Container registries should use private link

HIGH

Ensures Azure Container Registries are accessible only through private endpoints, not over the public internet.

What does this mean?

This recommendation ensures that Azure Container Registry is configured with Azure Private Link, restricting access to the registry through private endpoints within your virtual network rather than over the public internet.
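An added example, not part of this recommendation page or of any Microsoft tooling: a small Python check that evaluates a registry's ARM resource JSON (the shape returned by `az acr show`) for private-link-only access. It assumes the `Microsoft.ContainerRegistry/registries` properties `publicNetworkAccess`, `privateEndpointConnections[].properties.privateLinkServiceConnectionState.status` and `networkRuleBypassOptions`; the two sample registries are constructed so the check runs offline.

```python
"""Check Azure Container Registry resources for private-link-only access."""


def evaluate_registry(resource: dict) -> dict:
    """Return {'name', 'compliant', 'findings', 'caveats'} for one registry."""
    props = resource.get("properties", {})
    findings, caveats = [], []

    # 1. Public network access must be Disabled (the service default is Enabled).
    if props.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled")

    # 2. At least one private endpoint connection must be in Approved state;
    #    Pending or Rejected connections do not provide a usable private path.
    approved = [
        c for c in props.get("privateEndpointConnections", [])
        if c.get("properties", {})
            .get("privateLinkServiceConnectionState", {})
            .get("status") == "Approved"
    ]
    if not approved:
        findings.append("no approved private endpoint connection")

    # 3. The trusted-services bypass (default AzureServices) lets selected
    #    Azure services reach the registry outside the private endpoint;
    #    report it as a caveat for review rather than a hard failure.
    if props.get("networkRuleBypassOptions", "AzureServices") == "AzureServices":
        caveats.append("networkRuleBypassOptions=AzureServices allows trusted-service bypass")

    return {"name": resource.get("name"), "compliant": not findings,
            "findings": findings, "caveats": caveats}


# Constructed sample resources (not real registries).
SAMPLE_REGISTRIES = [
    {"name": "acrprivate", "properties": {
        "publicNetworkAccess": "Disabled",
        "networkRuleBypassOptions": "None",
        "privateEndpointConnections": [{"properties": {
            "privateLinkServiceConnectionState": {"status": "Approved"}}}]}},
    {"name": "acrpublic", "properties": {
        "publicNetworkAccess": "Enabled",
        "privateEndpointConnections": [{"properties": {
            "privateLinkServiceConnectionState": {"status": "Pending"}}}]}},
]

if __name__ == "__main__":
    for reg in SAMPLE_REGISTRIES:
        print(evaluate_registry(reg))
```

Feeding it the output of `az acr show --name <registry>` for each registry gives a per-registry verdict; only Approved connections count, so a pending connection still fails.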

Benefits of implementation

  • Eliminates exposure of the registry to the public internet
  • Reduces the attack surface for container image supply chain attacks
  • Network traffic stays within the Azure backbone

Drawbacks and considerations

  • Requires Private Link/Private Endpoint configuration
  • Additional costs for private endpoints
  • More complex network setup for CI/CD pipelines pulling images

Implementation

Implementation guidance coming soon.

Related recommendations will be linked here.

Frameworks

Details
Risk Level: HIGH
Category: Container Security
Azure Resource:
Frameworks: 5 frameworks
Last updated: 2026-02-12