Azure Container Registry (ACR) is a managed Docker registry service that lets you store and manage private Docker container images and related artifacts. Think of it as your private, secure Docker Hub, but hosted on Azure.
Here’s ACR in action. Imagine you’re building a web application. Your build pipeline spins up a container, runs your tests, and then needs to push the resulting Docker image somewhere so your deployment system can pull it. That’s where ACR comes in.
First, you create an ACR instance in your Azure subscription. You can do this via the Azure portal, Azure CLI, or ARM templates.
az acr create --resource-group myResourceGroup --name myuniqueacrname --sku Basic --location eastus
Here, myuniqueacrname is the globally unique name for your registry. --sku Basic is the most cost-effective option for getting started, offering a single repository and limited storage. For higher throughput and more features, you’d choose Standard or Premium.
Once created, you need to log in to it from your local Docker client or your CI/CD agent.
az acr login --name myuniqueacrname
This command updates your Docker configuration to authenticate with your ACR instance. Now, when you build your Docker image, you tag it with your ACR’s login server name.
Let’s say your Dockerfile is in the current directory and you’re building an image named mywebapp.
docker build -t myuniqueacrname.azurecr.io/mywebapp:v1.0 .
Notice the myuniqueacrname.azurecr.io/ prefix. This tells Docker where to push the image. After building, you push it:
docker push myuniqueacrname.azurecr.io/mywebapp:v1.0
Now, your container image is securely stored in your private ACR. Your Kubernetes cluster, Azure Container Instances, or any other container orchestrator can be configured to pull from this registry. For example, to deploy this image to AKS, you’d grant your AKS cluster’s identity pull access to the ACR.
# Get the AKS cluster's service principal ID
AKS_SP_ID=$(az aks show --resource-group myResourceGroup --name myAKSCluster --query servicePrincipalProfile.clientId -o tsv)
# Assign the AcrPull role to the AKS service principal
az role assignment create --assignee $AKS_SP_ID --scope "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/myResourceGroup/providers/Microsoft.ContainerRegistry/registries/myuniqueacrname" --role AcrPull
The core problem ACR solves is managing the lifecycle of your container images in a secure, scalable, and integrated way within the Azure ecosystem. Unlike public registries, ACR offers features like fine-grained access control via Azure Active Directory, geo-replication for high availability and low latency across regions, and vulnerability scanning with Microsoft Defender for Containers.
The most surprising thing about ACR is how seamlessly it integrates with other Azure services, not just for pulling images but also for building them. ACR Tasks, for example, can automatically build container images in Azure based on code changes in a Git repository, eliminating the need for local build agents and simplifying your CI pipeline significantly. You can define multi-step tasks that include building, testing, and pushing images, all triggered automatically.
# Example ACR Task YAML
version: v1.0.0
steps:
- build: -t myuniqueacrname.azurecr.io/mywebapp:{{.Run.ID}} -f Dockerfile .
- push: ["myuniqueacrname.azurecr.io/mywebapp:{{.Run.ID}}"]
when:
- baseImageTemplate:
image: myuniqueacrname.azurecr.io/mywebapp:latest
tag: {{.Run.ID}}
This task definition, when linked to a GitHub repository, would automatically build and push a new image tag every time a change is committed.
A common misconception is that ACR is just a place to dump images. In reality, it’s a foundational piece of a modern cloud-native deployment strategy, enabling advanced workflows like image promotion across different ACRs (e.g., dev, staging, prod) or leveraging content trust to ensure image integrity. You can also use ACR for storing Helm charts and other OCI-compliant artifacts, making it a versatile artifact repository.
The next step after mastering ACR is often exploring how to secure your container supply chain with image signing and scanning, or how to manage multiple ACRs for different environments.