Provision and manage containers in Azure
📘Microsoft Certified: Azure Administrator Associate (AZ-104)
1. What is Azure Container Registry?
- Definition: ACR is a managed service in Azure for storing and managing Docker container images and OCI (Open Container Initiative) images.
- Purpose: It allows IT teams to store container images privately rather than using public registries like Docker Hub.
- Use case in IT environment:
  - A company builds a container image for a web application.
  - Instead of storing it publicly, they push it to their private ACR.
  - Developers and automated deployment pipelines can then pull the image securely to deploy it in Azure.
2. Key Concepts
To understand ACR for the exam, focus on these:
| Concept | Explanation |
|---|---|
| Registry | The ACR itself; the container image storage. |
| Repository | A group inside the registry that holds one or more versions of an image. Think of it as a folder for a specific app. |
| Image | A snapshot of a container. It includes the app code, dependencies, and configuration. |
| Tag | A label for an image version. For example, webapp:v1 or webapp:latest. |
| SKU (Pricing Tier) | Determines performance and features: Basic, Standard, Premium. |
Important SKUs:
- Basic: Small teams or development/testing.
- Standard: Most business use cases.
- Premium: Advanced features like geo-replication and higher throughput.
3. How to Create an Azure Container Registry
You can create ACR using Azure Portal, Azure CLI, or ARM templates.
Using Azure Portal:
- Go to Azure Portal → Search for Container Registries → Click Create.
- Fill in:
  - Registry Name: Must be globally unique (like mycompanyregistry).
  - Resource Group: The Azure group where it belongs.
  - Location: Choose the Azure region.
  - SKU: Select Basic, Standard, or Premium.
- Click Review + Create → Then Create.
Using Azure CLI:
az acr create --resource-group MyResourceGroup --name MyRegistry --sku Standard
Explanation:
- MyResourceGroup = the Azure resource group name
- MyRegistry = your registry name
- --sku Standard = pricing tier
4. Push and Pull Container Images
Once the registry is ready, you can store (push) and retrieve (pull) images.
Steps to push an image:
- Log in to ACR:
az acr login --name MyRegistry
- Tag the local image for your registry:
docker tag myapp:latest myregistry.azurecr.io/myapp:v1
- Push the image to ACR:
docker push myregistry.azurecr.io/myapp:v1
Steps to pull an image:
docker pull myregistry.azurecr.io/myapp:v1
This allows deployment pipelines or AKS clusters to use the image.
5. Managing ACR
Common management tasks:
| Task | How it’s done |
|---|---|
| List registries | az acr list |
| Delete a registry | az acr delete --name MyRegistry --resource-group MyResourceGroup |
| Enable admin account (for testing) | az acr update --name MyRegistry --admin-enabled true |
| Check login server | az acr show --name MyRegistry --query loginServer |
6. Security Features
- Private access: Only authorized users or services can access images.
- Admin account: Optional; best for testing, not production.
- Azure AD authentication: Integrates with Azure Active Directory for secure login.
- Network rules: Restrict access by IP or virtual network.
- Content trust: Ensures images are signed and verified before deployment.
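A check for the settings listed above, as an added example (not part of the original guide or of Microsoft's tooling): it audits the JSON returned by az acr show --name MyRegistry --output json. The sample JSON is constructed, the field names are assumed to match the CLI output, and the script assumes network rules are only available on the Premium SKU.

```python
import json

# Constructed sample of `az acr show --name MyRegistry --output json`,
# trimmed to the fields checked below (assumed field names, made-up values).
SAMPLE_SHOW_OUTPUT = """
{
  "name": "MyRegistry",
  "loginServer": "myregistry.azurecr.io",
  "sku": {"name": "Standard"},
  "adminUserEnabled": true,
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": null
}
"""


def audit_registry(show_json):
    """Return findings for settings that leave the registry wider open than intended."""
    reg = json.loads(show_json)
    findings = []

    # The admin account is a single shared username/password for the whole registry.
    if reg.get("adminUserEnabled"):
        findings.append("admin-enabled: turn off with --admin-enabled false, use Azure AD identities")

    # Network rules only restrict access when the default action is Deny.
    rules = reg.get("networkRuleSet") or {}  # null when no rule set is configured
    public = reg.get("publicNetworkAccess", "Enabled") == "Enabled"
    if public and rules.get("defaultAction", "Allow") != "Deny":
        findings.append("open-network: login server accepts connections from any IP")
        # Assumption: IP and virtual network rules require the Premium SKU.
        if (reg.get("sku") or {}).get("name") != "Premium":
            findings.append("sku-blocks-network-rules: upgrade to Premium before adding rules")
    return findings


if __name__ == "__main__":
    for finding in audit_registry(SAMPLE_SHOW_OUTPUT):
        print("FINDING:", finding)
```

Authentication still applies when the network is open, so "open-network" means the registry relies on credentials alone.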
7. Advanced Features (Exam-Relevant)
- Geo-replication:
  - Replicate your registry to multiple Azure regions.
  - Useful for global teams or disaster recovery.
- Tasks / Task Runs:
  - Automate build, test, and push container images.
  - Can run on a schedule or when code changes in a repository.
- Webhooks:
  - Trigger automated actions (like a deployment pipeline) when a new image is pushed.
8. Key Exam Points
- Understand what ACR is and why it is used.
- Know the SKU tiers and their differences.
- Be able to create a registry using portal or CLI.
- Know how to push, pull, and tag images.
- Understand security options (admin account, Azure AD, network rules).
- Recognize advanced features like geo-replication and webhooks.
✅ Tip for the Exam:
Microsoft loves scenario-based questions. Be ready for questions like:
“You need to deploy a web app container securely and ensure only your AKS cluster can access it. Which Azure service and features would you use?”
The answer: Azure Container Registry with Azure AD authentication + network rules.
