Thursday, October 21, 2021

This is a continuation of an article that describes operational considerations for hosting solutions on the Azure public cloud.

Best practices for Azure Container Registry include: network-close deployment, geo-replicated multi-region deployment, maximized pull performance, repository namespaces, a dedicated resource group, separate authentication paths for individuals and for headless pipeline identities, the right service tier, and management of registry size.

Create the registry in the same region as the hosts that pull from it: the short network path lowers latency and avoids cross-region egress charges. Where the region supports it, making the registry zone redundant (a Premium-tier option) further improves availability. Docker images are layered, which makes updates incremental, but a fresh node still has to pull every layer of the image, so a single deployment is many round trips to the registry and network RTT matters to the design.

Multi-region deployments should use geo-replication, which keeps a single registry with a replica in each region: one push fans out to every replica, management stays centralized, and each region pulls from a network-close replica. A regional webhook can be attached to a specific replica so that you are notified when a pushed image has actually landed in that region, rather than only when the push completed at the source.
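As an added illustration, not code from the original post, here is a minimal receiver for the push event that such a regional webhook delivers. The registry authenticates to your endpoint only through whatever custom headers you configure on the webhook, so this example assumes the webhook was created with a shared-secret header (the X-Webhook-Secret name, its value, and the registry name myregistry.azurecr.io are assumptions of this example). The payload field names (action, target.repository, target.tag, target.digest, request.host) follow the documented ACR webhook push event; the sample events below are constructed, not captured from a registry.

```python
import hmac
import json
from typing import Dict, Optional, Tuple

# Assumptions of this example: the webhook was created with a custom header,
#   az acr webhook create ... --headers "X-Webhook-Secret=<random value>"
# and the receiver holds the same value (in practice, loaded from a vault).
WEBHOOK_SECRET = "example-shared-secret-not-for-production"
EXPECTED_REGISTRY = "myregistry.azurecr.io"  # assumed registry name

# Constructed digest for the sample events (not a real image).
FAKE_DIGEST = "sha256:" + "0123456789abcdef" * 4

# Constructed sample of an ACR push event, following the documented field layout.
SAMPLE_PUSH_EVENT = json.dumps({
    "id": "8b1e4b9a-0000-0000-0000-000000000000",
    "timestamp": "2021-10-21T10:00:00Z",
    "action": "push",
    "target": {
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "repository": "team-a/api",
        "tag": "1.4.2",
        "digest": FAKE_DIGEST,
    },
    "request": {"host": EXPECTED_REGISTRY, "method": "PUT"},
}).encode()

# Constructed sample of a delete event, which a deploy hook should ignore.
SAMPLE_DELETE_EVENT = json.dumps({
    "action": "delete",
    "target": {"repository": "team-a/api", "digest": FAKE_DIGEST},
    "request": {"host": EXPECTED_REGISTRY, "method": "DELETE"},
}).encode()


def verify_secret(headers: Dict[str, str]) -> bool:
    """Constant-time check of the shared-secret header (header names are case-insensitive)."""
    presented = {k.lower(): v for k, v in headers.items()}.get("x-webhook-secret", "")
    return hmac.compare_digest(presented, WEBHOOK_SECRET)


def parse_push_event(body: bytes) -> Optional[Dict[str, Optional[str]]]:
    """Extract the fields a deploy hook needs; returns None for anything but a push."""
    event = json.loads(body)
    if event.get("action") != "push":
        return None
    target = event["target"]
    return {
        "registry": event["request"]["host"],
        "repository": target["repository"],
        "tag": target.get("tag"),
        "digest": target["digest"],
    }


def handle_webhook(headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """Return (HTTP status, message). On success the message is the digest-qualified image reference."""
    if not verify_secret(headers):
        return 401, "missing or invalid webhook secret"
    event = parse_push_event(body)
    if event is None:
        return 204, "ignored"
    if event["registry"] != EXPECTED_REGISTRY:
        return 400, f"unexpected registry {event['registry']!r}"
    # Hand downstream the digest, never the tag: the tag in the event can be moved later.
    return 200, f"{event['registry']}/{event['repository']}@{event['digest']}"


if __name__ == "__main__":
    print(handle_webhook({"X-Webhook-Secret": WEBHOOK_SECRET}, SAMPLE_PUSH_EVENT))
    print(handle_webhook({}, SAMPLE_PUSH_EVENT))
```

The handler passes on the digest-qualified reference rather than the tag so that the downstream deploy pulls exactly the manifest that was pushed. With geo-replication, create one such webhook per replica (the --location option of az acr webhook create) so that the deploy in each region fires only once the image is available there.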

Pull performance improves when images are smaller and have fewer layers. Shrink images by removing unneeded content, by using multi-stage Docker builds so that build tooling never reaches the final image, and by choosing slim base images such as the Alpine variants. Keep the number of layers to roughly 5-10 by combining related build steps. Every package that does not make it into the image is also one less component to patch.

Repository namespaces let several groups within the organization share a single registry, each pushing under its own prefix. Nested namespaces are supported for group isolation, but the registry manages every repository independently rather than as a hierarchy, so a flat list of repositories is preferred.

A resource group ties the lifetimes of its resources together, so a registry should reside in its own resource group, separate from the short-lived workloads that consume it. Azure Container Instances, on the other hand, can be created and deleted as often as needed without affecting the registry.

When a person uses the registry, the preferred way to authenticate is “az acr login”, which uses the caller's Azure AD identity and a short-lived token rather than a stored password. A build or deployment pipeline authenticates headlessly with a service principal (or a managed identity where the pipeline runs on Azure), granted only the role it needs: AcrPull for a deployment that only pulls, AcrPush for a build that pushes. Feed the credential to “docker login” on standard input (--password-stdin) rather than on the command line, so it does not land in shell history or process listings.

The registry's service tier should match the scenario: Standard suits most production applications, while Premium adds higher throughput and storage and is required for geo-replication.

An Azure Function can create a Container Instance only for the time it is needed and delete it afterwards, or query a container instance's state and messages.

Some like to pull the ‘latest’ tag, but a specific version tag eliminates uncertainty about what was deployed and keeps you on a tried and tested build. Tags are mutable, so for deployments go one step further and pin the image digest (the @sha256: form), which identifies exactly one manifest.
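To make the point concrete, here is an added example (not from the original post) of a pre-deployment check that parses each image reference in a deployment manifest and reports references that are not pinned to a digest, that use the ‘latest’ tag or no tag at all, or that come from a registry outside an approved set. The manifest, the registry name myregistry.azurecr.io and the digest are constructed for the example; the parsing follows the Docker reference grammar ([registry/]repository[:tag][@digest]), in which a colon counts as a tag separator only after the last slash.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set


class ImageRef(NamedTuple):
    registry: Optional[str]   # None means the implicit default registry (Docker Hub)
    repository: str
    tag: Optional[str]
    digest: Optional[str]


_DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
# Matches "image: <ref>" lines, with or without a leading "- " and quotes.
_IMAGE_LINE_RE = re.compile(r"^\s*(?:-\s*)?image:\s*[\"']?([^\"'\s]+)", re.MULTILINE)

# Constructed digest for the sample manifest (not a real image).
CONSTRUCTED_DIGEST = "sha256:" + "0123456789abcdef" * 4

# Constructed Kubernetes-style manifest with one bad, one good and one foreign image.
SAMPLE_MANIFEST = f"""\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: api
          image: myregistry.azurecr.io/team-a/api:latest
        - name: worker
          image: myregistry.azurecr.io/team-a/worker:1.4.2@{CONSTRUCTED_DIGEST}
        - name: sidecar
          image: nginx:1.25
"""


def parse_image_ref(ref: str) -> ImageRef:
    """Split [registry/]repository[:tag][@digest] as the Docker reference grammar does."""
    name, _, digest = ref.partition("@")
    # A ':' is the tag separator only after the last '/'; before it, it is a registry port.
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    tag = None
    if colon > last_slash:
        name, tag = name[:colon], name[colon + 1:]
    # The first path component is a registry host only if it looks like one.
    registry = None
    first, sep, rest = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, name = first, rest
    return ImageRef(registry, name, tag, digest or None)


def check_pinning(ref: str, approved_registries: Set[str]) -> List[str]:
    """Return the policy findings for one image reference (an empty list means it passes)."""
    img = parse_image_ref(ref)
    findings = []
    if img.registry not in approved_registries:
        findings.append(f"registry {img.registry!r} is not an approved registry")
    if img.digest is None:
        findings.append("not pinned to a digest; tags are mutable")
    elif not _DIGEST_RE.fullmatch(img.digest):
        findings.append(f"malformed digest {img.digest!r}")
    if img.tag is None or img.tag == "latest":
        findings.append("tag is missing or 'latest'; use an explicit version tag")
    return findings


def scan_manifest(manifest: str, approved_registries: Set[str]) -> Dict[str, List[str]]:
    """Run check_pinning over every image: line in a manifest, keyed by the reference."""
    return {m.group(1): check_pinning(m.group(1), approved_registries)
            for m in _IMAGE_LINE_RE.finditer(manifest)}


if __name__ == "__main__":
    for image, findings in scan_manifest(SAMPLE_MANIFEST, {"myregistry.azurecr.io"}).items():
        print(image, "OK" if not findings else findings)
```

Run as a gate in the deployment pipeline, a non-empty findings list for any image fails the build; the digest check is the hard requirement, and the tag check catches the mutable ‘latest’ reference the paragraph warns about even where someone has also supplied a digest.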
