You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/container-registry/container-registry-service-tag.md
+7-5Lines changed: 7 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,21 +15,23 @@ Service tags help set rules to allow or deny traffic to a specific Azure service
15
15
16
16
Azure Container Registry (ACR) generates network traffic originating from the ACR service tag for features such as Image import, Webhook, and ACR Tasks.
17
17
18
-
## Import container images to Azure Container Registry
18
+
When you configure a firewall for a registry, ACR serves the requests on its service tag IP addresses. For the scenarios mentioned in [Firewall access rules](container-registry-firewall-access-rules.md), customers can configure the firewall outbound rule to allow access to ACR service tag IP addresses.
19
19
20
-
ACR sends requests to the external registry service through service tag IP addresses to download the images. If the external registry service runs behind firewall, it needs to have inbound rule to allow ACR service tag IP addresses. These IPs are part of the AzureContainerRegistry service tag, which encompasses IP ranges necessary for importing images from public or Azure registries automatically updates Azure. Configuring a security measure to maintain the registry's integrity and accessibility.
20
+
## Import container images
21
+
22
+
Azure Container Registry (ACR) initiates requests to external registry services via service tag IP addresses for image downloads. If the external registry service operates behind a firewall, it requires an inbound rule to accept ACR service tag IP addresses. These IPs fall under the ACR service tag, which includes the necessary IP ranges for importing images from public or Azure registries. Azure ensures these ranges are updated automatically. Establishing this security protocol is crucial for upholding the registry's integrity and ensuring its availability.
21
23
22
-
When you configure a firewall for a registry, ACR server sends requests on its service tag IP addresses. For the scenarios mentioned in [Firewall access rules](container-registry-firewall-access-rules.md), customers can configure the firewall outbound rule to allow access to ACR service tag IP addresses.
24
+
ACR sends requests to the external registry service through service tag IP addresses to download the images. If the external registry service runs behind firewall, it needs to have inbound rule to allow ACR service tag IP addresses. These IPs are part of the AzureContainerRegistry service tag, which encompasses IP ranges necessary for importing images from public or Azure registries automatically updates Azure. Configuring a security measure to maintain the registry's integrity and accessibility.
23
25
24
26
Learn about [registry endpoints](container-registry-firewall-access-rules.md#about-registry-endpoints) to configure network security rules and allow traffic from the ACR service tag for image import in ACR.
25
27
26
28
For detailed steps and guidance on how to use the service tag during image import, refer to the [Azure Container Registry documentation](container-registry-import-images.md).
27
29
28
-
## Webhooks in Azure Container Registry
30
+
## Webhooks
29
31
30
32
Service tags in Azure Container Registry (ACR) are used to manage network traffic for features like webhooks to ensure only trusted sources are able to trigger these events. When you set up a webhook in ACR, it can respond to events at the registry level or be scoped down to a specific repository tag. For geo-replicated registries, you configure each webhook to respond to events in a specific regional replica.
31
33
32
-
The endpoint for a webhook must be publicly accessible from the registry. You can configure registry webhook requests to authenticate to a secured endpoint. ACR sends the request to the configured webhook endpoint through service tag IP addresses. If the webhook endpoint runs behind firewall, it needs to have inbound rule to allow ACR service tag IP addresses.
34
+
The endpoint for a webhook must be publicly accessible from the registry. You can configure registry webhook requests to authenticate to a secured endpoint. ACR sends the request to the configured webhook endpoint through service tag IP addresses. If the webhook endpoint runs behind firewall, it needs to have inbound rule to allow ACR service tag IP addresses. Additionally, to secure the webhook endpoint access, the customer must configure the proper authentication to validate the request.
33
35
34
36
For detailed steps on creating a webhook setup, refer to the [Azure Container Registry documentation](container-registry-webhook.md).
0 commit comments