Container Registries Should Not Allow Unrestricted Network Access
Description:
Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources.
Solution/Reference:
To enable VNet/Firewall rules for a registry:
1. In the Azure portal, navigate to your registry.
2. Under Networking settings, on the Public access tab, select 'Selected networks' instead of 'All networks' to allow public access only from selected networks.
3. Under Firewall, enter a public IP address, such as the public IP address of a VM in a virtual network, or enter an address range in CIDR notation that contains the VM's IP address.
4. Select Save.
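To check the result across many registries, the sketch below audits registry JSON for the condition this recommendation describes. It is an added example, not part of the original recommendation. It assumes the field names seen in `az acr show` output (`publicNetworkAccess`, `networkRuleSet.defaultAction`, `ipRules[].ipAddressOrRange`); the /16 width threshold and the sample registries are constructed for illustration.

```python
import ipaddress

# Assumed threshold (not from the page): ranges wider than a /16 are reported.
MAX_ADDRESSES = 2 ** 16


def audit_registry(reg: dict) -> list[str]:
    """Return findings for one registry; an empty list means access is restricted."""
    if reg.get("publicNetworkAccess") == "Disabled":
        return []  # the public endpoint is switched off entirely
    rules = reg.get("networkRuleSet") or {}
    # A registry without a rule set behaves like 'All networks'.
    if rules.get("defaultAction", "Allow") != "Deny":
        return ["default action is Allow: reachable from any network"]
    findings = []
    for rule in rules.get("ipRules") or []:
        value = rule.get("ipAddressOrRange", "")
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(f"unparseable IP rule: {value!r}")
            continue
        # A firewall rule that spans most of the internet restricts nothing.
        if net.num_addresses > MAX_ADDRESSES:
            findings.append(f"IP rule {value} covers {net.num_addresses} addresses")
    return findings


def unhealthy(registries: list[dict]) -> dict[str, list[str]]:
    """Map registry name to findings, keeping only registries that have any."""
    return {r["name"]: f for r in registries if (f := audit_registry(r))}


# Constructed sample input shaped like `az acr list` output (not real registries).
SAMPLE = [
    {"name": "open", "publicNetworkAccess": "Enabled",
     "networkRuleSet": {"defaultAction": "Allow", "ipRules": []}},
    {"name": "scoped", "publicNetworkAccess": "Enabled",
     "networkRuleSet": {"defaultAction": "Deny", "ipRules": [
         {"action": "Allow", "ipAddressOrRange": "203.0.113.10"},
         {"action": "Allow", "ipAddressOrRange": "198.51.100.0/24"}]}},
    {"name": "wide", "publicNetworkAccess": "Enabled",
     "networkRuleSet": {"defaultAction": "Deny", "ipRules": [
         {"action": "Allow", "ipAddressOrRange": "0.0.0.0/0"}]}},
    {"name": "private", "publicNetworkAccess": "Disabled"},
]

if __name__ == "__main__":
    for name, findings in unhealthy(SAMPLE).items():
        print(name, findings)
```
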
Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet.