Configure rules to access an Azure container registry behind a firewall

This article explains how to configure rules on your firewall to allow access to an Azure container registry. For example, an Azure IoT Edge device behind a firewall or proxy server might need to access a container registry to pull a container image. Or, a locked-down server in an on-premises network might need access to push an image.

If instead you want to configure inbound network access to a container registry only within an Azure virtual network, see Configure Azure Private Link for an Azure container registry.

About registry endpoints

To pull or push images or other artifacts to an Azure container registry, a client such as a Docker daemon needs to interact over HTTPS with two distinct endpoints. For clients that access a registry from behind a firewall, you need to configure access rules for both endpoints. Both endpoints are reached over port 443.

  • Registry REST API endpoint - Authentication and registry management operations are handled through the registry's public REST API endpoint. This endpoint is the login server name of the registry. Example: myregistry.azurecr.cn

  • Storage (data) endpoint - Azure allocates blob storage in Azure Storage accounts on behalf of each registry to manage the data for container images and other artifacts. When a client accesses image layers in an Azure container registry, it makes requests using a storage account endpoint provided by the registry.

If your registry is geo-replicated, a client might need to interact with the data endpoint in a specific region or in multiple replicated regions.

Allow access to REST and data endpoints

  • REST endpoint - Allow access to the fully qualified registry login server name, <registry-name>.azurecr.cn, or an associated IP address range.
  • Storage (data) endpoint - Allow access to all Azure blob storage accounts using the wildcard *.blob.core.chinacloudapi.cn, or an associated IP address range.

Note

Azure Container Registry is introducing dedicated data endpoints, allowing you to tightly scope client firewall rules for your registry storage. Optionally enable data endpoints in all regions where the registry is located or replicated, using the form <registry-name>.<region>.data.azurecr.cn.

Allow access by IP address range

If your organization has policies to allow access only to specific IP addresses or address ranges, download Azure IP Ranges and Service Tags - China Cloud.

To find the ACR REST endpoint IP ranges for which you need to allow access, search for AzureContainerRegistry in the JSON file.

Important

IP address ranges for Azure services can change, and updates are published weekly. Download the JSON file regularly, and make the necessary updates in your access rules. If your scenario involves configuring network security group rules in an Azure virtual network or you use Azure Firewall, use the AzureContainerRegistry service tag instead.
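As an added example (not part of this article or of Microsoft's tooling), the following Python script parses a constructed sample in the shape of the service tags JSON file, extracts the AzureContainerRegistry and Storage prefixes for one region, renders allow rules for TCP 443, checks whether an address a client resolved falls inside the tag, and diffs two snapshots to flag the weekly prefix changes the note above warns about. The sample prefixes are the ones shown on this page; the function names are the example's own.

```python
import ipaddress
import json

# Constructed sample shaped like the Azure IP Ranges and Service Tags JSON file; prefixes illustrative.
SERVICE_TAGS_JSON = """{
  "changeNumber": 100, "cloud": "AzureChinaCloud",
  "values": [
    {"name": "AzureContainerRegistry", "id": "AzureContainerRegistry",
     "properties": {"region": "", "systemService": "AzureContainerRegistry",
                    "addressPrefixes": ["40.73.136.24/29", "139.217.48.104/29"]}},
    {"name": "AzureContainerRegistry.ChinaNorth", "id": "AzureContainerRegistry.ChinaNorth",
     "properties": {"region": "chinanorth", "systemService": "AzureContainerRegistry",
                    "addressPrefixes": ["139.217.48.104/29"]}},
    {"name": "Storage.ChinaNorth", "id": "Storage.ChinaNorth",
     "properties": {"region": "chinanorth", "systemService": "AzureStorage",
                    "addressPrefixes": ["40.72.64.0/24"]}}
  ]
}"""

def load_service_tags(text):
    return json.loads(text)

def prefixes_for(doc, tag_name):
    """addressPrefixes of one tag by exact name, e.g. 'Storage.ChinaNorth'."""
    for entry in doc["values"]:
        if entry["name"] == tag_name:
            return [ipaddress.ip_network(p, strict=False)
                    for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag not found: {tag_name}")

def registry_allow_list(doc, region):
    """Both endpoints a client needs for one region: REST (ACR tag) and data (Storage tag)."""
    return {t: prefixes_for(doc, t)
            for t in (f"AzureContainerRegistry.{region}", f"Storage.{region}")}

def render_rules(allow_list):
    """Firewall-style allow lines; both endpoints are reached over TCP 443."""
    return [f"allow tcp/443 dst {n}  # {tag}"
            for tag, nets in allow_list.items() for n in nets]

def is_covered(addr, networks):
    """Is an address the client resolved (e.g. for the login server) inside the tag?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in networks)

def prefix_changes(old_doc, new_doc, tag_name):
    """Weekly check: prefixes added and removed for a tag between two JSON snapshots."""
    old, new = set(prefixes_for(old_doc, tag_name)), set(prefixes_for(new_doc, tag_name))
    return sorted(map(str, new - old)), sorted(map(str, old - new))
```

Run prefix_changes against last week's and this week's downloads; a non-empty result means the firewall rules need updating before clients start failing to pull.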

REST IP addresses for all regions

{
  "name": "AzureContainerRegistry",
  "id": "AzureContainerRegistry",
  "properties": {
    "changeNumber": 10,
    "region": "",
    "platform": "Azure",
    "systemService": "AzureContainerRegistry",
    "addressPrefixes": [
      "40.73.136.24/29",
    [...]

REST IP addresses for a specific region

Search for the specific region, such as AzureContainerRegistry.ChinaNorth.

{
  "name": "AzureContainerRegistry.ChinaNorth",
  "id": "AzureContainerRegistry.ChinaNorth",
  "properties": {
    "changeNumber": 1,
    "region": "chinanorth",
    "platform": "Azure",
    "systemService": "AzureContainerRegistry",
    "addressPrefixes": [
      "139.217.48.104/29",
    [...]

Storage IP addresses for all regions

{
  "name": "Storage",
  "id": "Storage",
  "properties": {
    "changeNumber": 19,
    "region": "",
    "platform": "Azure",
    "systemService": "AzureStorage",
    "addressPrefixes": [
      "40.72.64.0/24",
    [...]

Storage IP addresses for specific regions

Search for the specific region, such as Storage.ChinaNorth.

{
  "name": "Storage.ChinaNorth",
  "id": "Storage.ChinaNorth",
  "properties": {
    "changeNumber": 1,
    "region": "chinanorth",
    "platform": "Azure",
    "systemService": "AzureStorage",
    "addressPrefixes": [
      "40.72.64.0/24"
    [...]

Allow access by service tag

In an Azure virtual network, use network security rules to filter traffic from a resource such as a virtual machine to a container registry. To simplify the creation of the Azure network rules, use the AzureContainerRegistry service tag. A service tag represents a group of IP address prefixes to access an Azure service globally or per Azure region. The tag is automatically updated when addresses change.

For example, create an outbound network security group rule with destination AzureContainerRegistry to allow traffic to an Azure container registry. To allow access to the service tag only in a specific region, specify the region in the following format: AzureContainerRegistry.[region name].

Enable dedicated data endpoints

Warning

If you previously configured client firewall access to the existing *.blob.core.chinacloudapi.cn endpoints, switching to dedicated data endpoints will impact client connectivity, causing pull failures. To ensure clients have consistent access, add the new data endpoint rules to the client firewall rules. Once completed, enable dedicated data endpoints for your registries using the Azure CLI or other tools.

Dedicated data endpoints are an optional feature of the Premium container registry service tier. For information about registry service tiers and limits, see Azure Container Registry service tiers.

You can enable dedicated data endpoints using the Azure portal or the Azure CLI. The data endpoints follow a regional pattern, <registry-name>.<region>.data.azurecr.cn. In a geo-replicated registry, enabling data endpoints enables endpoints in all replica regions.

Portal

To enable data endpoints using the portal:

  1. Navigate to your container registry.
  2. Select Networking > Public access.
  3. Select the Enable dedicated data endpoint checkbox.
  4. Select Save.

The data endpoint or endpoints appear in the portal.

Dedicated data endpoints in the portal

Azure CLI

To enable data endpoints using the Azure CLI, use Azure CLI version 2.4.0 or higher. If you need to install or upgrade, see Install Azure CLI.

The following az acr update command enables dedicated data endpoints on the registry myregistry.

az acr update --name myregistry --data-endpoint-enabled

To view the data endpoints, run the az acr show-endpoints command:

az acr show-endpoints --name myregistry

Output for demonstration purposes shows two regional endpoints, each following the <registry-name>.<region>.data.azurecr.cn pattern:

{
    "loginServer": "myregistry.azurecr.cn",
    "dataEndpoints": [
        {
            "region": "chinanorth",
            "endpoint": "myregistry.chinanorth.data.azurecr.cn"
        },
        {
            "region": "chinaeast2",
            "endpoint": "myregistry.chinaeast2.data.azurecr.cn"
        }
    ]
}

After you set up dedicated data endpoints for your registry, you can enable client firewall access rules for the data endpoints. Enable data endpoint access rules for all required registry regions.
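The following Python check is added here and is not part of this article or of the Azure CLI. It takes a constructed az acr show-endpoints output in the page's <registry-name>.<region>.data.azurecr.cn pattern and reports which required hosts a client firewall allow-list (exact names or wildcards such as *.blob.core.chinacloudapi.cn) does not yet cover, so the new data endpoint rules can be added before the registry is switched, as the warning above requires. The function names are the example's own.

```python
import fnmatch
import json

# Constructed az acr show-endpoints output; not real registry data.
SHOW_ENDPOINTS_OUTPUT = """{
  "loginServer": "myregistry.azurecr.cn",
  "dataEndpoints": [
    {"region": "chinanorth", "endpoint": "myregistry.chinanorth.data.azurecr.cn"},
    {"region": "chinaeast2", "endpoint": "myregistry.chinaeast2.data.azurecr.cn"}
  ]
}"""

def required_hosts(show_endpoints_json):
    """REST endpoint (login server) plus one data endpoint per replica region, all on TCP 443."""
    doc = json.loads(show_endpoints_json)
    return [doc["loginServer"]] + [d["endpoint"] for d in doc["dataEndpoints"]]

def host_allowed(host, allow_patterns):
    """An allow entry is an exact FQDN or a wildcard such as *.blob.core.chinacloudapi.cn."""
    return any(fnmatch.fnmatchcase(host, p) for p in allow_patterns)

def missing_rules(show_endpoints_json, allow_patterns):
    """Hosts the client firewall must still allow before dedicated data endpoints are enabled."""
    return [h for h in required_hosts(show_endpoints_json)
            if not host_allowed(h, allow_patterns)]
```

Run it against the current allow-list before running az acr update; an empty result means every endpoint the registry will use is already permitted.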

Configure client firewall rules for MCR

If you need to access Microsoft Container Registry (MCR) from behind a firewall, see the guidance to configure MCR client firewall rules. MCR is the primary registry for all Microsoft-published Docker images, such as Windows Server images.

Next steps