You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/container-registry/container-registry-firewall-access-rules.md
+7-7Lines changed: 7 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,29 +2,29 @@
2
2
title: Firewall access rules
3
3
description: Configure rules to access an Azure container registry from behind a firewall, by allowing access to ("whitelisting") REST API and data endpoint domain names or service-specific IP address ranges.
4
4
ms.topic: article
5
-
ms.date: 04/28/2020
5
+
ms.date: 05/06/2020
6
6
---
7
7
8
8
# Configure rules to access an Azure container registry behind a firewall
9
9
10
10
This article explains how to configure rules on your firewall to allow access to an Azure container registry. For example, an Azure IoT Edge device behind a firewall or proxy server might need to access a container registry to pull a container image. Or, a locked-down server in an on-premises network might need access to push an image.
11
11
12
-
If instead you want to configure inbound network access to a container registry only within an Azure virtual network or from a public IP address range, see [Configure Azure Private Link for an Azure container registry](container-registry-private-link.md) or [Restrict access to an Azure container registry from a virtual network](container-registry-vnet.md).
12
+
If instead you want to configure inbound network access to a container registry only within an Azure virtual network, see [Configure Azure Private Link for an Azure container registry](container-registry-private-link.md).
13
13
14
14
## About registry endpoints
15
15
16
-
To pull or push images or other artifacts to an Azure container registry, a client such as a Docker daemon needs to interact over HTTPS with two distinct endpoints. For clients that need access from an external network, you need to configure access rules for both endpoints.
16
+
To pull or push images or other artifacts to an Azure container registry, a client such as a Docker daemon needs to interact over HTTPS with two distinct endpoints. For clients that access a registry from behind a firewall, you need to configure access rules for both endpoints.
17
17
18
-
***Registry REST API endpoint** - Authentication and registry management operations are handled through the registry's public REST API endpoint. This endpoint is the login server name of the registry, or an associated IP address range. Example: `myregistry.azurecr.io`
18
+
***Registry REST API endpoint** - Authentication and registry management operations are handled through the registry's public REST API endpoint. This endpoint is the login server name of the registry. Example: `myregistry.azurecr.io`
19
19
20
20
***Data endpoint** - Azure [allocates blob storage](container-registry-storage.md) in Azure Storage accounts on behalf of each registry to manage the data for container images and other artifacts. When a client accesses image layers in an Azure container registry, it makes requests using a storage account endpoint provided by the registry.
21
21
22
22
If your registry is [geo-replicated](container-registry-geo-replication.md), a client might need to interact with the data endpoint in a specific region or in multiple replicated regions.
23
23
24
24
## Allow access to REST and data endpoints
25
25
26
-
***REST endpoint** - Allow access to the fully qualified registry login server name, such as `myregistry.azurecr.io`
27
-
***Storage (data) endpoint** - Enable access to a [dedicated data endpoint](#configure-dedicated-data-endpoints-preview) (preview) in each region where the registry is located or replicated, such as `myregistry.westeurope.azurecr.io`. Alternatively, and less specifically, allow access to all Azure blob storage accounts using the wildcard `*.blob.core.windows.net`.
26
+
***REST endpoint** - Allow access to the fully qualified registry login server name, such as `myregistry.azurecr.io`, or an associated IP address range
27
+
***Storage (data) endpoint** - Enable access to a [dedicated data endpoint](#configure-dedicated-data-endpoints-preview) (preview) in each region where the registry is located or replicated, such as `myregistry.westeurope.azurecr.io`. Alternatively, and less specifically, allow access to all Azure blob storage accounts using the wildcard `*.blob.core.windows.net`, or an associated IP address range.
28
28
29
29
## Configure dedicated data endpoints (preview)
30
30
@@ -33,7 +33,7 @@ If your registry is [geo-replicated](container-registry-geo-replication.md), a c
33
33
34
34
### Enable data endpoint (preview)
35
35
36
-
A dedicated data endpoint is an optional feature of the **Premium** container registry service tier. For information about registry service tiers and limits, see [Azure Container Registry SKUs](container-registry-skus.md). To enable data endpoints using the Azure CLI, use Azure CLI version 2.4.0 or higher. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).
36
+
A dedicated data endpoint is an optional feature of the **Premium** container registry service tier. For information about registry service tiers and limits, see [Azure Container Registry Tiers](container-registry-skus.md). To enable data endpoints using the Azure CLI, use Azure CLI version 2.4.0 or higher. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).
37
37
38
38
The following [az acr update][az-acr-update] command enables data endpoints on a registry *myregistry*. For demonstration purpose, assume that the registry is replicated in two regions:
0 commit comments