Merge pull request #113861 from dlepow/acrpl

[ACR] Private link - GA

Author: megvanhuygen

articles/container-registry/TOC.yml

@@ -87,9 +87,11 @@
         href: container-registry-webhook.md
     - name: Security and authentication
       items:
-      - name: Integrate with Azure Private Link (preview)
+      - name: Restrict access using private endpoint
         href: container-registry-private-link.md
-      - name: Limit access with virtual network (preview)
+      - name: Configure service firewall rules
+        href: container-registry-access-selected-networks.md
+      - name: Restrict access using service endpoint (preview)
         href: container-registry-vnet.md
       - name: Encrypt with customer-managed key
         href: container-registry-customer-managed-keys.md
@@ -109,10 +111,10 @@
           href: container-registry-auth-kubernetes.md
         - name: Authenticate from Azure Kubernetes Service (AKS)
           href: ../aks/cluster-container-registry-integration.md?toc=/azure/container-registry/toc.json&bc=/azure/container-registry/breadcrumb/toc.json
+        - name: Authenticate with repository-scoped token (preview)
+          href: container-registry-repository-scoped-permissions.md
       - name: Role-based access control
         href: container-registry-roles.md
-      - name: Repository-scoped permissions (preview)
-        href: container-registry-repository-scoped-permissions.md
       - name: Content trust
         href: container-registry-content-trust.md
       - name: Image scanning with Security Center

articles/container-registry/container-registry-access-selected-networks.md

@@ -0,0 +1,95 @@
+---
+title: Configure service firewall rules
+description: Configure IP rules to enable access to an Azure container registry from selected public IP addresses or address ranges.
+ms.topic: article
+ms.date: 05/04/2020
+---
+
+# Configure public IP network rules
+
+An Azure container registry by default accepts connections over the internet from hosts on any network. This article shows how to configure your container registry to allow access from only specific public IP addresses or address ranges. Equivalent steps using the Azure CLI and Azure portal are provided.
+
+IP network rules are configured on the public registry endpoint. IP network rules do not apply to private endpoints configured with [Private Link](container-registry-private-link.md)
+
+Configuring IP access rules is available in the **Premium** container registry service tier. For information about registry service tiers and limits, see [Azure Container Registry tiers](container-registry-skus.md).
+
+## Access from selected public network - CLI
+
+### Change default network access to registry
+
+To limit access to a selected public network, first change the default action to deny access. Substitute the name of your registry in the following [az acr update][az-acr-update] command:
+
+```azurecli
+az acr update --name myContainerRegistry --default-action Deny
+```
+
+### Add network rule to registry
+
+Use the [az acr network-rule add][az-acr-network-rule-add] command to add a network rule to your registry that allows access from a public IP address or range. For example, substitute the container registry's name and the public IP address of a VM in a virtual network.
+
+```azurecli
+az acr network-rule add \
+  --name mycontainerregistry \
+  --ip-address <public-IP-address>
+```
+
+> [!NOTE]
+> After adding a rule, it takes a few minutes for the rule to take effect.
+
+## Access from selected public network - portal
+
+1. In the portal, navigate to your container registry.
+1. Under **Settings**, select **Networking**.
+1. On the **Public access** tab, select to allow public access from **Selected networks**.
+1. Under **Firewall**, enter a public IP address, such as the public IP address of a VM in a virtual network. Or, enter an address range in CIDR notation that contains the VM's IP address.
+1. Select **Save**.
+
+![Configure firewall rule for container registry][acr-access-selected-networks]
+
+> [!NOTE]
+> After adding a rule, it takes a few minutes for the rule to take effect.
+
+> [!TIP]
+> Optionally, enable registry access from a local client computer or IP address range. To allow this access, you need the computer's public IPv4 address. You can find this address by searching "what is my IP address" in an internet browser. The current client IPv4 address also appears automatically when you configure firewall settings on the **Networking** page in the portal.
+
+## Disable public network access
+
+To limit traffic to virtual networks using [Private Link](container-registry-private-link.md), disable the public endpoint on the registry. Disabling the public endpoint overrides all firewall configurations.
+
+### Disable public access - Portal
+
+1. In the portal, navigate to your container registry and select **Settings > Networking**.
+1. On the **Public access** tab, in **Allow public access**, select **Disabled**. Then select **Save**.
+
+![Disable public access][acr-access-disabled]
+
+## Restore default registry access
+
+To restore the registry to allow access by default, update the default action. 
+
+### Restore default registry access - portal
+
+1. In the portal, navigate to your container registry and select **Settings > Networking**.
+1. Under **Firewall**, select each address range, and then select the Delete icon.
+1. On the **Public access** tab, in **Allow public access**, select **All networks**. Then select **Save**.
+
+![Public access from all networks][acr-access-all-networks]
+
+## Next steps
+
+* To restrict access to a registry using a private endpoint in a virtual network, see [Configure Azure Private Link for an Azure container registry](container-registry-private-link.md).
+* If you need to set up registry access rules from behind a client firewall, see [Configure rules to access an Azure container registry behind a firewall](container-registry-firewall-access-rules.md).
+
+[az-acr-login]: /cli/azure/acr#az-acr-login
+[az-acr-network-rule-add]: /cli/azure/acr/network-rule/#az-acr-network-rule-add
+[az-acr-network-rule-remove]: /cli/azure/acr/network-rule/#az-acr-network-rule-remove
+[az-acr-network-rule-list]: /cli/azure/acr/network-rule/#az-acr-network-rule-list
+[az-acr-run]: /cli/azure/acr#az-acr-run
+[az-acr-update]: /cli/azure/acr#az-acr-update
+[quickstart-portal]: container-registry-get-started-portal.md
+[quickstart-cli]: container-registry-get-started-azure-cli.md
+[azure-portal]: https://portal.azure.com
+
+[acr-access-selected-networks]: ./media/container-registry-access-selected-networks/acr-access-selected-networks.png
+[acr-access-disabled]: ./media/container-registry-access-selected-networks/acr-access-disabled.png
+[acr-access-all-networks]: ./media/container-registry-access-selected-networks/acr-access-all-networks.png

articles/container-registry/container-registry-health-error-reference.md

@@ -52,7 +52,7 @@ This error means that the DNS for the given registry login server was pinged but
 
 ## CONNECTIVITY_FORBIDDEN_ERROR
 
-This error means that the challenge endpoint for the given registry responded with a 403 Forbidden HTTP status. This error means that users don't have access to the registry, most likely because of a virtual network configuration. To see the currently configured firewall rules, run `az acr show --query networkRuleSet --name <registry>`.
+This error means that the challenge endpoint for the given registry responded with a 403 Forbidden HTTP status. This error means that users don't have access to the registry, most likely because of a virtual network configuration or because access to the registry's public endpoint is not allowed. To see the currently configured firewall rules, run `az acr show --query networkRuleSet --name <registry>`.
 
 *Potential solutions*: Remove virtual network rules, or add the current client IP address to the allowed list.