
Disable Public Network Access to Container Registries

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that public network access (i.e. all network access) to Microsoft Azure container registries is disabled in order to enhance security by preventing unauthorized access.

Security

When an Azure container registry is publicly accessible, all hosts and networks, including the Internet, can access the instance, increasing the risk of unauthorized access, potential security breaches, and compliance violations. To limit access to selected, trusted networks, you must configure network access rules for your container registries. This allows traffic from trusted IP addresses only, preventing unauthorized access attempts and protecting your sensitive container images and associated data.


Audit

To determine whether public network access to your Azure container registries is disabled, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container registry, and choose Apply to list only the Microsoft Azure container registries available in the selected subscription.

05 Click on the name (link) of the Azure container registry that you want to examine.

06 In the navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected container registry.

07 Select the Public access tab and check the Public network access configuration setting to determine the level of access configured for the selected container registry. If Public network access is set to All networks, every network, including the Internet, can reach the registry, so public network access to the selected Microsoft Azure container registry is not disabled.

08 Repeat steps no. 5 – 7 for each Azure container registry available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the acr list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure container registry available in the current subscription:

az acr list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested container registry identifiers:

Name                        ResourceGroup
-------------------------   ------------------------------
Project5ContainerRegistry   cloud-shell-storage-westeurope
DevAIContainerRegistry      cloud-shell-storage-westeurope

03 Run the acr show command (Windows/macOS/Linux) with the name of the Azure container registry that you want to examine as the identifier parameter and custom output filters to determine whether public network access to the selected container registry is disabled:

az acr show \
  --name Project5ContainerRegistry \
  --resource-group cloud-shell-storage-westeurope \
  --query '{networkRuleSet:networkRuleSet.defaultAction,publicNetworkAccess:publicNetworkAccess}'

04 The command output should return the status of the default network access rule used by the selected registry (i.e. "networkRuleSet" value) and the status of the "publicNetworkAccess" setting configured for the registry:

{
	"networkRuleSet": "Allow",
	"publicNetworkAccess": "Enabled"
}

If the acr show command output returns "Allow" or null for "networkRuleSet" and "Enabled" for "publicNetworkAccess", as shown in the example above, every network, including the Internet, can reach the registry, so public network access to the selected Microsoft Azure container registry is not disabled.

05 Repeat steps no. 3 and 4 for each Azure container registry available in the selected Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
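The audit rule above (fail when "networkRuleSet" is "Allow" or null and "publicNetworkAccess" is "Enabled") can be applied programmatically to the JSON that the acr show query returns. The following is an added example, not Conformity's own code; the registry names and records are constructed to mirror that query's output, and the live lookup helper assumes an authenticated Azure CLI on the path.

```python
"""Classify Azure container registries by public network exposure using the same
two fields the audit step queries: networkRuleSet.defaultAction and
publicNetworkAccess."""
import json
import subprocess
from typing import Dict, List, Optional

# Constructed sample records (hypothetical registry names), shaped like the output of
# az acr show --query '{networkRuleSet:networkRuleSet.defaultAction,publicNetworkAccess:publicNetworkAccess}'
SAMPLE_REGISTRIES: Dict[str, Dict[str, Optional[str]]] = {
    "OpenRegistry": {"networkRuleSet": "Allow", "publicNetworkAccess": "Enabled"},
    "LegacyRegistry": {"networkRuleSet": None, "publicNetworkAccess": "Enabled"},
    "SelectedNetsRegistry": {"networkRuleSet": "Deny", "publicNetworkAccess": "Enabled"},
    "PrivateRegistry": {"networkRuleSet": "Deny", "publicNetworkAccess": "Disabled"},
}

QUERY = "{networkRuleSet:networkRuleSet.defaultAction,publicNetworkAccess:publicNetworkAccess}"


def exposure(record: Dict[str, Optional[str]]) -> str:
    """Return 'disabled', 'selected-networks' or 'all-networks' for one registry.

    'all-networks' is exactly the failing condition in the audit text: the default
    network rule action is "Allow" (or absent) while public network access is "Enabled".
    """
    if record.get("publicNetworkAccess") == "Disabled":
        return "disabled"
    if record.get("networkRuleSet") in ("Allow", None):
        return "all-networks"
    return "selected-networks"  # Enabled, but the default action denies unlisted networks


def failing_registries(registries: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Names of registries that fail the check, in input order."""
    return [name for name, rec in registries.items() if exposure(rec) == "all-networks"]


def fetch_record(name: str, resource_group: str) -> Dict[str, Optional[str]]:
    """Live lookup with the same query the audit step uses (requires `az login`)."""
    cmd = ["az", "acr", "show", "--name", name, "--resource-group", resource_group,
           "--query", QUERY, "--output", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


if __name__ == "__main__":
    for registry_name, rec in SAMPLE_REGISTRIES.items():
        print(f"{registry_name}: {exposure(rec)}")
```

Replace SAMPLE_REGISTRIES with records gathered via fetch_record (one call per name/resource group pair from the acr list output) to run the check against a real subscription.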

Remediation / Resolution

To disable public network access to your Microsoft Azure container registries, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container registry, and choose Apply to list only the Microsoft Azure container registries available in the selected subscription.

05 Click on the name (link) of the Azure container registry that you want to configure.

06 In the navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected container registry.

07 Select the Public access tab and perform the following actions:

  1. For Public network access choose Selected networks.
  2. Under Firewall, for Address range, provide a public IP address range or an individual IP address in the IP address or CIDR box, using CIDR notation. (Optional) You can also add your client IP address by checking the Add your client IP address ('xxx.xxx.xxx.xxx') setting checkbox.
  3. Under Firewall exception, ensure that Allow trusted Microsoft services to access this container registry checkbox is selected to allow trusted services to access your container registry.
  4. Choose Save to apply the configuration settings.

08 Repeat steps no. 5 - 7 for each Azure container registry that you want to configure, available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the acr update command (Windows/macOS/Linux) with the name of the Azure container registry that you want to configure as the identifier parameter to disable public network access to the selected container registry. To disable public network access to the registry endpoint, set --public-network-enabled to false. To limit access to trusted networks only, change the default action to deny access by setting the --default-action parameter to Deny:

az acr update \
  --name Project5ContainerRegistry \
  --resource-group cloud-shell-storage-westeurope \
  --default-action Deny \
  --public-network-enabled false

02 The command output should return the information available for the configured container registry:

{
	"adminUserEnabled": false,
	"anonymousPullEnabled": false,
	"creationDate": "2024-08-15T13:55:00.004639+00:00",
	"dataEndpointEnabled": false,
	"dataEndpointHostNames": [],
	"encryption": {
		"keyVaultProperties": null,
		"status": "disabled"
	},
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerRegistry/registries/Project5ContainerRegistry",
	"identity": null,
	"location": "westeurope",
	"loginServer": "project5containerregistry.azurecr.io",
	"metadataSearch": "Disabled",
	"name": "Project5ContainerRegistry",
	"networkRuleBypassOptions": "AzureServices",
	"networkRuleSet": {
		"defaultAction": "Deny",
		"ipRules": []
	},
	"policies": {
		"azureAdAuthenticationAsArmPolicy": {
			"status": "enabled"
		},
		"exportPolicy": {
			"status": "enabled"
		},
		"quarantinePolicy": {
			"status": "disabled"
		},
		"retentionPolicy": {
			"days": 7,
			"lastUpdatedTime": "2024-08-15T13:55:40.227209+00:00",
			"status": "disabled"
		},
		"softDeletePolicy": {
			"lastUpdatedTime": "2024-08-15T13:55:40.227261+00:00",
			"retentionDays": 7,
			"status": "disabled"
		},
		"trustPolicy": {
			"status": "disabled",
			"type": "Notary"
		}
	},
	"privateEndpointConnections": [],
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Disabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sku": {
		"name": "Premium",
		"tier": "Premium"
	},
	"status": null,
	"tags": {},
	"type": "Microsoft.ContainerRegistry/registries",
	"zoneRedundancy": "Disabled"
}

03 To allow access from specific, trusted public IP addresses or IP ranges, run the az acr network-rule add command (Windows/macOS/Linux) to add a network rule for an individual IPv4 address or IPv4 address range. Replace <public-ip-address> with your public IPv4 address or CIDR range:

az acr network-rule add \
  --name Project5ContainerRegistry \
  --resource-group cloud-shell-storage-westeurope \
  --ip-address <public-ip-address>

04 The command output should return the information available for the configured container registry:

{
	"adminUserEnabled": false,
	"anonymousPullEnabled": false,
	"creationDate": "2024-08-15T13:55:00.004639+00:00",
	"dataEndpointEnabled": false,
	"dataEndpointHostNames": [],
	"encryption": {
		"keyVaultProperties": null,
		"status": "disabled"
	},
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerRegistry/registries/Project5ContainerRegistry",
	"identity": null,
	"location": "westeurope",
	"loginServer": "project5containerregistry.azurecr.io",
	"metadataSearch": "Disabled",
	"name": "Project5ContainerRegistry",
	"networkRuleBypassOptions": "AzureServices",
	"networkRuleSet": {
		"defaultAction": "Deny",
		"ipRules": [
			{
				"action": "Allow",
				"ipAddressOrRange": "<public-ip-address>"
			}
		],
		"virtualNetworkRules": []
	},
	"policies": {
		"azureAdAuthenticationAsArmPolicy": {
			"status": "enabled"
		},
		"exportPolicy": {
			"status": "enabled"
		},
		"quarantinePolicy": {
			"status": "disabled"
		},
		"retentionPolicy": {
			"days": 7,
			"lastUpdatedTime": "2024-08-15T13:55:40.227209+00:00",
			"status": "disabled"
		},
		"softDeletePolicy": {
			"lastUpdatedTime": "2024-08-15T13:55:40.227261+00:00",
			"retentionDays": 7,
			"status": "disabled"
		},
		"trustPolicy": {
			"status": "disabled",
			"type": "Notary"
		}
	},
	"privateEndpointConnections": [],
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Disabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sku": {
		"name": "Premium",
		"tier": "Premium"
	},
	"status": null,
	"tags": {},
	"type": "Microsoft.ContainerRegistry/registries",
	"zoneRedundancy": "Disabled"
}

05 Repeat steps no. 1 - 4 for each Azure container registry that you want to configure, available in the selected Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.


Publication date Aug 26, 2024