Merge pull request #99460 from dlepow/acifresh6

[ACI Freshness] Using ACR

Author: megvanhuygen

articles/container-instances/container-instances-using-azure-container-registry.md

@@ -3,7 +3,7 @@ title: Deploy container image from Azure Container Registry
 description: Learn how to deploy containers in Azure Container Instances using container images in an Azure container registry.
 services: container-instances
 ms.topic: article
-ms.date: 01/04/2019
+ms.date: 12/30/2019
 ms.author: danlep
 ms.custom: mvc
 ---
@@ -20,15 +20,19 @@ ms.custom: mvc
 
 ## Configure registry authentication
 
-In any production scenario, access to an Azure container registry should be provided by using [service principals](../container-registry/container-registry-auth-service-principal.md). Service principals allow you to provide [role-based access control](../container-registry/container-registry-roles.md) to your container images. For example, you can configure a service principal with pull-only access to a registry.
+In a production scenario where you provide access to "headless" services and applications, it's recommended to configure registry access by using a [service principal](../container-registry/container-registry-auth-service-principal.md). A service principal allows you to provide [role-based access control](../container-registry/container-registry-roles.md) to your container images. For example, you can configure a service principal with pull-only access to a registry.
+
+Azure Container Registry provides additional [authentication options](../container-registry/container-registry-authentication.md).
 
 In the following section, you create an Azure key vault and a service principal, and store the service principal's credentials in the vault. 
 
 ### Create key vault
 
 If you don't already have a vault in [Azure Key Vault](../key-vault/key-vault-overview.md), create one with the Azure CLI using the following commands.
 
-Update the `RES_GROUP` variable with the name of an existing resource group in which to create the key vault, and `ACR_NAME` with the name of your container registry. Specify a name for your new key vault in `AKV_NAME`. The vault name must be unique within Azure and must be 3-24 alphanumeric characters in length, begin with a letter, end with a letter or digit, and cannot contain consecutive hyphens.
+Update the `RES_GROUP` variable with the name of an existing resource group in which to create the key vault, and `ACR_NAME` with the name of your container registry. For brevity, commands in this article assume that your registry, key vault, and container instances are all created in the same resource group.
+
+ Specify a name for your new key vault in `AKV_NAME`. The vault name must be unique within Azure and must be 3-24 alphanumeric characters in length, begin with a letter, end with a letter or digit, and cannot contain consecutive hyphens.
 
 ```azurecli
 RES_GROUP=myresourcegroup # Resource Group name
@@ -40,12 +44,12 @@ az keyvault create -g $RES_GROUP -n $AKV_NAME
 
 ### Create service principal and store credentials
 
-You now need to create a service principal and store its credentials in your key vault.
+Now create a service principal and store its credentials in your key vault.
 
 The following command uses [az ad sp create-for-rbac][az-ad-sp-create-for-rbac] to create the service principal, and [az keyvault secret set][az-keyvault-secret-set] to store the service principal's **password** in the vault.
 
 ```azurecli
-# Create service principal, store its password in AKV (the registry *password*)
+# Create service principal, store its password in vault (the registry *password*)
 az keyvault secret set \
   --vault-name $AKV_NAME \
   --name $ACR_NAME-pull-pwd \
@@ -62,14 +66,14 @@ The `--role` argument in the preceding command configures the service principal
 Next, store the service principal's *appId* in the vault, which is the **username** you pass to Azure Container Registry for authentication.
 
 ```azurecli
-# Store service principal ID in AKV (the registry *username*)
+# Store service principal ID in vault (the registry *username*)
 az keyvault secret set \
     --vault-name $AKV_NAME \
     --name $ACR_NAME-pull-usr \
     --value $(az ad sp show --id http://$ACR_NAME-pull --query appId --output tsv)
 ```
 
-You've created an Azure Key Vault and stored two secrets in it:
+You've created an Azure key vault and stored two secrets in it:
 
 * `$ACR_NAME-pull-usr`: The service principal ID, for use as the container registry **username**.
 * `$ACR_NAME-pull-pwd`: The service principal password, for use as the container registry **password**.
@@ -111,18 +115,22 @@ Once the container has started successfully, you can navigate to its FQDN in you
 
 ## Deploy with Azure Resource Manager template
 
-You can specify the properties of your Azure Container Registry in an Azure Resource Manager template by including the `imageRegistryCredentials` property in the container group definition:
+You can specify the properties of your Azure container registry in an Azure Resource Manager template by including the `imageRegistryCredentials` property in the container group definition. For example, you can specify the registry credentials directly:
 
 ```JSON
+[...]
 "imageRegistryCredentials": [
   {
     "server": "imageRegistryLoginServer",
     "username": "imageRegistryUsername",
     "password": "imageRegistryPassword"
   }
 ]
+[...]
 ```
 
+For complete container group settings, see the [Resource Manager template reference](/azure/templates/Microsoft.ContainerInstance/2018-10-01/containerGroups).    
+
 For details on referencing Azure Key Vault secrets in a Resource Manager template, see [Use Azure Key Vault to pass secure parameter value during deployment](../azure-resource-manager/resource-manager-keyvault-parameter.md).
 
 ## Deploy with Azure portal