Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Use Private Endpoints for Container Registries

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

To reduce the risk of exposure to external threats and strengthens overall security for your container registry interactions, ensure that your Microsoft Azure container registries are accessed exclusively through private endpoint connections. Once private endpoints are established, all network traffic between clients on the virtual network and the registry's private endpoints flows through the virtual network and a private link on the Microsoft backbone network, ensuring no exposure to the public Internet.

Security

Using private endpoints for Microsoft Azure container registries enables secure data access over Azure Private Link. The private endpoint uses an IP address from the virtual network, ensuring traffic stays within the Microsoft Azure backbone network, avoiding public Internet exposure. This setup blocks public endpoint connections, enhances virtual network security, and prevents data exfiltration. Additionally, it helps maintain compliance with regulatory requirements and organizational policies by enforcing strict network access controls and minimizing the surface area for potential security breaches.

Audit

To determine if network access to Azure container registries is allowed via private endpoints only, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Container registry, and choose Apply to list only the Microsoft Azure container registries available in the selected subscription.

05 Click on the name (link) of the Azure container registry that you want to examine.

06 In the resource navigation panel, under Settings, select Networking, and perform the following checks:

  1. Select the Public access tab and check the Public network access configuration setting to determine the level of access configured for the selected container registry. If Public network access is set to Disabled, network access via public endpoints or selected networks is disabled, therefore, you can continue the Audit process with the next step. Otherwise, the Audit process ends here.
  2. Select the Private access tab and check for any private endpoint connections configured for the selected registry. If there are no private endpoint connections deployed for your resource, the selected Microsoft Azure container registry is not configured to allow network access via private endpoints only.

07 Repeat steps no. 5 and 6 for each Azure container registry available within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run acr list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure container registry available in the current subscription: 

az acr list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested container registry identifiers: 

Name                        ResourceGroup
-------------------------   ------------------------------
Project5ContainerRegistry   cloud-shell-storage-westeurope
DevAIContainerRegistry      cloud-shell-storage-westeurope

03 Run acr show command (Windows/macOS/Linux) with the name of the Azure container registry that you want to examine as the identifier parameter and custom output filters to determine if the public network access to the selected container registry is disabled: 

az acr show
  --name Project5ContainerRegistry
  --resource-group cloud-shell-storage-westeurope
  --query '{networkRuleSet:networkRuleSet.defaultAction,publicNetworkAccess:publicNetworkAccess}'

04 The command output should return the status of the default network access rule used by the selected registry (i.e. "networkRuleSet" value) and the status of the "publicNetworkAccess" setting configured for the registry: 

{
	"networkRuleSet": "Deny",
	"publicNetworkAccess": "Disabled"
}

If the acr show command output returns "Deny" for "networkRuleSet" and "Disabled" for "publicNetworkAccess", as shown in the example above, network access via public endpoints or selected networks is disabled for the selected registry. Therefore, you can proceed to the next step of the Audit process. Otherwise, the Audit process ends here."

05 Run acr list command (Windows/macOS/Linux) with custom query filters to list the resource ID of each Azure container registry available in the selected subscription: 

az acr list
  --query '[*].id'

06 The command output should return the requested container registry IDs: 

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerRegistry/registries/Project5ContainerRegistry",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerRegistry/registries/DevAIContainerRegistry"
]

07 Run network private-endpoint-connection list command (Windows/macOS/Linux) to list all the private endpoint connections deployed for the selected Azure container registry: 

az network private-endpoint-connection list
  --id "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerRegistry/registries/Project5ContainerRegistry"

08 The command output should return the information available for the deployed private endpoint connections: 

[]

If the network private-endpoint-connection list command output returns an empty array, i.e. [], there are no private endpoint connections associated with your resource, therefore, the selected Microsoft Azure container registry is not configured to allow network access via private endpoints only.

09 Repeat steps no. 3 - 8 for each Azure container registry available in the selected Azure subscription.

10 Repeat steps no. 1 – 9 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your Microsoft Azure container registries are accessed exclusively through private endpoint connections, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Container registry, and choose Apply to list only the Microsoft Azure container registries available in the selected subscription.

05 Click on the name (link) of the Azure container registry that you want to configure.

06 In the navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected container registry.

07 Select the Public access tab and set Public network access to Disabled to disable public network access. Choose Save to apply the changes. Once the network configuration is updated, no networks can access your resource. Private endpoint connections will be the exclusive way to access your container registry.

08 Select the Private access tab, choose Create a private endpoint connection, and perform the following actions to deploy a new private endpoint:

  1. For Basics, provide the following information:
    1. For Subscription, choose your Azure subscription.
    2. For Resource group, select the correct resource group.
    3. Provide a unique name for the private endpoint instance in the Name box.
    4. For Network Interface Name, enter a name for the associated network interface (NIC).
    5. For Region, select the Azure cloud region where the private endpoint instance will be deployed.
    6. Choose Next : Resource > to continue the setup process.
  2. For Resource, select registry from the Target sub-resource dropdown list. Choose Next : Virtual Network > to continue the setup.
  3. For Virtual Network, perform the following actions:
    1. For Virtual network, choose the name of the Azure virtual network (VNet) that you want to use for your private endpoint.
    2. For Subnet, select the VNet subnet where the private endpoint will be deployed.
    3. (Optional) For Network policy for private endpoints, choose (edit) next to Disabled to configure network policies for the selected VNet subnet.
    4. For Private IP configuration, choose whether to dynamically or statically allocate the private IP address.
    5. (Optional) For Application security group, choose Create to create an Application Security Group (ASG) if required. ASGs allow you to configure network security by grouping virtual machines and defining policies based on these groups.
    6. Choose Next : DNS > to continue.
  4. For DNS, select Yes for Integrate with private DNS zone under Private DNS integration, to integrate your private endpoint with a private DNS zone. Ensure that the correct subscription and resource group are selected for the private DNS zone. Choose Next : Tags > to continue the setup.
  5. For Tags, use the Name, Value, and Resource fields to create tags that will help organize the identity of the selected resource. Choose Next : Review + create > to validate the private endpoint setup.
  6. For Review + create, review the resource configuration details, then choose Create to create your new private endpoint.

09 Repeat steps no. 5 – 8 for each Azure container registry that you want to configure, available in the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run acr update command (Windows/macOS/Linux) with the name of the Azure container registry that you want to configure as the identifier parameter, to disable public network access to the selected container registry. To disable public network access to the registry endpoint set the --public-network-enabled parameter to false and --default-action parameter to Deny: 

az acr update
  --name Project5ContainerRegistry
  --resource-group cloud-shell-storage-westeurope
  --default-action Deny
  --public-network-enabled false

02 The command output should return the information available for the configured container registry: 

{
	"adminUserEnabled": false,
	"anonymousPullEnabled": false,
	"creationDate": "2024-10-15T13:55:00.004639+00:00",
	"dataEndpointEnabled": false,
	"dataEndpointHostNames": [],
	"encryption": {
		"keyVaultProperties": null,
		"status": "disabled"
	},
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerRegistry/registries/Project5ContainerRegistry",
	"identity": null,
	"location": "westeurope",
	"loginServer": "project5containerregistry.azurecr.io",
	"metadataSearch": "Disabled",
	"name": "Project5ContainerRegistry",
	"networkRuleBypassOptions": "AzureServices",
	"networkRuleSet": {
		"defaultAction": "Deny",
		"ipRules": []
	},
	"policies": {
		"azureAdAuthenticationAsArmPolicy": {
			"status": "enabled"
		},
		"exportPolicy": {
			"status": "enabled"
		},
		"quarantinePolicy": {
			"status": "disabled"
		},
		"retentionPolicy": {
			"days": 7,
			"lastUpdatedTime": "2024-10-15T13:55:40.227209+00:00",
			"status": "disabled"
		},
		"softDeletePolicy": {
			"lastUpdatedTime": "2024-10-15T13:55:40.227261+00:00",
			"retentionDays": 7,
			"status": "disabled"
		},
		"trustPolicy": {
			"status": "disabled",
			"type": "Notary"
		}
	},
	"privateEndpointConnections": [],
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Disabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sku": {
		"name": "Premium",
		"tier": "Premium"
	},
	"status": null,
	"tags": {},
	"type": "Microsoft.ContainerRegistry/registries",
	"zoneRedundancy": "Disabled"
}

03 Run network private-endpoint create command (Windows/macOS/Linux) to create and attach a private endpoint to your Microsoft Azure container registry. Use the --private-connection-resource-id command parameter to specify the resource ID of your container registry: 

az network private-endpoint create
  --name tm-registry-private-endpoint
  --resource-group cloud-shell-storage-westeurope
  --vnet-name tm-project5-vnet
  --subnet default
  --location westeurope
  --connection-name tm-container-registry-private-connection
  --group-id registry
  --private-connection-resource-id "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerRegistry/registries/Project5ContainerRegistry"

04 The command output should return the new private endpoint configuration information: 

{
	"customDnsConfigs": [
		{
			"fqdn": "project5containerregistry.westeurope.data.azurecr.io",
			"ipAddresses": [
				"10.0.0.4"
			]
		},
		{
			"fqdn": "project5containerregistry.azurecr.io",
			"ipAddresses": [
				"10.0.0.5"
			]
		}
	],
	"customNetworkInterfaceName": "",
	"etag": "W/\"abcdabcd-1234-abcd-1234-abcdabcdabcd\"",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/tm-registry-private-endpoint",
	"ipConfigurations": [],
	"location": "westeurope",
	"manualPrivateLinkServiceConnections": [],
	"name": "tm-registry-private-endpoint",
	"networkInterfaces": [
		{
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkInterfaces/tm-registry-private-endpoint.nic.abcdabcd-1234-abcd-1234-abcdabcdabcd",
			"resourceGroup": "cloud-shell-storage-westeurope"
		}
	],
	"privateLinkServiceConnections": [
		{
			"etag": "W/\"abcdabcd-1234-abcd-1234-abcdabcdabcd\"",
			"groupIds": [
				"registry"
			],
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/tm-registry-private-endpoint/privateLinkServiceConnections/tm-container-registry-private-connection",
			"name": "tm-container-registry-private-connection",
			"privateLinkServiceConnectionState": {
				"actionsRequired": "None",
				"description": "Auto-Approved",
				"status": "Approved"
			},
			"privateLinkServiceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerRegistry/registries/Project5ContainerRegistry",
			"provisioningState": "Succeeded",
			"resourceGroup": "cloud-shell-storage-westeurope",
			"type": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections"
		}
	],
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"subnet": {
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/tm-project5-vnet/subnets/default",
		"resourceGroup": "cloud-shell-storage-westeurope"
	},
	"type": "Microsoft.Network/privateEndpoints"
}

05 Repeat steps no. 1 - 4 for each Azure container registry that you want to configure, available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Oct 23, 2024

Related ContainerRegistry rules