Azure Container Registry (ACR) is a managed, private registry service based on the open-source Docker Registry 2.0. Within the context of the Azure Administrator Associate (AZ-104) certification, ACR is critical for the 'Deploy and manage Azure compute resources' domain, acting as the centralized repository for storing and managing private Docker container images and Helm charts before they are deployed to compute targets.
Unlike public hubs, ACR provides a secure environment integrated directly with Azure services like Azure Kubernetes Service (AKS), Azure Container Instances (ACI), and Azure App Service. For administrators, the primary management tasks involve authenticating and securing these registries using Microsoft Entra ID (formerly Azure AD). Administrators leverage Role-Based Access Control (RBAC) to grant specific permissions, such as assigning 'AcrPush' to build pipelines and 'AcrPull' to compute resources via Managed Identities, eliminating the need to manage raw credentials.
ACR is available in three tiers—Basic, Standard, and Premium. Administrators must choose the appropriate tier based on storage and throughput requirements. The Premium tier is notable for enabling Geo-replication, which allows a single registry to serve images across multiple global regions, reducing network latency for distributed deployments.
Furthermore, ACR includes 'ACR Tasks,' a suite of features that automates image building and patching in the cloud. This allows administrators to define workflows where images are automatically rebuilt and updated whenever source code commits are pushed or base images are patched. By managing ACR, administrators ensure a secure, efficient, and automated supply chain for containerized compute resources.
Azure Container Registry (ACR)
What is Azure Container Registry?
Azure Container Registry (ACR) is a managed, private Docker registry service based on the open-source Docker Registry 2.0. It allows you to build, store, and manage container images and artifacts in a private repository for all types of container deployments. Think of it as 'GitHub for your Docker Images', but hosted privately within your Azure subscription.
Why is it Important for the AZ-104?
As an Azure Administrator, you are responsible for deploying and managing compute resources. Since modern Azure compute resources—such as Azure Kubernetes Service (AKS), Azure App Service for Containers, and Azure Container Instances (ACI)—rely heavily on container images, ACR acts as the central, secure point of distribution for these images. It eliminates the latency and security risks associated with using public registries like Docker Hub for proprietary applications.
Key Concepts and How It Works
1. Registry Tiers (SKUs)
Understanding the Service Tiers is critical for the exam:
- Basic: Cost-effective for learning, limited storage/throughput.
- Standard: Increased limits for production usage.
- Premium: Required for enterprise features, specifically Geo-replication, Content Trust (image signing), Private Link, and higher storage/throughput limits.
2. Authentication
ACR does not support anonymous access by default. You must authenticate using:
- Microsoft Entra ID (formerly Azure AD): Use individual identities or Service Principals.
- Admin Account: A simple 'root' user (username/password) enabled in the Settings. Good for testing but not recommended for scaled production.
- Managed Identities: The preferred method for Azure resources (like an AKS cluster) to pull images.
3. ACR Tasks
This is a suite of features within ACR that allows you to build container images in the cloud (without a local Docker engine) and automate image patching. For example, an ACR Task can automatically trigger a new build when you commit source code to Git or when a base image is updated.
4. Hierarchy
- Registry: The top-level service (e.g., myregistry.azurecr.io).
- Repository: A collection of images with the same name (e.g., my-app).
- Tag: A version identifier (e.g., v1.0, latest).
Exam Tips: Answering Questions on Azure Container Registry
Tip 1: Multi-Region Deployment Scenarios
If an exam question describes a scenario requiring a single registry to serve images to web apps in multiple global regions with low latency, the answer is always ACR Premium SKU with Geo-replication. Geo-replication allows a single registry to function as multiple registries in different regions using the same URL.
Tip 2: Authentication & Access Control (RBAC)
You will likely face questions about connecting AKS to ACR. The correct method is creating a Role Assignment. Specifically, you must grant the AcrPull permission to the Managed Identity (or Service Principal) used by the Kubernetes cluster. Do not assign 'Owner' or 'Contributor' just to pull images.
Tip 3: Docker Commands vs. AZ CLI
Know that you do not install Docker on the registry itself. You use the Azure CLI or Docker CLI on your local machine.
- To build an image in the cloud without Docker installed locally: az acr build.
- To log in via CLI: az acr login.
Tip 4: The 'Admin Account' Trap
Questions may ask how to quickly allow a developer to access the registry without configuring Entra ID. The answer is usually enabling the Admin User in the Access Keys blade to get immediate username/password credentials, though the exam prefers Managed Identities for secure resource-to-resource communication.
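
The least-privilege points in Tip 2 and Tip 4 can be checked on an existing registry. The following is an added example, not part of the original guide: a small audit that flags an enabled admin user and any workload identity holding Owner or Contributor where AcrPull would do. It assumes input shaped like the JSON that `az acr show` and `az role assignment list` return; every name and ID in the sample data is constructed.

```python
# Added example: audit registry access for the pitfalls in Tip 2 and Tip 4.
# Field names are assumed to match `az acr show` and
# `az role assignment list` JSON output; all sample values are constructed.

OVERBROAD_ROLES = {"Owner", "Contributor"}  # far more than a pull needs

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
REGISTRY_ID = (SUB + "/resourceGroups/rg-demo/providers/"
               "Microsoft.ContainerRegistry/registries/myregistry")

SAMPLE_REGISTRY = {"id": REGISTRY_ID, "name": "myregistry",
                   "adminUserEnabled": True}

SAMPLE_ASSIGNMENTS = [
    {"principalName": "aks-demo-agentpool", "principalType": "ServicePrincipal",
     "roleDefinitionName": "AcrPull", "scope": REGISTRY_ID},
    {"principalName": "build-pipeline-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "AcrPush", "scope": REGISTRY_ID},
    {"principalName": "legacy-webapp-identity", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": REGISTRY_ID},
    {"principalName": "batch-runner-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "admin@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": REGISTRY_ID},
]


def audit_registry(registry, assignments):
    """Return (check, subject, detail) tuples for risky registry access."""
    findings = []
    if registry.get("adminUserEnabled"):
        findings.append(("admin-user-enabled", registry["name"],
                         "shared username/password is active"))
    for a in assignments:
        # Managed identities and service principals both report this type.
        if a.get("principalType") != "ServicePrincipal":
            continue
        role = a.get("roleDefinitionName")
        if role in OVERBROAD_ROLES:
            direct = a.get("scope", "").lower() == registry["id"].lower()
            where = "registry" if direct else "inherited scope"
            findings.append(("overbroad-role", a.get("principalName"),
                             f"{role} at {where}; AcrPull is enough to pull"))
    return findings


if __name__ == "__main__":
    for finding in audit_registry(SAMPLE_REGISTRY, SAMPLE_ASSIGNMENTS):
        print(*finding, sep=" | ")
```

Human administrators are skipped on purpose: the check targets compute resources and pipelines, which the guide says should hold only AcrPull or AcrPush.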