Last updated: May 2026
Azure Containers · Beginner · AZ-204 · ⏱ 11 min read

Azure Container Registry

Azure Container Registry (ACR) is a managed, private Docker registry service for storing and managing container images. It integrates natively with Azure services — AKS, App Service, Container Instances, and Azure DevOps — making it the natural choice for storing images in an Azure-based container pipeline.

What you'll learn: ACR SKUs (Basic, Standard, Premium) · Creating an ACR · Authentication methods · Pushing and pulling images · ACR Tasks — build automation · Geo-replication (Premium) · Webhooks · Security — private endpoints, admin account

ACR SKUs

SKU | Storage | Geo-replication | Private endpoint | Best For
Basic | 10 GB | No | No | Dev/test, learning
Standard | 100 GB | No | No | Most production workloads
Premium | 500 GB | Yes | Yes | Enterprise, multi-region, high throughput

Creating an ACR

Azure CLI: Create Azure Container Registry
# Create ACR (Standard SKU)
az acr create \
  --name myregistry2026 \
  --resource-group myRG \
  --location centralindia \
  --sku Standard

# View login server URL
az acr show \
  --name myregistry2026 \
  --query loginServer \
  --output tsv
# Output: myregistry2026.azurecr.io

Authentication

Three ways to authenticate to ACR:

1. Azure CLI Login (Development)

Azure CLI: Login with Azure credentials
az acr login --name myregistry2026

2. Service Principal (CI/CD Pipelines)

Azure CLI: Create service principal for ACR access
# Get ACR ID
ACR_ID=$(az acr show --name myregistry2026 --query id --output tsv)

# Create service principal with pull access
az ad sp create-for-rbac \
  --name acr-pull-sp \
  --role AcrPull \
  --scope "$ACR_ID"

# Use the appId as username and password as password in CI/CD
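
A least-privilege check for identities such as the service principal created above, as an added example that is not part of the original page. It assumes the input is tab-separated `principalId`, `principalType`, `roleDefinitionName` rows from `az role assignment list`; the function name and the sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag service principals holding more than the allowed roles
# on a registry. Input (stdin): tab-separated rows as produced by
#   az role assignment list --scope "$ACR_ID" --include-inherited -o tsv \
#     --query "[].[principalId, principalType, roleDefinitionName]"
# --include-inherited also lists roles granted at resource-group or
# subscription scope, which apply to the registry as well.
TAB=$(printf '\t')

# Arguments: allowed role names (default: AcrPull only).
# Managed identities are reported with principalType ServicePrincipal too.
audit_acr_roles() {
  [ "$#" -gt 0 ] || set -- AcrPull
  excess=0
  while IFS="$TAB" read -r principal ptype role; do
    [ "$ptype" = "ServicePrincipal" ] || continue
    allowed=no
    for ok in "$@"; do
      if [ "$role" = "$ok" ]; then allowed=yes; fi
    done
    if [ "$allowed" = no ]; then
      echo "EXCESS $principal: $role (allowed: $*)"
      excess=$((excess + 1))
    fi
  done
  echo "excess=$excess"
  [ "$excess" -eq 0 ]   # non-zero exit status fails a pipeline step
}

# Constructed sample rows; the principal IDs are placeholders.
sample_assignments() {
  printf '%s\t%s\t%s\n' \
    00000000-0000-0000-0000-000000000001 ServicePrincipal AcrPull \
    00000000-0000-0000-0000-000000000002 ServicePrincipal Contributor \
    00000000-0000-0000-0000-000000000003 User Owner \
    00000000-0000-0000-0000-000000000004 ServicePrincipal AcrPush
}

sample_assignments | audit_acr_roles || echo "role audit: excess roles present"
```

For a registry that a build pipeline pushes to, pass the wider allowlist explicitly: `audit_acr_roles AcrPull AcrPush`.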

3. Managed Identity (Azure Services)

Grant AKS, App Service, or Container Instances access to ACR using Managed Identity — no credentials needed:

Azure CLI: Attach ACR to AKS cluster
# Grant AKS permission to pull from ACR
az aks update \
  --name myAKSCluster \
  --resource-group myRG \
  --attach-acr myregistry2026

💡 Disable Admin Account: ACR has an admin account (username/password) that can be used for quick access. Disable it in production — use Service Principals or Managed Identities instead. Admin credentials are static and harder to rotate securely.

Pushing and Pulling Images

Docker + Azure CLI: Push and pull from ACR
# Login to ACR
az acr login --name myregistry2026

# Tag image with ACR login server
docker tag myapp:v1 myregistry2026.azurecr.io/myapp:v1

# Push to ACR
docker push myregistry2026.azurecr.io/myapp:v1

# Pull from ACR
docker pull myregistry2026.azurecr.io/myapp:v1

# List repositories in ACR
az acr repository list --name myregistry2026 --output table

# List tags for a repository
az acr repository show-tags \
  --name myregistry2026 \
  --repository myapp \
  --output table

ACR Tasks

ACR Tasks automate container image builds and updates in Azure — no local Docker needed:

  • Quick task — Build on demand: az acr build
  • Triggered task — Build on Git commit or base image update
  • Scheduled task — Build on a cron schedule

Azure CLI: Build image using ACR Tasks
# Quick build — sends context to Azure and builds there
az acr build \
  --registry myregistry2026 \
  --image myapp:v1 .

Geo-Replication (Premium)

Premium ACR supports geo-replication — replicate your registry to multiple Azure regions. Benefits:

  • Faster image pulls for services in different regions
  • Single registry endpoint — Azure routes to nearest replica
  • High availability — if one region is down, others serve traffic

Azure CLI: Add geo-replication to ACR
az acr replication create \
  --registry myregistry2026 \
  --location eastus

Security

  • Private endpoint — Remove public access, connect only via VNet (Premium)
  • Firewall rules — Restrict which IPs can access the registry
  • Content trust — Sign images to ensure authenticity
  • Vulnerability scanning — Microsoft Defender for Containers scans images in ACR
  • RBAC roles — AcrPull (pull only), AcrPush (push), AcrDelete, Owner
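
The admin-account advice and the private endpoint item above can be checked across a subscription with a short audit, shown here as an added example that is not part of the original page. It assumes tab-separated rows from `az acr list` with the query in the header comment; the function name and the registries `prodregistry` and `legacyregistry` are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit ACR settings against the hardening points above.
# Input (stdin): one registry per line, tab-separated, as produced by
#   az acr list -o tsv \
#     --query "[].[name, sku.name, adminUserEnabled, publicNetworkAccess]"
TAB=$(printf '\t')

audit_acr() {
  findings=0
  while IFS="$TAB" read -r name sku admin public; do
    [ -n "$name" ] || continue
    # Compare case-insensitively (True/true, Enabled/enabled).
    admin=$(printf '%s' "$admin" | tr '[:upper:]' '[:lower:]')
    public=$(printf '%s' "$public" | tr '[:upper:]' '[:lower:]')
    if [ "$admin" = "true" ]; then
      echo "FAIL $name: admin account enabled (static username/password)"
      findings=$((findings + 1))
    fi
    if [ "$public" = "enabled" ]; then
      if [ "$sku" = "Premium" ]; then
        echo "WARN $name: public access on; private endpoint available (Premium)"
      else
        echo "WARN $name: public access on; $sku SKU has no private endpoint"
      fi
      findings=$((findings + 1))
    fi
  done
  echo "findings=$findings"
  [ "$findings" -eq 0 ]   # non-zero exit status fails a pipeline step
}

# Constructed sample rows; prodregistry and legacyregistry are made-up names.
sample_registries() {
  printf '%s\t%s\t%s\t%s\n' \
    myregistry2026 Standard True Enabled \
    prodregistry Premium False Disabled \
    legacyregistry Premium True Enabled
}

sample_registries | audit_acr || echo "audit: findings present"
```

A FAIL line is cleared with `az acr update --name <registry> --admin-enabled false`.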

💡 AZ-204 Exam Tip: Know the three SKUs and that geo-replication and private endpoints require Premium. Know the three auth methods — CLI login (dev), Service Principal (CI/CD), Managed Identity (Azure services). Know that AcrPull grants pull-only access and AcrPush grants push access.

📝 Practice Questions
Q1. Which ACR SKU is required for geo-replication across Azure regions?
A — Basic
B — Standard
C — Premium
D — Enterprise
Q2. What is the recommended authentication method for a CI/CD pipeline pulling images from ACR?
A — Admin account username and password
B — az acr login command
C — Service Principal with AcrPull role
D — Personal access token
Q3. What RBAC role grants an identity permission to pull images from ACR but NOT push?
A — AcrPull
B — AcrPush
C — Contributor
D — AcrDelete
Q4. What does az acr build --registry myregistry --image myapp:v1 . do?
A — Builds the image locally and pushes it to ACR
B — Sends source code to Azure and builds the image there — no local Docker required
C — Deploys the application directly to Azure App Service
D — Creates an Azure Container Instance from the image
Q5. Why should the ACR admin account be disabled in production?
A — It only supports pull operations, not push
B — It uses static credentials that are hard to rotate — Service Principals or Managed Identities are more secure
C — It is only available on Basic SKU and limits features
D — It reduces registry performance significantly
Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with Microsoft Corporation.