edits

Author: dlepow

articles/container-registry/TOC.yml

@@ -84,7 +84,7 @@
       items:
       - name: Restrict access using private endpoint
         href: container-registry-private-link.md
-      - name: Restrict access from public networks
+      - name: Allow access from selected public networks
         href: container-registry-access-selected-networks.md
       - name: Restrict access using service endpoint (preview)
         href: container-registry-vnet.md

articles/container-registry/container-registry-access-selected-networks.md

@@ -1,21 +1,17 @@
 ---
-title: Allow access from public networks
-description: Allow access to an Azure container registry from selected public IP addresses or address ranges.
+title: Configure access from public networks
+description: Configure IP rules to enable access to an Azure container registry from selected public IP addresses or address ranges.
 ms.topic: article
 ms.date: 05/04/2020
 ---
 
-# Allow access from selected public networks
+# Configure access from selected public networks
 
 An Azure container registry by default accepts connections over the internet from hosts on any network. This article shows how to configure your container registry to allow access from only specific public IP addresses or address ranges. Equivalent steps using the Azure CLI and Azure portal are provided.
 
 In IP network rules, provide allowed internet address ranges using CIDR notation such as *16.17.18.0/24* or an individual IP addresses like *16.17.18.19*. IP network rules are only allowed for *public* internet IP addresses. IP address ranges reserved for private networks (as defined in RFC 1918) aren't allowed.
 
-## Prerequisites
-
-* If you don't already have a container registry, create one (Premium SKU required) and push a sample image such as `hello-world` from Docker Hub. For example, use the [Azure portal][quickstart-portal] or the [Azure CLI][quickstart-cli] to create a registry. 
-
-[!INCLUDE [Set up Docker-enabled VM](../../includes/container-registry-docker-vm-setup.md)]
+Configuring IP access rules is available in the **Premium** container registry service tier. For information about registry service tiers and limits, see [Azure Container Registry SKUs](container-registry-skus.md).
 
 ## Access from selected public network - CLI
 
@@ -29,60 +25,39 @@ az acr update --name myContainerRegistry --default-action Deny
 
 ### Add network rule to registry
 
-Use the [az acr network-rule add][az-acr-network-rule-add] command to add a network rule to your registry that allows access from a public IP address or range. For example, substitute the container registry's name and the public IP address of the VM in the following command.
+Use the [az acr network-rule add][az-acr-network-rule-add] command to add a network rule to your registry that allows access from a public IP address or range. For example, substitute the container registry's name and the public IP address of a VM in a virtual network.
 
 ```azurecli
 az acr network-rule add \
   --name mycontainerregistry \
   --ip-address <public-IP-address>
 ```
 
-Continue to [Verify access to the registry](#verify-access-to-the-registry).
+After adding a rule, it takes a few minutes for the rule to take effect.
 
 ## Access from selected public network - portal
 
 1. In the portal, navigate to your container registry.
 1. Under **Settings**, select **Networking**.
 1. On the **Public access** tab, select to allow public access from **Selected networks**.
-1. Under **Firewall**, enter a public IP address, such as your test VM's public IP address. Or, enter an address range in CIDR notation that contains the VM's IP address.
+1. Under **Firewall**, enter a public IP address, such as the public IP address of a VM in a virtual network. Or, enter an address range in CIDR notation that contains the VM's IP address.
 1. Select **Save**.
 
 ![Configure firewall rule for container registry][acr-access-selected-networks]
 
+After adding a rule, it takes a few minutes for the rule to take effect.
+
 > [!TIP]
 > Optionally, enable registry access from a local client computer or IP address range. To allow this access, you need the computer's public IPv4 address. You can find this address using a search like "what is my IP address" in an Internet browser. The current client IPv4 address also appears automatically when you configure firewall settings on the **Networking** page in the portal.
 
-Continue to [Verify access to the registry](#verify-access-to-the-registry).
-
-## Verify access to the registry
-
-After waiting a few minutes for the configuration to update, verify that the VM can access the container registry. Make an SSH connection to your VM, and run the [az acr login][az-acr-login] command to login to your registry. 
-
-```bash
-az acr login --name mycontainerregistry
-```
-
-You can perform registry operations such as run `docker pull` to pull a sample image from the registry. Substitute an image and tag value appropriate for your registry, prefixed with the registry login server name (all lowercase):
-
-```bash
-docker pull mycontainerregistry.azurecr.io/hello-world:v1
-``` 
-
-Docker successfully pulls the image to the VM.
-
-This example demonstrates that you can access the private container registry through the network access rule. However, the registry can't be accessed from a different login host that doesn't have a network access rule configured. If you attempt to login from another host using the `az acr login` command or `docker login` command, output is similar to the following:
-
-```Console
-Error response from daemon: login attempt to https://xxxxxxx.azurecr.io/v2/ failed with status: 403 Forbidden
-```
-
 ## Disable public network access
 
 In certain scenarios, you might want to disable all public network access to registry. For example, if you set up a [private endpoint](container-registry-private-link.md) for a registry in a virtual network, you might also decide to disable access from outside the virtual network.
 
 ### Disable public access - CLI
 
 Substitute the name of your registry in the following [az acr update][az-acr-update] command:
+
 ```azurecli
 az acr update --name myContainerRegistry --default-action Deny
 ```
@@ -110,18 +85,11 @@ az acr update --name myContainerRegistry --default-action Allow
 1. Under **Firewall**, select each address range, and then select the Delete icon.
 1. On the **Public access** tab, in **Allow public access**, select **All networks**. Then select **Save**.
 
-## Clean up resources
-
-If you created all the Azure resources in the same resource group and no longer need them, you can optionally delete the resources by using a single [az group delete](/cli/azure/group) command:
-
-```azurecli
-az group delete --name myResourceGroup
-```
-
-To clean up your resources in the portal, navigate to the myResourceGroup resource group. Once the resource group is loaded, click on **Delete resource group** to remove the resource group and the resources stored there.
-
 ## Next steps
 
+* To restrict access to a registry using a private endpoint in a virtual network, see [Configure Azure Private Link for an Azure container registry](container-registry-private-link.md).
+* If you need to set up registry access rules from behind a client firewall, see [Configure rules to access an Azure container registry behind a firewall](container-registry-firewall-access-rules.md).
+
 [az-acr-login]: /cli/azure/acr#az-acr-login
 [az-acr-network-rule-add]: /cli/azure/acr/network-rule/#az-acr-network-rule-add
 [az-acr-network-rule-remove]: /cli/azure/acr/network-rule/#az-acr-network-rule-remove

articles/container-registry/container-registry-private-link.md

@@ -1,13 +1,13 @@
 ---
 title: Set up private link
-description: Set up a private endpoint on a container registry and enable a private link in a local virtual network
+description: Set up a private endpoint on a container registry and enable access over a private link in a local virtual network
 ms.topic: article
 ms.date: 05/04/2020
 ---
 
 # Configure Azure Private Link for an Azure container registry 
 
-Set up a [private endpoint](../private-link/private-endpoint-overview.md) for your Azure container registry so that clients on an Azure virtual network securely access the registry over a [private link](../private-link/private-link-overview.md). The private endpoint uses an IP address from the virtual network address space for your registry. Network traffic between the clients on the virtual network and the registry traverses the virtual network and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
+Set up a [private endpoint](../private-link/private-endpoint-overview.md) for your Azure container registry so that clients on an Azure virtual network securely access the registry over a [private link](../private-link/private-link-overview.md). The private endpoint uses a private IP address from the virtual network address space for your registry. Network traffic between the clients on the virtual network and the registry traverses the virtual network and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
 
 You can [configure DNS settings](../private-link/private-endpoint-overview.md#dns-configuration) for your private endpoint, so that the settings resolve to the registry's allocated private IP address. With DNS configuration, clients and services in the network can continue to access the registry at the registry's fully qualified domain name, such as *myregistry.azurecr.io*.
 
@@ -197,6 +197,7 @@ Set up a private link when you create a registry, or add a private link to an ex
 1. Select the **Networking** tab.
 1. In **Network connectivity**, select **Private endpoint** > **+ Add**.
 1. Enter or select the following information:
+
     | Setting | Value |
     | ------- | ----- |
     | Subscription | Select your subscription. |
@@ -212,7 +213,7 @@ Set up a private link when you create a registry, or add a private link to an ex
     |||
 1. Configure the remaining registry settings, and then select **Review + Create**.
 
-![Create registry with private endpoint](./media/container-registry-private-link/private-link-create-portal.png)
+  ![Create registry with private endpoint](./media/container-registry-private-link/private-link-create-portal.png)
 
 ### Create a private endpoint - existing registry
 
@@ -263,7 +264,7 @@ After the private endpoint is created, DNS settings in the private zone appear o
 1. On the **Private endpoints** tab, select the private endpoint you created.
 1. On the **Overview** page, review the link settings and custom DNS settings.
 
-![Endpoint DNS settings](./media/container-registry-private-link/private-endpoint-overview.png)
+  ![Endpoint DNS settings](./media/container-registry-private-link/private-endpoint-overview.png)
 
 Your private link is now configured and ready for use.
 
@@ -357,7 +358,7 @@ To clean up your resources in the portal, navigate to your resource group. Once
 ## Next steps
 
 * To learn more about Private Link, see the [Azure Private Link](../private-link/private-link-overview.md) documentation.
-* An alternative to private link is to set up network access rules to restrict registry access. To learn more, see [Restrict access to an Azure container registry using an Azure virtual network or firewall rules](container-registry-vnet.md).
+* If you need to set up registry access rules from behind a client firewall, see [Configure rules to access an Azure container registry behind a firewall](container-registry-firewall-access-rules.md).
 
 <!-- LINKS - external -->
 [docker-linux]: https://docs.docker.com/engine/installation/#supported-platforms

articles/container-registry/container-registry-vnet.md

@@ -12,7 +12,7 @@ ms.date: 05/04/2020
 This article shows how to configure a container registry service endpoint in a virtual network. 
 
 > [!IMPORTANT]
-> Azure Container Registry also supports [Azure Private Link](container-registry-private-link.md), enabling private endpoints from a virtual network to be placed on a registry. Private endpoints are accessible from within the virtual network, using private IP addresses. We recommend using private endpoints instead of service endpoints in most network scenarios.
+> Azure Container Registry now supports [Azure Private Link](container-registry-private-link.md), enabling private endpoints from a virtual network to be placed on a registry. Private endpoints are accessible from within the virtual network, using private IP addresses. We recommend using private endpoints instead of service endpoints in most network scenarios.
 
 Configuring a registry service endpoint is available in the **Premium** container registry service tier. For information about registry service tiers and limits, see [Azure Container Registry SKUs](container-registry-skus.md).
 
@@ -128,7 +128,7 @@ docker pull mycontainerregistry.azurecr.io/hello-world:v1
 
 Docker successfully pulls the image to the VM.
 
-This example demonstrates that you can access the private container registry through the network access rule. However, the registry can't be accessed from a different login host that doesn't have a network access rule configured. If you attempt to login from another host using the `az acr login` command or `docker login` command, output is similar to the following:
+This example demonstrates that you can access the private container registry through the network access rule. However, the registry can't be accessed from a login host that doesn't have a network access rule configured. If you attempt to login from another host using the `az acr login` command or `docker login` command, output is similar to the following:
 
 ```Console
 Error response from daemon: login attempt to https://xxxxxxx.azurecr.io/v2/ failed with status: 403 Forbidden
@@ -145,7 +145,7 @@ To restore the registry to allow,  access by default, remove any network rules t
 To see a list of network rules configured for your registry, run the following [az acr network-rule list][az-acr-network-rule-list] command:
 
 ```azurecli
-az acr network-rule list--name mycontainerregistry 
+az acr network-rule list --name mycontainerregistry 
 ```
 
 For each rule that is configured, run the [az acr network-rule remove][az-acr-network-rule-remove] command to remove it. For example:
@@ -157,12 +157,6 @@ az acr network-rule remove \
   --name mycontainerregistry \
   --subnet /subscriptions/ \
   xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myDockerVMVNET/subnets/myDockerVMSubnet
-
-# Remove a rule that allows access for an IP address or CIDR range such as 23.45.1.0/24.
-
-az acr network-rule remove \
-  --name mycontainerregistry \
-  --ip-address 23.45.1.0/24
 ```
 
 #### Allow access
@@ -184,14 +178,8 @@ To clean up your resources in the portal, navigate to the myResourceGroup resour
 
 ## Next steps
 
-Several virtual network resources and features were discussed in this article, though briefly. The Azure Virtual Network documentation covers these topics extensively:
-
-* [Virtual network](https://docs.microsoft.com/azure/virtual-network/manage-virtual-network)
-* [Subnet](https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-subnet)
-* [Service endpoints](https://docs.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview)
-
-
-If instead you need to set up access rules for resources to reach a container registry from behind a client firewall, see [Configure rules to access an Azure container registry behind a firewall](container-registry-firewall-access-rules.md).
+* To restrict access to a registry using a private endpoint in a virtual network, see [Configure Azure Private Link for an Azure container registry](container-registry-private-link.md).
+* If you need to set up registry access rules from behind a client firewall, see [Configure rules to access an Azure container registry behind a firewall](container-registry-firewall-access-rules.md).
 
 
 <!-- IMAGES -->