We recently released a preview of new Azure Container Registry SKUs, along with an overview on Channel 9 Video with Seth Juarez.
One question that's come up; what are the differences in the SKUs.
In March we released General Availability for the standard registry features including:
- Authentication with a single Admin Account
- Authenticate with a Service Principal for service to service authentication; such as your Kubernetes cluster or Build System
- CLI Commands including Docker Login, Push, Pull
This enabled the most common scenarios, and provided a GA product as we heard customers needed a private registry, network-close to their deployments that wasn't in preview.
The March GA release placed the storage of the registry in the customers subscription. This was an Azure implementation of the Open Source Docker Registry. Since March, we've seen a number of customers experiencing problems as they accidentally delete the storage account backing their registry. Or they dig into the storage account attempting deleted images and/or tags; which in many cases have caused corruption and support calls.
Pricing was deferred to Azure Storage and associated networking fees. From an SLA perspective, ACR had no means to provide an SLA for the registry service itself as an SLA provides financial recourse for outages.
Addition of the Basic, Standard and Premium SKUs
Customers have been asking for features such as deletes, web hooks, easier login model as Service Principals can be difficult to create and maintain and global scale capabilities. As we considered the additional features in our backlog, we found many would benefit from managing the storage of the registry on behalf of the customer.
As we looked at additional features like deletes, Webhooks, multi-arch manifest management and a few other features coming, having tighter integration with the storage of the images became core to our efforts. We have additional features like caching the common images from DockerHub across all registries within a region. When you push your first image, you'll find the common layers will already exist. This minimizes the storage for each subscription, passing savings to you and improves the overall performance as there's just less to manage.
For Deletes., two repos in the same registry may share a common set of layers. Attempting to delete one repo requires ref counting to know when to delete the common layers. This indexing is something we've added on top of the OSS docker registry and takes advantage of the internal storage.
To provide these capabilities, the new SKUs manage the storage of the images behind each container registry. ACR stores them with Storage Service Encryption enabled, so all images are safely secured at rest as well as in-transit. Only the common DockerHub layers will be shared across registries (in the near future), so their's not potential for leaking layer information across customers. We do take the security of our customers image layers a top priority.
Intended as the developers sandbox, basic has all the features a developer would need to interact with, including Individual Identity, Webhooks and Deletes. As we provide multi-arch manifest editing, layer caching, etc, the developer will be able to design their solution against these features. Basic is limited on the amount of usage and scale.
Intended for the most common deployments with several hosts pulling images, continuous build and integration solutions pushing images. Here you'll see larger throttle and storage limits and geo-redundant storage assuring your production data is backed up across two regions.
Intended for the larger, more complex deployment. Premium includes higher throttle limits, but will also include more complex features for managing registries across the globe. More will be coming here as we complete the next round of feature work, so stay tuned. As of this post, Premium is differentiated with higher throttle limits and storage.
|Azure AD Individual Access Control||N/A||Yes||Yes||Yes|
|Available Storage (GB)||See Azure Storage||10||100||500|
|Encryption at Rest & In Transit||See Azure Storage||Yes||Yes||Yes|
|Geo Redundant Storage||See Azure Storage||N/A||Yes||Yes|
|Global Scale Features*||N/A||N/A||N/A||Yes|
|Price / Month||See Azure Storage||$5||$20||$50|
During the Preview Period, Basic, Standard and Premium are discounted 50%. The pricing page reflects the discounted rate.
Tell us what you think
I'll of course monitor here for your comments, but you can also find us at:
Questions/Comments: Stack Overflow with the ACR tag stackoverflow.com/questions/tagged/azure-container-registry
Bugs/Issues: GitHub: github.com/azure/acr/issues
Steve and the Azure Container Registry team