Best Practices for using Azure Container Registry and Docker Hub

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.


Many developers rely on Docker Hub to consume public content such as container images, Helm charts, and other artifacts, often without authenticating. However, when you have dependencies on public content you can introduce security and reliability risks into your environment. In this blog, we will describe the best practices for mitigating risks when using public content from Docker Hub and other public registries.


Import public content locally whenever possible

Importing public content to an internal registry is the first step in a set of best practices for your software supply chain . Doing so raises the availability and reliability of your public content pipeline. If you pull public content without using credentials from any public registry, including Docker Hub, you may be limited in how often you can pull. Importing public content also helps protect you from production outages by providing local backup copies. Importing public content enables you to create a local registry of public content to validate, sign, and deploy your own trusted images more securely and reliably. For more details, see Consuming Public Content by The Open Container Initiative.


Configure Artifact Cache to consume public content

The best practice for consuming public content is to combine registry authentication and the Azure Container Registry (ACR) Artifact Cache feature. You can use Artifact Cache to cache your container artifacts into your Azure Container Registry -- even in private networks. Using Artifact Cache not only protects you from registry rate limits, but dramatically increases pull reliability when combined with Geo-replicated ACR to pull artifacts from whichever region is closest to your Azure resource. In addition, you can also use all the security features ACR has to offer, including private networks, firewall configuration, Service Principals, and more. For complete information on using public content with ACR Artifact Cache, check out the Artifact Cache technical documentation.





Authenticate Pulls with Public Registries like Docker Hub

We recommend authenticating to public registries like . Docker Hub offers free and paid subscriptions to enable developers to authenticate when building with public library content. Authenticated users also have access to pull content directly from private repositories. For more information, please visit Docker Subscriptions. Artifact Cache supports authenticating with public registries.


Learn more about Container Security

Implementing the recommended best practices can help improve the security posture of your container workloads. You can learn more about how to secure your container workloads during their various stages of development here on Microsoft Learn.

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.