Microsoft.ContainerRegistry registries 2020-11-01-preview

Bicep resource definition

The registries resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ContainerRegistry/registries resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.ContainerRegistry/registries@2020-11-01-preview' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  sku: {
    name: 'string'
  }
  identity: {
    principalId: 'string'
    tenantId: 'string'
    type: 'string'
    userAssignedIdentities: {}
  }
  properties: {
    adminUserEnabled: bool
    anonymousPullEnabled: bool
    dataEndpointEnabled: bool
    encryption: {
      keyVaultProperties: {
        identity: 'string'
        keyIdentifier: 'string'
      }
      status: 'string'
    }
    networkRuleBypassOptions: 'string'
    networkRuleSet: {
      defaultAction: 'string'
      ipRules: [
        {
          action: 'Allow'
          value: 'string'
        }
      ]
      virtualNetworkRules: [
        {
          action: 'Allow'
          id: 'string'
        }
      ]
    }
    policies: {
      quarantinePolicy: {
        status: 'string'
      }
      retentionPolicy: {
        days: int
        status: 'string'
      }
      trustPolicy: {
        status: 'string'
        type: 'Notary'
      }
    }
    publicNetworkAccess: 'string'
    zoneRedundancy: 'string'
  }
}

Property values

registries

Name Description Value
name The resource name string (required)

Character limit: 5-50

Valid characters:
Alphanumerics.

Resource name must be unique across Azure.
location The location of the resource. This cannot be changed after the resource is created. string (required)
tags The tags of the resource. Dictionary of tag names and values. See Tags in templates
sku The SKU of the container registry. Sku (required)
identity The identity of the container registry. IdentityProperties
properties The properties of the container registry. RegistryProperties

IdentityProperties

Name Description Value
principalId The principal ID of resource identity. string
tenantId The tenant ID of resource. string
type The identity type. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned'
userAssignedIdentities The list of user identities associated with the resource. The user identity
dictionary key references will be ARM resource ids in the form:
'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/
providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
object

RegistryProperties

Name Description Value
adminUserEnabled The value that indicates whether the admin user is enabled. bool
anonymousPullEnabled Enables registry-wide pull from unauthenticated clients. bool
dataEndpointEnabled Enable a single data endpoint per region for serving data. bool
encryption The encryption settings of container registry. EncryptionProperty
networkRuleBypassOptions Whether to allow trusted Azure services to access a network restricted registry. 'AzureServices'
'None'
networkRuleSet The network rule set for a container registry. NetworkRuleSet
policies The policies for a container registry. Policies
publicNetworkAccess Whether or not public network access is allowed for the container registry. 'Disabled'
'Enabled'
zoneRedundancy Whether or not zone redundancy is enabled for this container registry 'Disabled'
'Enabled'

EncryptionProperty

Name Description Value
keyVaultProperties Key vault properties. KeyVaultProperties
status Indicates whether or not the encryption is enabled for container registry. 'disabled'
'enabled'

KeyVaultProperties

Name Description Value
identity The client id of the identity which will be used to access key vault. string
keyIdentifier Key vault uri to access the encryption key. string

NetworkRuleSet

Name Description Value
defaultAction The default action of allow or deny when no other rules match. 'Allow'
'Deny' (required)
ipRules The IP ACL rules. IPRule[]
virtualNetworkRules The virtual network rules. VirtualNetworkRule[]

IPRule

Name Description Value
action The action of IP ACL rule. 'Allow'
value Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. string (required)

VirtualNetworkRule

Name Description Value
action The action of virtual network rule. 'Allow'
id Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. string (required)

Policies

Name Description Value
quarantinePolicy The quarantine policy for a container registry. QuarantinePolicy
retentionPolicy The retention policy for a container registry. RetentionPolicy
trustPolicy The content trust policy for a container registry. TrustPolicy

QuarantinePolicy

Name Description Value
status The value that indicates whether the policy is enabled or not. 'disabled'
'enabled'

RetentionPolicy

Name Description Value
days The number of days to retain an untagged manifest after which it gets purged. int
status The value that indicates whether the policy is enabled or not. 'disabled'
'enabled'

TrustPolicy

Name Description Value
status The value that indicates whether the policy is enabled or not. 'disabled'
'enabled'
type The type of trust policy. 'Notary'

Sku

Name Description Value
name The SKU name of the container registry. Required for registry creation. 'Basic'
'Classic'
'Premium'
'Standard' (required)

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
CI/CD using Jenkins on Azure Container Service (AKS)

Deploy to Azure
Containers make it very easy for you to continuously build and deploy your applications. By orchestrating deployment of those containers using Kubernetes in Azure Container Service, you can achieve replicable, manageable clusters of containers. By setting up a continuous build to produce your container images and orchestration, you can increase the speed and reliability of your deployment.
AKS Cluster with a NAT Gateway and an Application Gateway

Deploy to Azure
This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
Create a Private AKS Cluster with a Public DNS Zone

Deploy to Azure
This sample shows how to a deploy a private AKS cluster with a Public DNS Zone.
Creates a Container App and Environment with Registry

Deploy to Azure
Create a Container App Environment with a basic Container App from an Azure Container Registry. It also deploys a Log Analytics Workspace to store logs.
Creates a Dapr pub-sub servicebus app using Container Apps

Deploy to Azure
Create a Dapr pub-sub servicebus app using Container Apps.
Simple Azure Container Registry Template

Deploy to Azure
A template for creating a new Azure Container Registry.
Azure Container Registry with Geo-replication Template

Deploy to Azure
A template for creating a new Azure Container Registry with geo-replication
Azure Container Registry with Policies and Diagnostics

Deploy to Azure
Azure Container Registry with Policies and Diagnostics (bicep)
Azure AI Studio basic setup

Deploy to Azure
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure AI Studio basic setup

Deploy to Azure
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure AI Studio with Microsoft Entra ID Authentication

Deploy to Azure
This set of templates demonstrates how to set up Azure AI Studio with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage.
Azure Machine Learning end-to-end secure setup

Deploy to Azure
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Azure Machine Learning end-to-end secure setup (legacy)

Deploy to Azure
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Create an AKS compute target with a Private IP address

Deploy to Azure
This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address.
Create an Azure Machine Learning service workspace

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the minimal set of resources you require to get started with Azure Machine Learning.
Create an Azure Machine Learning service workspace (CMK)

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. The example shows how to configure Azure Machine Learning for encryption with a customer-managed encryption key.
Create an Azure Machine Learning service workspace (CMK)

Deploy to Azure
This deployment template specifies how to create an Azure Machine Learning workspace with service-side encryption using your encryption keys.
Create an Azure Machine Learning service workspace (vnet)

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up.
Create an Azure Machine Learning service workspace (legacy)

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up.
AKS cluster with the Application Gateway Ingress Controller

Deploy to Azure
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Build container images with ACR Tasks

Deploy to Azure
This template uses DeploymentScript to orchestrate ACR to build your container image from code repo.
Import Container Images into ACR

Deploy to Azure
This template leverages the Import ACR module from the bicep registry to import public container images into an Azure Container Registry.

ARM template resource definition

The registries resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ContainerRegistry/registries resource, add the following JSON to your template.

{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2020-11-01-preview",
  "name": "string",
  "location": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "sku": {
    "name": "string"
  },
  "identity": {
    "principalId": "string",
    "tenantId": "string",
    "type": "string",
    "userAssignedIdentities": {}
  },
  "properties": {
    "adminUserEnabled": "bool",
    "anonymousPullEnabled": "bool",
    "dataEndpointEnabled": "bool",
    "encryption": {
      "keyVaultProperties": {
        "identity": "string",
        "keyIdentifier": "string"
      },
      "status": "string"
    },
    "networkRuleBypassOptions": "string",
    "networkRuleSet": {
      "defaultAction": "string",
      "ipRules": [
        {
          "action": "Allow",
          "value": "string"
        }
      ],
      "virtualNetworkRules": [
        {
          "action": "Allow",
          "id": "string"
        }
      ]
    },
    "policies": {
      "quarantinePolicy": {
        "status": "string"
      },
      "retentionPolicy": {
        "days": "int",
        "status": "string"
      },
      "trustPolicy": {
        "status": "string",
        "type": "Notary"
      }
    },
    "publicNetworkAccess": "string",
    "zoneRedundancy": "string"
  }
}

Property values

registries

Name Description Value
type The resource type 'Microsoft.ContainerRegistry/registries'
apiVersion The resource api version '2020-11-01-preview'
name The resource name string (required)

Character limit: 5-50

Valid characters:
Alphanumerics.

Resource name must be unique across Azure.
location The location of the resource. This cannot be changed after the resource is created. string (required)
tags The tags of the resource. Dictionary of tag names and values. See Tags in templates
sku The SKU of the container registry. Sku (required)
identity The identity of the container registry. IdentityProperties
properties The properties of the container registry. RegistryProperties

IdentityProperties

Name Description Value
principalId The principal ID of resource identity. string
tenantId The tenant ID of resource. string
type The identity type. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned'
userAssignedIdentities The list of user identities associated with the resource. The user identity
dictionary key references will be ARM resource ids in the form:
'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/
providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
object

RegistryProperties

Name Description Value
adminUserEnabled The value that indicates whether the admin user is enabled. bool
anonymousPullEnabled Enables registry-wide pull from unauthenticated clients. bool
dataEndpointEnabled Enable a single data endpoint per region for serving data. bool
encryption The encryption settings of container registry. EncryptionProperty
networkRuleBypassOptions Whether to allow trusted Azure services to access a network restricted registry. 'AzureServices'
'None'
networkRuleSet The network rule set for a container registry. NetworkRuleSet
policies The policies for a container registry. Policies
publicNetworkAccess Whether or not public network access is allowed for the container registry. 'Disabled'
'Enabled'
zoneRedundancy Whether or not zone redundancy is enabled for this container registry 'Disabled'
'Enabled'

EncryptionProperty

Name Description Value
keyVaultProperties Key vault properties. KeyVaultProperties
status Indicates whether or not the encryption is enabled for container registry. 'disabled'
'enabled'

KeyVaultProperties

Name Description Value
identity The client id of the identity which will be used to access key vault. string
keyIdentifier Key vault uri to access the encryption key. string

NetworkRuleSet

Name Description Value
defaultAction The default action of allow or deny when no other rules match. 'Allow'
'Deny' (required)
ipRules The IP ACL rules. IPRule[]
virtualNetworkRules The virtual network rules. VirtualNetworkRule[]

IPRule

Name Description Value
action The action of IP ACL rule. 'Allow'
value Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. string (required)

VirtualNetworkRule

Name Description Value
action The action of virtual network rule. 'Allow'
id Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. string (required)

Policies

Name Description Value
quarantinePolicy The quarantine policy for a container registry. QuarantinePolicy
retentionPolicy The retention policy for a container registry. RetentionPolicy
trustPolicy The content trust policy for a container registry. TrustPolicy

QuarantinePolicy

Name Description Value
status The value that indicates whether the policy is enabled or not. 'disabled'
'enabled'

RetentionPolicy

Name Description Value
days The number of days to retain an untagged manifest after which it gets purged. int
status The value that indicates whether the policy is enabled or not. 'disabled'
'enabled'

TrustPolicy

Name Description Value
status The value that indicates whether the policy is enabled or not. 'disabled'
'enabled'
type The type of trust policy. 'Notary'

Sku

Name Description Value
name The SKU name of the container registry. Required for registry creation. 'Basic'
'Classic'
'Premium'
'Standard' (required)

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
CI/CD using Jenkins on Azure Container Service (AKS)

Deploy to Azure
Containers make it very easy for you to continuously build and deploy your applications. By orchestrating deployment of those containers using Kubernetes in Azure Container Service, you can achieve replicable, manageable clusters of containers. By setting up a continuous build to produce your container images and orchestration, you can increase the speed and reliability of your deployment.
AKS Cluster with a NAT Gateway and an Application Gateway

Deploy to Azure
This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
Create a Private AKS Cluster with a Public DNS Zone

Deploy to Azure
This sample shows how to a deploy a private AKS cluster with a Public DNS Zone.
Creates a Container App and Environment with Registry

Deploy to Azure
Create a Container App Environment with a basic Container App from an Azure Container Registry. It also deploys a Log Analytics Workspace to store logs.
Creates a Dapr pub-sub servicebus app using Container Apps

Deploy to Azure
Create a Dapr pub-sub servicebus app using Container Apps.
Simple Azure Container Registry Template

Deploy to Azure
A template for creating a new Azure Container Registry.
Azure Container Registry with Geo-replication Template

Deploy to Azure
A template for creating a new Azure Container Registry with geo-replication
Azure Container Registry with Policies and Diagnostics

Deploy to Azure
Azure Container Registry with Policies and Diagnostics (bicep)
Azure AI Studio basic setup

Deploy to Azure
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure AI Studio basic setup

Deploy to Azure
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure AI Studio with Microsoft Entra ID Authentication

Deploy to Azure
This set of templates demonstrates how to set up Azure AI Studio with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage.
Azure Machine Learning end-to-end secure setup

Deploy to Azure
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Azure Machine Learning end-to-end secure setup (legacy)

Deploy to Azure
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Create an AKS compute target with a Private IP address

Deploy to Azure
This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address.
Create an Azure Machine Learning service workspace

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the minimal set of resources you require to get started with Azure Machine Learning.
Create an Azure Machine Learning service workspace (CMK)

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. The example shows how to configure Azure Machine Learning for encryption with a customer-managed encryption key.
Create an Azure Machine Learning service workspace (CMK)

Deploy to Azure
This deployment template specifies how to create an Azure Machine Learning workspace with service-side encryption using your encryption keys.
Create an Azure Machine Learning service workspace (vnet)

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up.
Create an Azure Machine Learning service workspace (legacy)

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up.
AKS cluster with the Application Gateway Ingress Controller

Deploy to Azure
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Build container images with ACR Tasks

Deploy to Azure
This template uses DeploymentScript to orchestrate ACR to build your container image from code repo.
Import Container Images into ACR

Deploy to Azure
This template leverages the Import ACR module from the bicep registry to import public container images into an Azure Container Registry.

Terraform (AzAPI provider) resource definition

The registries resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ContainerRegistry/registries resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.ContainerRegistry/registries@2020-11-01-preview"
  name = "string"
  location = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  identity {
    type = "string"
    identity_ids = []
  }
  body = jsonencode({
    properties = {
      adminUserEnabled = bool
      anonymousPullEnabled = bool
      dataEndpointEnabled = bool
      encryption = {
        keyVaultProperties = {
          identity = "string"
          keyIdentifier = "string"
        }
        status = "string"
      }
      networkRuleBypassOptions = "string"
      networkRuleSet = {
        defaultAction = "string"
        ipRules = [
          {
            action = "Allow"
            value = "string"
          }
        ]
        virtualNetworkRules = [
          {
            action = "Allow"
            id = "string"
          }
        ]
      }
      policies = {
        quarantinePolicy = {
          status = "string"
        }
        retentionPolicy = {
          days = int
          status = "string"
        }
        trustPolicy = {
          status = "string"
          type = "Notary"
        }
      }
      publicNetworkAccess = "string"
      zoneRedundancy = "string"
    }
    sku = {
      name = "string"
    }
  })
}

Property values

registries

Name Description Value
type The resource type "Microsoft.ContainerRegistry/registries@2020-11-01-preview"
name The resource name string (required)

Character limit: 5-50

Valid characters:
Alphanumerics.

Resource name must be unique across Azure.
location The location of the resource. This cannot be changed after the resource is created. string (required)
parent_id To deploy to a resource group, use the ID of that resource group. string (required)
tags The tags of the resource. Dictionary of tag names and values.
sku The SKU of the container registry. Sku (required)
identity The identity of the container registry. IdentityProperties
properties The properties of the container registry. RegistryProperties

IdentityProperties

Name Description Value
type The identity type. "SystemAssigned"
"SystemAssigned, UserAssigned"
"UserAssigned"
identity_ids The list of user identities associated with the resource. The user identity
dictionary key references will be ARM resource ids in the form:
'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/
providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
Array of user identity IDs.

RegistryProperties

Name Description Value
adminUserEnabled The value that indicates whether the admin user is enabled. bool
anonymousPullEnabled Enables registry-wide pull from unauthenticated clients. bool
dataEndpointEnabled Enable a single data endpoint per region for serving data. bool
encryption The encryption settings of container registry. EncryptionProperty
networkRuleBypassOptions Whether to allow trusted Azure services to access a network restricted registry. "AzureServices"
"None"
networkRuleSet The network rule set for a container registry. NetworkRuleSet
policies The policies for a container registry. Policies
publicNetworkAccess Whether or not public network access is allowed for the container registry. "Disabled"
"Enabled"
zoneRedundancy Whether or not zone redundancy is enabled for this container registry "Disabled"
"Enabled"

EncryptionProperty

Name Description Value
keyVaultProperties Key vault properties. KeyVaultProperties
status Indicates whether or not the encryption is enabled for container registry. "disabled"
"enabled"

KeyVaultProperties

Name Description Value
identity The client id of the identity which will be used to access key vault. string
keyIdentifier Key vault uri to access the encryption key. string

NetworkRuleSet

Name Description Value
defaultAction The default action of allow or deny when no other rules match. "Allow"
"Deny" (required)
ipRules The IP ACL rules. IPRule[]
virtualNetworkRules The virtual network rules. VirtualNetworkRule[]

IPRule

Name Description Value
action The action of IP ACL rule. "Allow"
value Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. string (required)

VirtualNetworkRule

Name Description Value
action The action of virtual network rule. "Allow"
id Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. string (required)

Policies

Name Description Value
quarantinePolicy The quarantine policy for a container registry. QuarantinePolicy
retentionPolicy The retention policy for a container registry. RetentionPolicy
trustPolicy The content trust policy for a container registry. TrustPolicy

QuarantinePolicy

Name Description Value
status The value that indicates whether the policy is enabled or not. "disabled"
"enabled"

RetentionPolicy

Name Description Value
days The number of days to retain an untagged manifest after which it gets purged. int
status The value that indicates whether the policy is enabled or not. "disabled"
"enabled"

TrustPolicy

Name Description Value
status The value that indicates whether the policy is enabled or not. "disabled"
"enabled"
type The type of trust policy. "Notary"

Sku

Name Description Value
name The SKU name of the container registry. Required for registry creation. "Basic"
"Classic"
"Premium"
"Standard" (required)