Last month, Azure Container Registry went to public preview. Finally, you can start uploading your container images to Azure! This fills an important gap in the containerized application lifecycle in the Azure ecosystem. It is also the first production service I participated in building and delivering at Microsoft.

I’d like to show how easy it is to get started with Azure Container Registry in the CLI and how smoothly it integrates with the Azure ecosystem. If you lose your way at any point, please refer to the documentation.


You might be wondering: how did Azure customers store their Docker images until now without a managed registry service?

Azure was one of the first storage drivers officially supported in the open-source docker-registry. I worked on this around late 2014. Until now, most of our customers were locally hosting their own private registries backed by Azure Blob Storage. It was a fine solution for a while; however, it became another service for all our customers to manage and keep up. Therefore, we started developing ACR.

Creating your first registry

Assuming you have the newest Azure CLI, you just create a resource group and create your registry in there. BAM!

$ az resource group create -n awesome-project -l westus

$ az acr create -g awesome-project -n registry -l westus

{
  "type": "Microsoft.ContainerRegistry/registries",
  "loginServer": "",
  "name": "registry",
  "location": "westus",
  "storageAccount": {
    "name": "registry095549"
  },
  "id": "/subscriptions/<...>/resourcegroups/awesome-project/providers/Microsoft.ContainerRegistry/registries/registry"
}

Apparently, it created a storage account for me automatically. This means the data is being transparently stored and I have full control over it.

Pay attention to the loginServer, that’s your registry host! I just claimed here.

Adding a service account

In Azure, we use Service Principal Accounts to access Azure APIs and other resources. These are backed by Azure Active Directory. This means you can audit and revoke these users at any time.

When you run az acr create above, it actually tells you to run this command to create a Service Principal user with access to your container registry:

$ az ad sp create-for-rbac --role Owner --password <your-password-here> \
    --scopes /subscriptions/27b750cd-0000-0000-0000-000000000000/resourcegroups/awesome-project/providers/Microsoft.ContainerRegistry/registries/registry

{
  "appId": "ca883614-0000-0000-0000-000000000000",
  "password": "<password>"
}

Copy that appId and password! Those will be your docker login credentials.

  • If you would like to create a read-only user (can pull images but not push), you can use the --role Reader option.
  • If you want credentials to last longer than a year, you can use the --years option.

Let’s log in

$ docker login <login-server> -u <app-id> -p <password>

Login Succeeded

So easy! You can now use these credentials in your cluster orchestrator or continuous integration system and start pushing images.

  • For Apache Mesos Marathon, read here.
  • For Kubernetes read here.
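
The steps above, combined for a CI job that only needs to pull images (an added example, not part of the original post): it creates a Reader service principal scoped to a single registry and feeds the password to docker login on stdin instead of with -p. The function names and arguments are hypothetical, and the script assumes that the CLI generates a password when --password is omitted and that the Docker client supports --password-stdin.

```shell
#!/bin/sh
# Added example: pull-only registry login for a CI job.
# Assumptions: `az` and `docker` are installed and `az` is already logged in.

# Build the registry's resource ID in the form shown in the `az acr create` output.
registry_scope() {
    printf '/subscriptions/%s/resourcegroups/%s/providers/Microsoft.ContainerRegistry/registries/%s\n' \
        "$1" "$2" "$3"
}

# Print the string value of a key from flat JSON on stdin (first match only).
# Good enough for the small create-for-rbac output; not a general JSON parser.
json_field() {
    sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Create a Reader (pull-only) service principal scoped to one registry, then log in.
# Usage: pull_only_login <subscription-id> <resource-group> <registry-name> <login-server>
pull_only_login() {
    scope=$(registry_scope "$1" "$2" "$3")
    # Assumption: with no --password, the CLI generates one and returns it as "password".
    sp_json=$(az ad sp create-for-rbac --role Reader --scopes "$scope") || return 1
    app_id=$(printf '%s\n' "$sp_json" | json_field appId)
    secret=$(printf '%s\n' "$sp_json" | json_field password)
    if [ -z "$app_id" ] || [ -z "$secret" ]; then
        echo "could not read appId/password from az output" >&2
        return 1
    fi
    # Reading the password from stdin keeps it out of the process list and shell history.
    printf '%s' "$secret" | docker login "$4" -u "$app_id" --password-stdin
}
```

Call pull_only_login with your own subscription ID, resource group, registry name, and the loginServer value from the az acr create output.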

Azure Container Registry itself is currently a free service. You are only charged for underlying storage and transfer costs of your images. But if your VM instances and the registry are both in Azure datacenters, then you don’t pay for the transfer; just the storage. Sweet!

This is just the beginning

A reliable and managed image delivery infrastructure is essential for running containerized applications on the cloud. Azure Container Registry is currently in preview, yet it already completes an important piece of the puzzle.

Expect to see a ton more smooth integrations with Azure Container Service, Azure App Service, Azure Batch and other Microsoft products such as Visual Studio Team Services (VSTS).

ACR already has third-party integrations, such as image vulnerability scanning with Twistlock and Aqua.

If you run into any issues or if you would like to give feedback, open an issue on GitHub.