articles/container-registry/container-registry-firewall-access-rules.md
9 additions & 7 deletions
@@ -1,6 +1,6 @@
1
1
---
2
2
title: Firewall access rules
3
-
description: Configure rules to access an Azure container registry from behind a firewall, by allowing access to ("whitelisting") REST API and storage endpoint domain names or service-specific IP address ranges.
3
+
description: Configure rules to access an Azure container registry from behind a firewall, by allowing access to ("whitelisting") REST API and data endpoint domain names or service-specific IP address ranges.
4
4
ms.topic: article
5
5
ms.date: 04/28/2020
6
6
---
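Review bot: `ms.date: 04/28/2020` is left untouched in this hunk even though the article body is revised further down (the data endpoint bullet is reordered and a Premium service tier requirement is added); bump `ms.date` so readers and the docs freshness checks see that the content changed. The `description` wording change from "storage endpoint" to "data endpoint" does match the body, but the parenthetical `("whitelisting")` is still carried over; since the page itself says "allow access" everywhere else, consider dropping it from the description as well.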
@@ -13,7 +13,7 @@ If instead you want to configure inbound network access to a container registry
13
13
14
14
## About registry endpoints
15
15
16
-
To pull or push images or other artifacts to an Azure container registry, a client such as a Docker daemon needs to interact over HTTPS with two distinct endpoints. You need to configure access rules for both endpoints.
16
+
To pull or push images or other artifacts to an Azure container registry, a client such as a Docker daemon needs to interact over HTTPS with two distinct endpoints. For clients that need access from an external network, you need to configure access rules for both endpoints.
17
17
18
18
***Registry REST API endpoint** - Authentication and registry management operations are handled through the registry's public REST API endpoint. This endpoint is the login server name of the registry, or an associated IP address range. Example: `myregistry.azurecr.io`
19
19
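Review bot: the new qualifier "For clients that need access from an external network" in the `+` line does not say which clients it excludes, and a reader could take it to mean that other clients need a rule for only one of the two endpoints, which the bullets that follow do not support. The article is about clients behind a firewall, so phrase it in those terms, for example: "For clients that reach the registry from behind a firewall or from a network with restricted outbound access, you need to configure access rules for both endpoints."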
@@ -24,18 +24,18 @@ If your registry is [geo-replicated](container-registry-geo-replication.md), a c
24
24
## Allow access to REST and data endpoints
25
25
26
26
***REST endpoint** - Allow access to the fully qualified registry login server name, such as `myregistry.azurecr.io`
27
-
***Storage (data) endpoint** - Allow access to all Azure blob storage accounts using the wildcard `*.blob.core.windows.net`. More securely, enable access to a [dedicated data endpoint](#configure-dedicated-data-endpoints-preview) (preview) in the region where the registry is located or replicated, such as `myregistry.westeurope.azurecr.io`. Configure data endpoint access rules for all required regions.
27
+
***Storage (data) endpoint** - Enable access to a [dedicated data endpoint](#configure-dedicated-data-endpoints-preview) (preview) in each region where the registry is located or replicated, such as `myregistry.westeurope.azurecr.io`. Alternatively, and less specifically, allow access to all Azure blob storage accounts using the wildcard `*.blob.core.windows.net`.
28
28
29
29
## Configure dedicated data endpoints (preview)
30
30
31
31
> [!WARNING]
32
32
> If you previously configured client firewall access to the existing `*.blob.core.windows.net` endpoints, switching to dedicated data endpoints will impact client connectivity, causing pull failures. To ensure clients have consistent access, add the new data endpoint rules to the client firewall rules. Once completed, enable dedicated data endpoints for your registries using the Azure CLI or other tools.
33
33
34
-
### Enable data endpoint
34
+
### Enable data endpoint (preview)
35
35
36
-
To enable data endpoints using the Azure CLI, use Azure CLI version 2.4.0 or higher. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).
36
+
A dedicated data endpoint is an optional feature of the **Premium** container registry service tier. For information about registry service tiers and limits, see [Azure Container Registry SKUs](container-registry-skus.md). To enable data endpoints using the Azure CLI, use Azure CLI version 2.4.0 or higher. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).
37
37
38
-
The following [az acr update][az-acr-update] command enables data endpoints on a registry *myregistry*. For demonstration purpose, the registry is replicated in two regions:
38
+
The following [az acr update][az-acr-update] command enables data endpoints on a registry *myregistry*. For demonstration purpose, assume that the registry is replicated in two regions:
39
39
40
40
```azurecli
41
41
az acr update --name myregistry --data-endpoint-enabled
@@ -65,7 +65,7 @@ Output:
65
65
}
66
66
```
67
67
68
-
After you set up dedicated data endpoints for your registry, your client firewall access rules for the endpoints are enabled.
68
+
After you set up dedicated data endpoints for your registry, you can enable client firewall access rules for the data endpoints. Enable data endpoint access rules for all required registry regions.
69
69
70
70
## Allow access by IP address range
71
71
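Review bot: in the rewritten "Storage (data) endpoint" bullet, "Alternatively, and less specifically" understates the security difference between the two options: `*.blob.core.windows.net` permits outbound access to every Azure blob storage account, not just the one backing the registry, which is exactly the exfiltration path the dedicated data endpoint is meant to close (the page links to that rationale in its last hunk). Suggest "Alternatively, and less restrictively, allow access to all Azure blob storage accounts using the wildcard `*.blob.core.windows.net`; this also permits egress to storage accounts that have nothing to do with your registry." Two smaller points in the same hunk: "For demonstration purpose" should read "For demonstration purposes", and the closing sentence "you can enable client firewall access rules for the data endpoints" would be more useful if it told the reader to take the per-region endpoint host names from the `az acr update` output shown above when writing those rules, since the bullet only gives `myregistry.westeurope.azurecr.io` as a single example.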
@@ -161,6 +161,8 @@ If you need to access Microsoft Container Registry (MCR) from behind a firewall,
161
161
162
162
* Learn more about [security groups](/azure/virtual-network/security-overview) in an Azure virtual network
163
163
164
+
* Learn more about [dedicated data endpoints](https://azure.microsoft.com/blog/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints/) for Azure Container Registry
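Review bot: the added bullet links to an azure.microsoft.com blog post, while the sibling bullet in this hunk and the rest of the "Next steps" list link to docs paths; that is fine for a "learn more" item, but make the link text say it is a blog post (for example "Read the blog post on [dedicated data endpoints](...) for Azure Container Registry") so readers know it is background on the (preview) feature and not reference documentation that will track changes to the section above.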