This is a continuation of an article that describes operational considerations for hosting solutions on Azure public cloud.
Some of the best practices for Azure Container Registry include network-close deployment, geo-replicated multi-region deployments, maximized pull performance, repository namespaces, a dedicated resource group, individual and headless authentication and authorization, and management of registry size.
When the registry is created in the same region where the containers are deployed, the network proximity of the registry to the host lowers both latency and cost. Availability improves further when zone redundancy is enabled for the registry in that region. Docker images are built from layers, which facilitates incremental deployments, but a new node must still pull every layer defined in the Dockerfile. Since there are many fetches, the network round-trip time matters to the design.
Multi-region deployments can leverage geo-replication, which simplifies registry management and minimizes latency. A geo-replicated registry can also be configured with regional webhooks, which notify us of events, such as image pushes, in specific replicas.
Pull performance is maximized by reducing the image size and the number of layers. Image size is reduced by removing unnecessary layers and by using multi-stage Docker builds; base images are smaller when an alpine variant is used. The number of layers should ideally be between 5 and 10.
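As an added example, not code from the original post, the script below writes a multi-stage Dockerfile for a constructed Go service (toolchain in the build stage, alpine plus the binary in the runtime stage) and includes a small lint that counts the layer-producing instructions in the final stage against the 5-10 guidance above. The image tags, paths and service name are assumptions for illustration; the count covers only the Dockerfile's own RUN/COPY/ADD lines, not the layers inside the base image.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Writes a multi-stage Dockerfile
# for a constructed Go service: the build stage carries the toolchain and is
# discarded, the runtime stage is alpine with only the binary, so a new node
# pulls few, small layers.
set -euo pipefail

write_example_dockerfile() {
  cat > "$1" <<'EOF'
# build stage: full toolchain, thrown away once the binary exists
FROM golang:1.22-alpine AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app

# runtime stage: alpine base plus the binary. Package install and user
# creation share one RUN so they produce one layer instead of two.
FROM alpine:3.20
RUN apk add --no-cache ca-certificates && adduser -D -u 10001 app
COPY --from=build /out/app /usr/local/bin/app
USER app
ENTRYPOINT ["/usr/local/bin/app"]
EOF
}

# Count RUN/COPY/ADD instructions after the last FROM, i.e. the layers this
# Dockerfile adds on top of the final stage's base image. USER, ENTRYPOINT
# and similar metadata instructions do not create layers and are ignored.
count_final_stage_layers() {
  awk '
    toupper($1) == "FROM" { n = 0; next }          # new stage: restart the count
    toupper($1) ~ /^(RUN|COPY|ADD)$/ { n++ }
    END { print n + 0 }
  ' "$1"
}

# Report whether the final stage stays within the post's layer budget.
check_layer_budget() {
  local n
  n=$(count_final_stage_layers "$1")
  if [ "$n" -le 10 ]; then
    echo "ok: $n layer instructions in the final stage"
    return 0
  fi
  echo "too many layers in the final stage: $n" >&2
  return 1
}
```

Usage: `write_example_dockerfile ./Dockerfile && check_layer_budget ./Dockerfile` prints `ok: 2 layer instructions in the final stage`; run the lint against your own Dockerfiles in CI to catch images whose final stage has grown past the budget.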
Repository namespaces allow a single registry to be shared by multiple groups within your organization. Nested namespaces support group isolation, but a flat list of repositories is preferred.
Resource groups tie resource lifetimes together. A registry should reside in its own resource group; Azure Container Instances, on the other hand, can be created and deleted as necessary.
When an individual uses the registry, the preferred way to authenticate is “az acr login”. When a build and deployment pipeline authenticates, it can use a service principal.
The registry tier, and the storage it provides, must align with the typical scenario: Standard for most production applications and Premium for improved performance and geo-replication.
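Bringing the registry practices above together (same-region, zone-redundant Premium registry in its own resource group, a geo-replica with a regional webhook, and the two authentication paths), here is an added example script that is not part of the original post. Registry and resource group names, regions and the webhook URL are constructed placeholders. It defaults to a dry run that only prints the `az` and `docker` commands; set `DRY_RUN=0` to execute them against a subscription you are signed in to.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Names, regions and the webhook
# URL are constructed placeholders. DRY_RUN=1 (default) prints each command;
# DRY_RUN=0 runs it.
set -euo pipefail

DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Registry in the same region as the workload, in its own resource group.
# Premium is required for geo-replication; zone redundancy improves availability.
create_registry() {
  local name="$1" rg="$2" region="$3"
  run az group create --name "$rg" --location "$region"
  run az acr create --name "$name" --resource-group "$rg" --location "$region" \
      --sku Premium --zone-redundancy Enabled
}

# Geo-replica for a second deployment region, with a regional webhook that
# fires on pushes to that replica only.
add_replica_with_webhook() {
  local name="$1" region="$2" hook_uri="$3"
  run az acr replication create --registry "$name" --location "$region" \
      --zone-redundancy Enabled
  run az acr webhook create --registry "$name" --name "push${region}" \
      --location "$region" --actions push --uri "$hook_uri"
}

# Individual use: token derived from the signed-in az session.
login_individual() {
  run az acr login --name "$1"
}

# Headless pipeline: service principal, granted the AcrPull role on the
# registry (AcrPush only for jobs that publish). The secret comes from the
# CI secret store on stdin, never from the command line.
login_pipeline() {
  local registry="$1" sp_app_id="$2"
  run docker login "${registry}.azurecr.io" --username "$sp_app_id" --password-stdin
}

provision_example() {
  create_registry demoacr demo-rg eastus
  add_replica_with_webhook demoacr westeurope "https://hooks.example.invalid/acr"
  login_individual demoacr
  # In a pipeline: printf '%s' "$SP_SECRET" | login_pipeline demoacr "$SP_APP_ID"
}

provision_example
```

Running the script as-is prints the five commands in order so they can be reviewed before anything is created; the functions are also usable individually from a pipeline step once the script is sourced.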
An Azure Function can create and delete the Container Instance when it is needed, or retrieve the state or messages from a container instance.
Some like to pull images with the ‘latest’ tag, but using a specific version eliminates uncertainty and falls back on tried and tested deployments.