Configure rules to access an Azure container registry behind a firewall

This article explains how to configure rules on your firewall to allow access to an Azure container registry. For example, an Azure IoT Edge device behind a firewall or proxy server might need to access a container registry to pull a container image. Or, a locked-down server in an on-premises network might need access to push an image.

About registry endpoints

To pull or push images or other artifacts to an Azure container registry, a client such as a Docker daemon needs to interact over HTTPS with two distinct endpoints. For clients that access a registry from behind a firewall, you need to configure access rules for both endpoints.

  • Registry REST API endpoint - Authentication and registry management operations are handled through the registry's public REST API endpoint. This endpoint is the login server name of the registry. Example: myregistry.azurecr.cn

  • Storage (data) endpoint - Azure allocates blob storage in Azure Storage accounts on behalf of each registry to manage the data for container images and other artifacts. When a client accesses image layers in an Azure container registry, it makes requests using a storage account endpoint provided by the registry.

If your registry is geo-replicated, a client might need to interact with the data endpoint in a specific region or in multiple replicated regions.

Allow access to REST and data endpoints

  • REST endpoint - Allow access to the fully qualified registry login server name, <registry-name>.azurecr.cn, or an associated IP address range.
  • Storage (data) endpoint - Allow access to all Azure blob storage accounts using the wildcard *.blob.core.chinacloudapi.cn, or an associated IP address range.

Note

Azure Container Registry is introducing dedicated data endpoints (preview), allowing you to tightly scope client firewall rules for your registry storage. Optionally enable data endpoints in all regions where the registry is located or replicated, using the form <registry-name>.<region>.data.azurecr.cn.

Allow access by IP address range

If your organization has policies to allow access only to specific IP addresses or address ranges, download Azure IP Ranges and Service Tags - China Cloud.

To find the ACR REST endpoint IP ranges for which you need to allow access, search for AzureContainerRegistry in the JSON file.

Important

IP address ranges for Azure services can change, and updates are published weekly. Download the JSON file regularly, and make the necessary updates in your access rules. If your scenario involves configuring network security group rules in an Azure virtual network or you use Azure Firewall, use the AzureContainerRegistry service tag instead.

REST IP addresses for all regions

{
  "name": "AzureContainerRegistry",
  "id": "AzureContainerRegistry",
  "properties": {
    "changeNumber": 10,
    "region": "",
    "platform": "Azure",
    "systemService": "AzureContainerRegistry",
    "addressPrefixes": [
      "40.73.136.24/29",
    [...]

REST IP addresses for a specific region

Search for the specific region, such as AzureContainerRegistry.ChinaNorth.

{
  "name": "AzureContainerRegistry.ChinaNorth",
  "id": "AzureContainerRegistry.ChinaNorth",
  "properties": {
    "changeNumber": 1,
    "region": "chinanorth",
    "platform": "Azure",
    "systemService": "AzureContainerRegistry",
    "addressPrefixes": [
      "139.217.48.104/29",
    [...]

Storage IP addresses for all regions

{
  "name": "Storage",
  "id": "Storage",
  "properties": {
    "changeNumber": 19,
    "region": "",
    "platform": "Azure",
    "systemService": "AzureStorage",
    "addressPrefixes": [
      "40.72.64.0/24",
    [...]

Storage IP addresses for specific regions

Search for the specific region, such as Storage.ChinaNorth.

{
  "name": "Storage.ChinaNorth",
  "id": "Storage.ChinaNorth",
  "properties": {
    "changeNumber": 1,
    "region": "chinanorth",
    "platform": "Azure",
    "systemService": "AzureStorage",
    "addressPrefixes": [
      "40.72.64.0/24"
    [...]
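The lookup described in this section, as an added Python example (it is not code from the page or from Azure): it parses a constructed sample in the shape of the service-tag JSON file, builds the REST plus storage allow-list for one region, reports which prefix covers a given destination address, and, for the weekly-update caveat above, lists the prefixes added or removed between two releases of the file. The prefixes reused from the page's snippets are the only real values; the `values` top-level key, the second ACR prefix and the "next release" document are assumptions made for the example.

```python
import ipaddress
import json

# Constructed sample in the shape of the "Azure IP Ranges and Service Tags"
# file. Prefixes shown on the page are reused; the file layout ("values"),
# the second ACR prefix and the change numbers are assumptions for the example.
SAMPLE_TAGS_JSON = """
{
  "changeNumber": 100,
  "cloud": "AzureChinaCloud",
  "values": [
    {"name": "AzureContainerRegistry", "id": "AzureContainerRegistry",
     "properties": {"changeNumber": 10, "region": "", "platform": "Azure",
                    "systemService": "AzureContainerRegistry",
                    "addressPrefixes": ["40.73.136.24/29", "139.217.48.104/29"]}},
    {"name": "AzureContainerRegistry.ChinaNorth", "id": "AzureContainerRegistry.ChinaNorth",
     "properties": {"changeNumber": 1, "region": "chinanorth", "platform": "Azure",
                    "systemService": "AzureContainerRegistry",
                    "addressPrefixes": ["139.217.48.104/29"]}},
    {"name": "Storage.ChinaNorth", "id": "Storage.ChinaNorth",
     "properties": {"changeNumber": 1, "region": "chinanorth", "platform": "Azure",
                    "systemService": "AzureStorage",
                    "addressPrefixes": ["40.72.64.0/24"]}}
  ]
}
"""


def load_tags(text):
    """Parse the service-tag file into a {tag id: properties} dict."""
    doc = json.loads(text)
    return {entry["id"]: entry["properties"] for entry in doc["values"]}


def prefixes_for(tags, tag_id):
    """Address prefixes of one tag as ip_network objects (KeyError if absent)."""
    if tag_id not in tags:
        raise KeyError(f"service tag {tag_id!r} not present in file")
    return [ipaddress.ip_network(p) for p in tags[tag_id]["addressPrefixes"]]


def allow_list(tags, region):
    """Prefixes a client firewall must allow for REST and storage in one region."""
    rest = prefixes_for(tags, f"AzureContainerRegistry.{region}")
    data = prefixes_for(tags, f"Storage.{region}")
    return sorted({str(n) for n in rest + data})


def covering_prefix(prefixes, address):
    """The first prefix that contains address, or None if no rule would match."""
    ip = ipaddress.ip_address(address)
    for net in prefixes:
        if ip.version == net.version and ip in net:
            return str(net)
    return None


def prefix_changes(old_tags, new_tags, tag_id):
    """Prefixes added and removed between two releases of the file, for one tag."""
    old = {str(n) for n in prefixes_for(old_tags, tag_id)}
    new = {str(n) for n in prefixes_for(new_tags, tag_id)}
    return sorted(new - old), sorted(old - new)


def updated_sample():
    """Constructed 'next week' release: one ACR prefix added, nothing removed."""
    doc = json.loads(SAMPLE_TAGS_JSON)
    doc["changeNumber"] += 1
    for entry in doc["values"]:
        if entry["id"] == "AzureContainerRegistry":
            entry["properties"]["changeNumber"] += 1
            entry["properties"]["addressPrefixes"].append("40.73.136.32/29")
    return json.dumps(doc)


if __name__ == "__main__":
    tags = load_tags(SAMPLE_TAGS_JSON)
    print("ChinaNorth allow-list:", allow_list(tags, "ChinaNorth"))
    acr = prefixes_for(tags, "AzureContainerRegistry")
    print("139.217.48.106 is covered by:", covering_prefix(acr, "139.217.48.106"))
    added, removed = prefix_changes(tags, load_tags(updated_sample()), "AzureContainerRegistry")
    print("added since last release:", added, "removed:", removed)
```

Running `prefix_changes` against the previous download before each rule update turns the "download regularly" advice into a concrete check: anything in `removed` can be dropped from the allow-list, and anything in `added` must be allowed before clients start landing on the new addresses.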

Allow access by service tag

In an Azure virtual network, use network security rules to filter traffic from a resource such as a virtual machine to a container registry. To simplify the creation of the Azure network rules, use the AzureContainerRegistry service tag. A service tag represents a group of IP address prefixes to access an Azure service globally or per Azure region. The tag is automatically updated when addresses change.

For example, create an outbound network security group rule with destination AzureContainerRegistry to allow traffic to an Azure container registry. To allow access to the service tag only in a specific region, specify the region in the following format: AzureContainerRegistry.[region name].

Enable dedicated data endpoints (preview)

Warning

If you previously configured client firewall access to the existing *.blob.core.chinacloudapi.cn endpoints, switching to dedicated data endpoints will impact client connectivity, causing pull failures. To ensure clients have consistent access, add the new data endpoint rules to the client firewall rules. Once completed, enable dedicated data endpoints for your registries using the Azure CLI or other tools.

Dedicated data endpoints are an optional feature of the Premium container registry service tier. For information about registry service tiers and limits, see Azure Container Registry Tiers. To enable data endpoints using the Azure CLI, use Azure CLI version 2.4.0 or higher. If you need to install or upgrade, see Install Azure CLI.

The following az acr update command enables dedicated data endpoints on a registry named myregistry. For demonstration purposes, assume that the registry is replicated in two regions:

az acr update --name myregistry --data-endpoint-enabled

The data endpoints use a regional pattern, <registry-name>.<region>.data.azurecr.cn. To view the data endpoints, use the az acr show-endpoints command:

az acr show-endpoints --name myregistry

Output:

{
    "loginServer": "myregistry.azurecr.cn",
    "dataEndpoints": [
        {
            "region": "chinanorth",
            "endpoint": "myregistry.chinanorth.data.azurecr.cn",
        },
        {
            "region": "chinanorth",
            "endpoint": "myregistry.chinanorth.data.azurecr.cn",
        }
    ]
}

After you set up dedicated data endpoints for your registry, you can enable client firewall access rules for the data endpoints. Enable data endpoint access rules for all required registry regions.
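The migration step this section and the warning above describe, as an added Python example (not code from the page or from Azure): it reads a constructed sample in the shape of the az acr show-endpoints output, derives the full list of host names a client firewall must allow (login server, every regional data endpoint and, while clients migrate, the legacy blob wildcard), and reports which of the registry's endpoints an existing rule set would still block. The two region names and the valid-JSON layout of the sample are assumptions; the page's own output shows trailing commas and one region twice.

```python
import json

# Constructed sample in the shape of `az acr show-endpoints` output. The two
# regions are an assumption for the example; the host-name pattern is the one
# documented on the page.
SAMPLE_ENDPOINTS_JSON = """
{
  "loginServer": "myregistry.azurecr.cn",
  "dataEndpoints": [
    {"region": "chinanorth", "endpoint": "myregistry.chinanorth.data.azurecr.cn"},
    {"region": "chinaeast2", "endpoint": "myregistry.chinaeast2.data.azurecr.cn"}
  ]
}
"""

# Wildcard that clients allowed before dedicated data endpoints existed.
LEGACY_STORAGE_WILDCARD = "*.blob.core.chinacloudapi.cn"


def follows_regional_pattern(show_endpoints_json):
    """True if every data endpoint is <registry-name>.<region>.data.azurecr.cn."""
    doc = json.loads(show_endpoints_json)
    name = doc["loginServer"].split(".")[0]
    return all(ep["endpoint"] == f"{name}.{ep['region']}.data.azurecr.cn"
               for ep in doc["dataEndpoints"])


def required_fqdns(show_endpoints_json, keep_legacy_storage=True):
    """Host names a client firewall must allow for this registry.

    The REST endpoint comes first, then each distinct regional data endpoint.
    The legacy blob wildcard is kept by default so that clients which have not
    yet been switched over keep pulling (the warning in this section).
    """
    doc = json.loads(show_endpoints_json)
    fqdns = [doc["loginServer"]]
    for ep in doc["dataEndpoints"]:
        if ep["endpoint"] not in fqdns:  # a region listed twice adds one rule
            fqdns.append(ep["endpoint"])
    if keep_legacy_storage:
        fqdns.append(LEGACY_STORAGE_WILDCARD)
    return fqdns


def host_allowed(host, allow_rules):
    """True if host matches an allow rule; '*.suffix' matches any subdomain of suffix."""
    for rule in allow_rules:
        if rule.startswith("*."):
            suffix = rule[1:]          # ".blob.core.chinacloudapi.cn"
            if host.endswith(suffix) and host != suffix[1:]:
                return True
        elif host == rule:
            return True
    return False


def missing_rules(show_endpoints_json, allow_rules):
    """Registry endpoints that the client's current rules would block."""
    needed = required_fqdns(show_endpoints_json, keep_legacy_storage=False)
    return [fqdn for fqdn in needed if not host_allowed(fqdn, allow_rules)]


if __name__ == "__main__":
    # Constructed "before" rule set: REST endpoint plus the storage wildcard only.
    before = ["myregistry.azurecr.cn", LEGACY_STORAGE_WILDCARD]
    print("endpoints follow the regional pattern:", follows_regional_pattern(SAMPLE_ENDPOINTS_JSON))
    print("blocked until rules are added:", missing_rules(SAMPLE_ENDPOINTS_JSON, before))
    print("rules to allow during migration:", required_fqdns(SAMPLE_ENDPOINTS_JSON))
```

Run `missing_rules` against the client's current allow-list before running `az acr update --data-endpoint-enabled`; an empty result means the switch will not cause the pull failures the warning describes, and the legacy wildcard can be removed only once every client has been verified against the dedicated endpoints.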

Configure client firewall rules for MCR

If you need to access Microsoft Container Registry (MCR) from behind a firewall, see the guidance to configure MCR client firewall rules. MCR is the primary registry for all Microsoft-published Docker images, such as Windows Server images.

Next steps