Container registries should not allow unrestricted network access

HIGH

Ensures Azure Container Registries restrict network access through firewall rules or virtual network integration.

What does this mean?

By default, Azure Container Registry accepts connections from any network. This recommendation ensures network access is restricted through firewall rules, service endpoints, or private endpoints.

Benefits of implementation

Reduces the attack surface of the container registry
Prevents unauthorized image pulls from unknown networks
Supports network segmentation strategy

Drawbacks and considerations

Requires network rule configuration and maintenance
CI/CD pipelines need explicit network access
May complicate multi-region or hybrid deployments

Implementation

Implementation guidance coming soon.

Related recommendations will be linked here.

Frameworks

BIO MCSB Defender for Cloud Recommendations

Details

Risk Level: HIGH
Category: Container Security
Azure Resource
Frameworks: 3 frameworks
Last updated: 2026-02-12