You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/container-registry/container-registry-firewall-access-rules.md
+9-9Lines changed: 9 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,6 @@
1
1
---
2
2
title: Firewall access rules
3
-
description: Configure rules to access an Azure container registry from behind a firewall.
3
+
description: Configure rules to access an Azure container registry from behind a firewall, by allowing access to ("whitelisting") REST API and storage endpoint domain names or service-specific IP address ranges.
4
4
ms.topic: article
5
5
ms.date: 07/17/2019
6
6
---
@@ -9,29 +9,29 @@ ms.date: 07/17/2019
9
9
10
10
This article explains how to configure rules on your firewall to allow access to an Azure container registry. For example, an Azure IoT Edge device behind a firewall or proxy server might need to access a container registry to pull a container image. Or, a locked-down server in an on-premises network might need access to push an image.
11
11
12
-
If instead you want to configure inbound network access rules on a container registry to allow access only within an Azure virtual network or a public IP address range, see [Restrict access to an Azure container registry from a virtual network](container-registry-vnet.md).
12
+
If instead you want to configure inbound network access rules on a container registry only within an Azure virtual network or from a public IP address range, see [Restrict access to an Azure container registry from a virtual network](container-registry-vnet.md).
13
13
14
14
## About registry endpoints
15
15
16
16
To pull or push images or other artifacts to an Azure container registry, a client such as a Docker daemon needs to interact over HTTPS with two distinct endpoints.
17
17
18
-
***Registry REST API endpoint** - Authentication and registry management operations are handled through the registry's public REST API endpoint. This endpoint is the login server URL of the registry, or an associated IP address range.
18
+
***Registry REST API endpoint** - Authentication and registry management operations are handled through the registry's public REST API endpoint. This endpoint is the login server name of the registry, or an associated IP address range.
19
19
20
-
***Storage endpoint** - Azure [allocates blob storage](container-registry-storage.md) in Azure storage accounts on behalf of each registry to manage container images and other artifacts. When a client accesses image layers in an Azure container registry, it makes requests using a storage account endpoint provided by the registry.
20
+
***Storage endpoint** - Azure [allocates blob storage](container-registry-storage.md) in Azure Storage accounts on behalf of each registry to manage the data for container images and other artifacts. When a client accesses image layers in an Azure container registry, it makes requests using a storage account endpoint provided by the registry.
21
21
22
22
If your registry is [geo-replicated](container-registry-geo-replication.md), a client might need to interact with REST and storage endpoints in a specific region or in multiple replicated regions.
23
23
24
-
## Allow access to REST and storage URLs
24
+
## Allow access to REST and storage domain names
25
25
26
-
***REST endpoint** - Allow access to the registry server URL, such as `myregistry.azurecr.io`
27
-
***Storage endpoint** - Allow access to all Azure blob storage accounts using the wildcard `*.blob.core.windows.net`
26
+
***REST endpoint** - Allow access to the fully qualified registry login server name, such as `myregistry.azurecr.io`
27
+
***Storage (data) endpoint** - Allow access to all Azure blob storage accounts using the wildcard `*.blob.core.windows.net`
28
28
29
29
30
30
## Allow access by IP address range
31
31
32
-
If you need to allow access to specific IP addresses, download [Azure IP Ranges and Service Tags – Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519).
32
+
If your organization has policies to allow access only to specific IP addresses or address ranges, download [Azure IP Ranges and Service Tags – Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519).
33
33
34
-
To find the ACR REST endpoint IP ranges, search for **AzureContainerRegistry** in the JSON file.
34
+
To find the ACR REST endpoint IP ranges for which you need to allow access, search for **AzureContainerRegistry** in the JSON file.
35
35
36
36
> [!IMPORTANT]
37
37
> IP address ranges for Azure services can change, and updates are published weekly. Download the JSON file regularly, and make necessary updates in your access rules. If your scenario involves configuring network security group rules in an Azure virtual network to access Azure Container Registry, use the **AzureContainerRegistry**[service tag](#allow-access-by-service-tag) instead.
0 commit comments