Container Registry service firewall is not restricted

March 21, 2025 · View on GitHub

SYNOPSIS

A container registry without network restrictions can be reached from any network location, including the Internet.

DESCRIPTION

Azure Container Registry (ACR) allows you to restrict network access to trusted clients and networks instead of any client.

Container registries using the Premium SKU can limit network access by setting firewall rules or by using private endpoints. Firewall rules and private endpoints are not supported on the Basic or Standard SKU.

In general, network access should be restricted to harden against unauthorized access or exfiltration attempts. However, this may not be required when publishing and distributing public container images to external parties.

RECOMMENDATION

Consider restricting network access to trusted clients to harden against unauthorized access or exfiltration attempts.

EXAMPLES

Configure with Azure template

To deploy Azure Container Registries that pass this rule:

  • Set the properties.publicNetworkAccess property to Disabled. OR
  • Set the properties.networkRuleSet.defaultAction property to Deny.

For example, the following uses the second option: public network access stays enabled, but the default action denies all traffic except from the allowed public IP address. Replace _PublicIPv4Address_ with the address or CIDR range to allow:

{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2023-11-01-preview",
  "name": "[parameters('registryName')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "properties": {
    "publicNetworkAccess": "Enabled",
    "networkRuleBypassOptions": "AzureServices",
    "networkRuleSet": {
      "defaultAction": "Deny",
      "ipRules": [
        {
          "action": "Allow",
          "value": "_PublicIPv4Address_"
        }
      ]
    }
  }
}
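To catch a non-compliant template before it is deployed, the following added example (not part of this page, of PSRule for Azure, or of Microsoft's tooling) re-implements the two conditions above as an offline Python check over ARM template JSON, and also reports the SKU and Defender for Containers caveats from the Notes. The sample template, the registry names and the IP address inside it are constructed; the service defaults it assumes for properties absent from the template are stated in the code.

```python
# Added example (not PSRule for Azure's or Microsoft's code): an offline check that
# re-implements this rule's pass/fail logic over ARM template resources, plus the
# SKU and Defender for Containers caveats from this page. The template below is
# constructed for illustration; registry names and the IP address are placeholders.
from __future__ import annotations

import json

ACR_TYPE = "Microsoft.ContainerRegistry/registries"

# Assumed service defaults when a property is absent from the template: public
# network access enabled, defaultAction Allow, and trusted Azure services allowed
# to bypass network rules (networkRuleBypassOptions = AzureServices).
DEFAULT_PUBLIC_ACCESS = "enabled"
DEFAULT_ACTION = "allow"
DEFAULT_BYPASS = "azureservices"


def _props(resource: dict) -> dict:
    return resource.get("properties") or {}


def acr_firewall_restricted(resource: dict) -> bool:
    """True when the registry passes the rule: publicNetworkAccess is Disabled
    OR networkRuleSet.defaultAction is Deny. Comparison is case-insensitive
    because ARM accepts either casing for these enum values."""
    props = _props(resource)
    public_access = str(props.get("publicNetworkAccess", DEFAULT_PUBLIC_ACCESS)).lower()
    rule_set = props.get("networkRuleSet") or {}
    default_action = str(rule_set.get("defaultAction", DEFAULT_ACTION)).lower()
    return public_access == "disabled" or default_action == "deny"


def acr_findings(resource: dict) -> list[str]:
    """Findings for one registry resource: the rule itself plus the two caveats
    a reviewer would raise alongside it."""
    findings: list[str] = []
    props = _props(resource)
    sku = str((resource.get("sku") or {}).get("name", "")).lower()
    restricted = acr_firewall_restricted(resource)
    bypass = str(props.get("networkRuleBypassOptions", DEFAULT_BYPASS)).lower()

    if not restricted:
        findings.append("FAIL: public network access is unrestricted "
                        "(publicNetworkAccess Enabled and defaultAction Allow)")
    if restricted and sku != "premium":
        # Firewall rules and private endpoints are Premium-only; a Basic or
        # Standard registry cannot actually enforce these restrictions.
        findings.append(f"SKU: network restrictions require the Premium SKU, found '{sku or 'unset'}'")
    if restricted and bypass != DEFAULT_BYPASS:
        findings.append("DEFENDER: trusted Microsoft services are not allowed through the "
                        "network rules, so Defender for Containers cannot scan this registry")
    return findings


def check_template(template: dict) -> dict[str, list[str]]:
    """Evaluate every registry resource in an ARM template; an empty list means clean."""
    return {res["name"]: acr_findings(res)
            for res in template.get("resources", [])
            if res.get("type") == ACR_TYPE}


# Constructed sample template with three registries covering the interesting cases:
# an open Standard registry, the Premium firewall example from this page, and a
# Premium registry with public access disabled but trusted services not bypassed.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.ContainerRegistry/registries", "name": "acr-open",
     "sku": {"name": "Standard"}, "properties": {}},
    {"type": "Microsoft.ContainerRegistry/registries", "name": "acr-restricted",
     "sku": {"name": "Premium"},
     "properties": {"publicNetworkAccess": "Enabled",
                    "networkRuleBypassOptions": "AzureServices",
                    "networkRuleSet": {"defaultAction": "Deny",
                                       "ipRules": [{"action": "Allow", "value": "203.0.113.10"}]}}},
    {"type": "Microsoft.ContainerRegistry/registries", "name": "acr-private",
     "sku": {"name": "Premium"},
     "properties": {"publicNetworkAccess": "Disabled", "networkRuleBypassOptions": "None"}}
  ]
}
""")


def sample_results() -> dict[str, list[str]]:
    return check_template(SAMPLE_TEMPLATE)


if __name__ == "__main__":
    for name, findings in sample_results().items():
        print(name, "->", findings or ["PASS"])
```

Run it against a real template by loading the file with `json.load` and passing the result to `check_template`; resources whose `name` is an ARM expression such as `[parameters('registryName')]` are reported under that expression, so resolve parameters first if you need deployed names.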

Configure with Bicep

To deploy Azure Container Registries that pass this rule:

  • Set the properties.publicNetworkAccess property to Disabled. OR
  • Set the properties.networkRuleSet.defaultAction property to Deny.

For example, the following uses the second option: public network access stays enabled, but the default action denies all traffic except from the allowed public IP address. Replace _PublicIPv4Address_ with the address or CIDR range to allow:

resource acr 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
  name: registryName
  location: location
  sku: {
    name: 'Premium'
  }
  properties: {
    publicNetworkAccess: 'Enabled'
    networkRuleBypassOptions: 'AzureServices'
    networkRuleSet: {
      defaultAction: 'Deny'
      ipRules: [
        {
          action: 'Allow'
          value: '_PublicIPv4Address_'
        }
      ]
    }
  }
}

NOTES

Configuring firewall rules or using private endpoints is only available for the Premium SKU.

When used with Microsoft Defender for Containers, you must allow trusted Microsoft services to bypass the network rules (properties.networkRuleBypassOptions set to AzureServices, as in the examples above) so that the vulnerability assessment feature can scan the registry.