Configure public IP network rules

By default, an Azure container registry accepts connections over the internet from hosts on any network. This article shows how to configure your container registry to allow access only from specific public IP addresses or address ranges. Equivalent steps using the Azure CLI and the Azure portal are provided.

IP network rules are configured on the public registry endpoint. They do not apply to private endpoints configured with Private Link.

IP access rules are available in the Premium container registry service tier. For information about registry service tiers and limits, see Azure Container Registry tiers.

Note

Azure Security Center can't currently perform image vulnerability scanning in a registry that restricts access to private endpoints, selected subnets, or IP addresses.

Access from selected public network - CLI

Change default network access to registry

To limit access to a selected public network, first change the default action to deny access. Substitute the name of your registry in the following az acr update command:

az acr update --name myContainerRegistry --default-action Deny

Add network rule to registry

Use the az acr network-rule add command to add a network rule to your registry that allows access from a public IP address or range. For example, substitute the container registry's name and the public IP address of a VM in a virtual network:

az acr network-rule add \
  --name mycontainerregistry \
  --ip-address <public-IP-address>

Note

After adding a rule, it takes a few minutes for the rule to take effect.

Access from selected public network - portal

  1. In the portal, navigate to your container registry.

  2. Under Settings, select Networking.

  3. On the Public access tab, select to allow public access from Selected networks.

  4. Under Firewall, enter a public IP address, such as the public IP address of a VM in a virtual network. Or, enter an address range in CIDR notation that contains the VM's IP address.

  5. Select Save.

    Configure firewall rules for a container registry

Note

After adding a rule, it takes a few minutes for the rule to take effect.

Tip

Optionally, enable registry access from a local client computer or IP address range. To allow this access, you need the computer's public IPv4 address, that is, the address the registry sees after any NAT or proxy on your egress path. You can find this address by searching "what is my IP address" in an internet browser. The current client IPv4 address also appears automatically when you configure firewall settings on the Networking page in the portal.

Disable public network access

Optionally, disable the public endpoint on the registry. Disabling the public endpoint overrides all firewall configurations. For example, you might want to disable public access to a registry secured in a virtual network using Private Link.

Disable public access - CLI

To disable public access using the Azure CLI, run az acr update and set --public-network-enabled to false. The public-network-enabled argument requires Azure CLI 2.6.0 or later.

az acr update --name myContainerRegistry --public-network-enabled false

Disable public access - portal

  1. In the portal, navigate to your container registry and select Settings > Networking.

  2. On the Public access tab, in Allow public network access, select Disabled. Then select Save.

    Disable public access

Restore public network access

To re-enable the public endpoint, update the networking settings to allow public access. Enabling the public endpoint overrides all firewall configurations, so re-check the IP rules and default action afterwards if you still need a restricted allow-list.

Restore public access - CLI

Run az acr update and set --public-network-enabled to true.

Note

The public-network-enabled argument requires Azure CLI 2.6.0 or later.

az acr update --name myContainerRegistry --public-network-enabled true

Restore public access - portal

  1. In the portal, navigate to your container registry and select Settings > Networking.
  2. On the Public access tab, in Allow public network access, select All networks. Then select Save.

    Public access from all networks

Troubleshoot

If a public network rule is set, or public access to the registry is denied, attempts to log in to the registry from a disallowed public network fail. Client access from behind an HTTPS proxy also fails if no access rule covers the proxy's public address, because the registry sees the proxy's address rather than the client's. You will see an error message similar to "Error response from daemon: login attempt failed with status: 403 Forbidden" or "Looks like you don't have access to registry".

These errors can also occur if you use an HTTPS proxy that is allowed by a network access rule, but the proxy isn't properly configured in the client environment. Check that both your Docker client and the Docker daemon are configured for proxy behavior; the daemon performs the login and pull, so a proxy set only in the client's shell environment is not enough. For details, see HTTP/HTTPS proxy in the Docker documentation.
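The following script is an added example; it is not code from this page or from the Azure CLI project. It packages the CLI procedure above (set the default action to Deny, then add one allow rule per address) behind input validation, and adds a check for the troubleshooting case just described: whether a client's public IPv4 address is covered by any rule in the registry's list. The registry name, addresses and script name are placeholders, and the JMESPath query shown in a comment assumes that az acr network-rule list returns the rule set as JSON with an ipRules array whose entries carry ipAddressOrRange.

```shell
#!/bin/sh
# Added example for this page, not from the original docs or the Azure CLI
# project. Locks a Premium registry down to an IPv4 allow-list using the
# az acr subcommands the page describes, then checks whether a client's
# public IPv4 address is covered by a rule list (the troubleshooting case).
# Registry name and addresses below are placeholders.
set -eu

# Parse "a.b.c.d" or "a.b.c.d/n" into ADDR_INT (the address as a 32-bit
# integer) and PREFIX (0-32, 32 for a single host). Returns 1 for anything
# that is not a well-formed IPv4 address or CIDR range.
parse_ipv4_cidr() {
    addr=${1%%/*}
    PREFIX=${1#"$addr"}
    case "$PREFIX" in
        "") PREFIX=32 ;;
        /*) PREFIX=${PREFIX#/}
            case "$PREFIX" in [0-9]|[12][0-9]|3[0-2]) ;; *) return 1 ;; esac ;;
        *) return 1 ;;
    esac
    case "$addr" in *[!0-9.]*|"") return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    ADDR_INT=0
    for octet in "$@"; do
        # 1-3 digits, no leading zero (avoids octal in $(( ))), at most 255.
        case "$octet" in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        ADDR_INT=$(( ADDR_INT * 256 + octet ))
    done
}

# Return 0 if host address $1 lies inside the address or CIDR range $2.
ip_in_range() {
    parse_ipv4_cidr "$1" || return 1
    [ "$PREFIX" -eq 32 ] || return 1      # the client side must be a single host
    host_int=$ADDR_INT
    parse_ipv4_cidr "$2" || return 1
    mask=$(( (4294967295 << (32 - PREFIX)) & 4294967295 ))
    [ $(( host_int & mask )) -eq $(( ADDR_INT & mask )) ]
}

# The page's CLI procedure: validate every address first, so the registry is
# never left with the default action at Deny and a half-applied rule set;
# then deny by default, add one allow rule per address, and read the rules
# back so the operator can confirm the allow-list.
lock_down_registry() {
    registry=$1; shift
    for cidr in "$@"; do
        parse_ipv4_cidr "$cidr" || { echo "invalid IPv4 address or CIDR: $cidr" >&2; return 2; }
    done
    az acr update --name "$registry" --default-action Deny
    for cidr in "$@"; do
        az acr network-rule add --name "$registry" --ip-address "$cidr"
    done
    az acr network-rule list --name "$registry" --output table
}

# Troubleshooting aid: $1 is the client's public IPv4 address, the remaining
# arguments are the registry's rules. To feed in the live rules, the assumed
# query shape of the list command's JSON is:
#   az acr network-rule list --name myreg --query "ipRules[].ipAddressOrRange" -o tsv
client_allowed() {
    client=$1; shift
    for rule in "$@"; do
        if ip_in_range "$client" "$rule"; then
            echo "$client is allowed by rule $rule"
            return 0
        fi
    done
    echo "$client matches no rule; docker login will get 403 Forbidden" >&2
    return 1
}

# Stand-alone use: sh acr-lockdown.sh <registry> <ip-or-cidr>...
if [ "$#" -ge 2 ]; then
    lock_down_registry "$@"
fi
```

After az login, run it as sh acr-lockdown.sh myContainerRegistry 203.0.113.5 198.51.100.0/24. Allow a few minutes for the rules to take effect before retrying docker login. To use the troubleshooting helper, source the file in a shell and call client_allowed with your public IPv4 address followed by the addresses that the list command prints; when a client sits behind an HTTPS proxy, pass the proxy's public address instead, since that is what the registry sees.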

Next steps