
Configure IP Network Rules for Container Registries

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

To enhance security and compliance, configure IP network rules to grant your Microsoft Azure container registry the necessary access. This will help safeguard your container registry while minimizing security risks.

Security

Configuring IP network rules for your Microsoft Azure container registry is essential for securing access, ensuring that only trusted IP addresses or services can interact with the registry. This helps prevent unauthorized access, protects your container images, and supports compliance with security best practices.


Audit

To determine if there are any IP network rules configured for your Azure container registry, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container registry, and choose Apply to list only the Microsoft Azure container registries available in the selected subscription.

05 Click on the name (link) of the Azure container registry that you want to examine.

06 In the navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected container registry.

07 Select the Public access tab and check the Public network access configuration setting to determine the level of access configured for the selected container registry. If Public network access is set to All networks, all networks, including the Internet, can access your container registry, therefore, the Audit process ends here. If Public network access is set to Disabled, the registry's public endpoint is disabled and the Audit process ends here. If Public network access is set to Selected networks, continue the Audit process with the next step.

08 In the Firewall section, check the Address range list to determine if there are any IP network rules configured for your registry. If the Address range list is empty, there are no IP network rules configured for the selected Microsoft Azure container registry.

09 Repeat steps no. 5 – 8 for each Azure container registry available within the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run acr list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure container registry available in the current subscription:

az acr list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested container registry identifiers:

Name                        ResourceGroup
-------------------------   ------------------------------
Project5ContainerRegistry   cloud-shell-storage-westeurope
DevAIContainerRegistry      cloud-shell-storage-westeurope

03 Run acr show command (Windows/macOS/Linux) with the name of the Azure container registry that you want to examine as the identifier parameter and custom output filters to determine the level of access configured for the selected container registry:

az acr show \
  --name Project5ContainerRegistry \
  --resource-group cloud-shell-storage-westeurope \
  --query '{networkRuleSet:networkRuleSet.defaultAction,publicNetworkAccess:publicNetworkAccess}'

04 The command output should return the status of the default network access rule used by the selected registry (i.e. "networkRuleSet" value) and the status of the "publicNetworkAccess" setting configured for the registry:

{
	"networkRuleSet": "Deny",
	"publicNetworkAccess": "Enabled"
}

If the acr show command output returns "Allow" or null for "networkRuleSet" and "Enabled" for "publicNetworkAccess", all networks, including the Internet, can access your resource, therefore, the Audit process ends here. If the command output returns "Deny" for "networkRuleSet" and "Disabled" for "publicNetworkAccess", the registry's public endpoint is disabled and the Audit process ends here. If the command output returns "Deny" for "networkRuleSet" and "Enabled" for "publicNetworkAccess", as shown in the example above, continue the Audit process with the next step.

05 Run acr show command (Windows/macOS/Linux) with the name of the Azure container registry that you want to examine as the identifier parameter, to determine if there are any IP network rules configured for the selected registry:

az acr show \
  --name Project5ContainerRegistry \
  --resource-group cloud-shell-storage-westeurope \
  --query '{ipRules:networkRuleSet.ipRules}'

06 The command output should return the IP network rules configured for your container registry:

{
	"ipRules": []
}

If the acr show command output returns an empty array (i.e. []) for "ipRules" configuration attribute, as shown in the example above, there are no IP network rules configured for the selected Microsoft Azure container registry.

07 Repeat steps no. 3 - 6 for each Azure container registry available in the selected Azure subscription.

08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.
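The decision logic of Audit steps 03 to 06, as an added Python example that is not part of this Conformity page and not a Conformity or Azure CLI tool: it takes the JSON document that az acr show --output json returns for one registry and classifies it the way the steps above do. The sample registry document is constructed inline; the check for an IP rule that spans the entire IPv4 space (for example 0.0.0.0/0) is an added caveat, because such a rule makes a "Selected networks" registry reachable from everywhere just like "All networks".

```python
import ipaddress
import json
import sys

# Constructed sample of the JSON that `az acr show --output json` returns for a
# registry whose default action is Deny, whose public endpoint is enabled, and
# which has no IP rules (the non-compliant case from Audit step 06).
SAMPLE_ACR_SHOW = json.loads("""
{
  "name": "Project5ContainerRegistry",
  "networkRuleSet": {"defaultAction": "Deny", "ipRules": []},
  "publicNetworkAccess": "Enabled"
}
""")


def is_any_network_rule(ip_or_range):
    """True when an ipAddressOrRange value covers the whole address space.

    A single address is treated as a /32 (or /128) network; only a prefix
    length of 0 matches every possible source address.
    """
    try:
        network = ipaddress.ip_network(ip_or_range, strict=False)
    except ValueError:
        # An unparsable value cannot be judged here; let Azure reject it.
        return False
    return network.prefixlen == 0


def audit_registry(acr):
    """Classify one registry document; returns (status, human-readable finding).

    Ordering assumption (added here, not stated on the page): a disabled public
    endpoint is checked first, because with publicNetworkAccess "Disabled" the
    value of defaultAction no longer matters for public reachability.
    """
    name = acr.get("name", "<unnamed registry>")
    rule_set = acr.get("networkRuleSet") or {}   # the page notes this can be null
    default_action = rule_set.get("defaultAction")
    public_access = acr.get("publicNetworkAccess")

    if public_access == "Disabled":
        return "public-endpoint-disabled", f"{name}: public endpoint is disabled"

    if default_action != "Deny":
        # "Allow" or null default action with an enabled public endpoint means
        # every network, including the Internet, can reach the registry.
        return "all-networks", f"{name}: open to all networks (default action {default_action!r})"

    ip_rules = rule_set.get("ipRules") or []
    if not ip_rules:
        return "no-ip-rules", f"{name}: selected networks, but no IP network rules configured"

    broad = [r.get("ipAddressOrRange") for r in ip_rules
             if is_any_network_rule(r.get("ipAddressOrRange", ""))]
    if broad:
        return "overly-broad-ip-rules", f"{name}: IP rule(s) {broad} allow every source address"

    return "ip-rules-configured", f"{name}: {len(ip_rules)} IP network rule(s) configured"


if __name__ == "__main__":
    # Pipe real output in: az acr show --name <registry> --resource-group <rg> --output json | python3 audit_acr.py
    document = SAMPLE_ACR_SHOW if sys.stdin.isatty() else json.load(sys.stdin)
    status, finding = audit_registry(document)
    print(status, "-", finding)
```

Only "ip-rules-configured" is the state this check is looking for; "no-ip-rules" is the finding the Audit section reports, and "all-networks" and "overly-broad-ip-rules" are both worth treating as the same exposure, since a Deny default action with a rule for 0.0.0.0/0 admits exactly the same traffic as an Allow default action.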

Remediation / Resolution

To configure IP network rules for your Microsoft Azure container registries, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container registry, and choose Apply to list only the Microsoft Azure container registries available in the selected subscription.

05 Click on the name (link) of the Azure container registry that you want to configure.

06 In the navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected container registry.

07 Select the Public access tab and perform the following actions:

  1. For Public network access choose Selected networks.
  2. Under Firewall, for Address range, provide a public IP address range or an individual IP address in the IP address or CIDR box, using CIDR notation. (Optional) You can also add your client IP address by checking the Add your client IP address ('xxx.xxx.xxx.xxx') setting checkbox.
  3. Choose Save to apply the configuration settings.

08 Repeat steps no. 5 - 7 for each Azure container registry that you want to configure, available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run acr update command (Windows/macOS/Linux) to change the network rule set default action to Deny. This ensures that access is limited to trusted networks only:

az acr update \
  --name Project5ContainerRegistry \
  --resource-group cloud-shell-storage-westeurope \
  --default-action Deny

02 The command output should return the information available for the configured container registry:

{
	"adminUserEnabled": false,
	"anonymousPullEnabled": false,
	"creationDate": "2024-08-15T13:55:00.004639+00:00",
	"dataEndpointEnabled": false,
	"dataEndpointHostNames": [],
	"encryption": {
		"keyVaultProperties": null,
		"status": "disabled"
	},
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerRegistry/registries/Project5ContainerRegistry",
	"identity": null,
	"location": "westeurope",
	"loginServer": "project5containerregistry.azurecr.io",
	"metadataSearch": "Disabled",
	"name": "Project5ContainerRegistry",
	"networkRuleBypassOptions": "AzureServices",
	"networkRuleSet": {
		"defaultAction": "Deny",
		"ipRules": []
	},
	"policies": {
		"azureAdAuthenticationAsArmPolicy": {
			"status": "enabled"
		},
		"exportPolicy": {
			"status": "enabled"
		},
		"quarantinePolicy": {
			"status": "disabled"
		},
		"retentionPolicy": {
			"days": 7,
			"lastUpdatedTime": "2024-08-15T13:55:40.227209+00:00",
			"status": "disabled"
		},
		"softDeletePolicy": {
			"lastUpdatedTime": "2024-08-15T13:55:40.227261+00:00",
			"retentionDays": 7,
			"status": "disabled"
		},
		"trustPolicy": {
			"status": "disabled",
			"type": "Notary"
		}
	},
	"privateEndpointConnections": [],
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Disabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sku": {
		"name": "Premium",
		"tier": "Premium"
	},
	"status": null,
	"tags": {},
	"type": "Microsoft.ContainerRegistry/registries",
	"zoneRedundancy": "Disabled"
}

03 To allow access from specific, trusted public IP addresses or IP ranges, run az acr network-rule add command (Windows/macOS/Linux) to add a network rule for an individual IPv4 address or IPv4 address range. Replace <public-ip-address> with your public IPv4 address or CIDR range:

az acr network-rule add \
  --name Project5ContainerRegistry \
  --resource-group cloud-shell-storage-westeurope \
  --ip-address <public-ip-address>

04 The command output should return the information available for the configured container registry:

{
	"adminUserEnabled": false,
	"anonymousPullEnabled": false,
	"creationDate": "2024-08-15T13:55:00.004639+00:00",
	"dataEndpointEnabled": false,
	"dataEndpointHostNames": [],
	"encryption": {
		"keyVaultProperties": null,
		"status": "disabled"
	},
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerRegistry/registries/Project5ContainerRegistry",
	"identity": null,
	"location": "westeurope",
	"loginServer": "project5containerregistry.azurecr.io",
	"metadataSearch": "Disabled",
	"name": "Project5ContainerRegistry",
	"networkRuleBypassOptions": "AzureServices",
	"networkRuleSet": {
		"defaultAction": "Deny",
		"ipRules": [
		{
			"action": "Allow",
			"ipAddressOrRange": "<public-ip-address>"
		}
		],
		"virtualNetworkRules": []
	},
	"policies": {
		"azureAdAuthenticationAsArmPolicy": {
			"status": "enabled"
		},
		"exportPolicy": {
			"status": "enabled"
		},
		"quarantinePolicy": {
			"status": "disabled"
		},
		"retentionPolicy": {
			"days": 7,
			"lastUpdatedTime": "2024-08-15T13:55:40.227209+00:00",
			"status": "disabled"
		},
		"softDeletePolicy": {
			"lastUpdatedTime": "2024-08-15T13:55:40.227261+00:00",
			"retentionDays": 7,
			"status": "disabled"
		},
		"trustPolicy": {
			"status": "disabled",
			"type": "Notary"
		}
	},
	"privateEndpointConnections": [],
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Disabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sku": {
		"name": "Premium",
		"tier": "Premium"
	},
	"status": null,
	"tags": {},
	"type": "Microsoft.ContainerRegistry/registries",
	"zoneRedundancy": "Disabled"
}

05 Repeat steps no. 1 - 4 for each Azure container registry that you want to configure, available in the selected Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Publication date Oct 23, 2024