mutable tags (myapp:latest). Tags can be overwritten; digests cannot.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.