Azure Container Registry is the container image registry for Azure-based container workflows. Beyond basic image storage, ACR gives you features that affect production security and reliability.

Geo-replication for global registries

ACR geo-replication replicates the registry contents to multiple Azure regions. Kubernetes clusters in each region pull images from a regional replica, reducing pull latency and egress costs. Geo-replication is active-active: pushing to any regional endpoint replicates globally. For globally distributed deployments, geo-replication eliminates the cross-region image pull latency that can extend cold start times and scaling events.

ACR Tasks for image automation

ACR Tasks automates container image build and maintenance: build images on git push (triggered by a GitHub or Azure DevOps webhook), trigger downstream image builds when base images update (base image tracking), and run scheduled tasks for image scanning and maintenance. The base image tracking feature is operationally significant: when the upstream alpine:3.14 is updated, all images built from it are automatically rebuilt and pushed.

Content trust and image signing

ACR supports Docker Content Trust (Notary v1) for image signing. Signed images can only be pulled by clients with Docker Content Trust enabled. AKS can enforce (via Azure Policy) that only images from a trusted registry are deployed, providing a supply chain control for production clusters. The operational requirement: every image pushed to production registries must be signed by the build system.

Private endpoints for network isolation

ACR with private endpoints disables the public registry endpoint and routes all registry access through an Azure Private Link connection. Kubernetes clusters that use ACR with private endpoints pull images over the Azure backbone without public internet exposure. The networking requirement: the cluster's VNet must have a private endpoint connection to the ACR, and private DNS zones must resolve the registry FQDN to the private IP.
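
A check for the DNS requirement above, as an added example (not code from the original page or from Azure tooling): it resolves the registry's login endpoint and each replica region's data endpoint and reports whether the answers fall inside the cluster VNet. The registry name, regions, CIDR and DNS answers are constructed and the function names are hypothetical; the `<registry>.<region>.data.azurecr.io` data-endpoint naming is ACR's documented pattern.

```python
import ipaddress
import socket


def system_resolver(fqdn):
    """Addresses the local resolver returns for fqdn (run this on a cluster node)."""
    return {info[4][0] for info in socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)}


def check_acr_private_dns(registry, regions, vnet_cidrs, resolver=system_resolver):
    """Return {fqdn: (addresses, verdict)} for the login and per-region data endpoints."""
    nets = [ipaddress.ip_network(c) for c in vnet_cidrs]
    names = [f"{registry}.azurecr.io"]
    names += [f"{registry}.{region}.data.azurecr.io" for region in regions]
    report = {}
    for name in names:
        try:
            addrs = sorted(resolver(name))
        except OSError:  # socket.gaierror is a subclass: NXDOMAIN, no resolver, ...
            addrs = []
        inside = [any(ipaddress.ip_address(a) in n for n in nets) for a in addrs]
        if not addrs:
            verdict = "unresolved"
        elif all(inside):
            verdict = "private"
        elif any(inside):
            verdict = "mixed"      # resolver returns both private and public answers
        else:
            verdict = "public"     # private DNS zone missing or not linked to the VNet
        report[name] = (addrs, verdict)
    return report


# Constructed sample answers: records exist for the login endpoint and one data
# endpoint, a second region still resolves publicly, a third has no record.
SAMPLE_DNS = {
    "contosoreg.azurecr.io": {"10.240.1.4"},
    "contosoreg.westeurope.data.azurecr.io": {"10.240.1.5"},
    "contosoreg.eastus.data.azurecr.io": {"203.0.113.10"},
}


def sample_resolver(fqdn):
    if fqdn not in SAMPLE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {fqdn}")
    return SAMPLE_DNS[fqdn]


if __name__ == "__main__":
    result = check_acr_private_dns("contosoreg", ["westeurope", "eastus", "japaneast"],
                                   ["10.240.0.0/16"], resolver=sample_resolver)
    for fqdn, (addrs, verdict) in result.items():
        print(f"{verdict:10} {fqdn} -> {addrs}")
```

Run it with the default resolver from a cluster node; any verdict other than `private` points at a missing record or a private DNS zone that is not linked to the VNet.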