Optimize image pulls with artifact cache in Azure Container Registry
The artifact cache feature of Azure Container Registry lets you cache container images in both public and private repositories.
Artifact cache enables faster and more reliable pull operations through Azure Container Registry (ACR), using features like geo-replication and Availability Zone support for higher availability and faster image pulls. Cached registries are accessible over private networks to align with firewall configurations and compliance standards.
Artifact cache addresses the challenge of pull limits imposed by public registries. We recommend authenticating your cache rules with your upstream source credentials. Then, you can pull images from the local ACR, helping to mitigate rate limits.
The artifact cache feature is available in Basic, Standard, and Premium service tiers. You can enable artifact cache rules in the Azure portal or by using Azure CLI.
Terminology
When working with artifact caching, it's helpful to understand the following terminology:
Cache Rule: A rule you create to pull artifacts from a supported repository into your cache. A cache rule contains four parts:
- Rule name: The name of your cache rule. For example, Hello-World-Cache.
- Source: The name of the source registry.
- Repository path: The source path of the repository to find and retrieve artifacts you want to cache. For example, docker.io/library/hello-world.
- New ACR repository namespace: The name of the new repository path to store artifacts. For example, hello-world. The repository can't already exist inside the ACR instance.
Credentials: A username and password set for the source registry. You require credentials to authenticate with a public or private repository. Credentials contain four parts:
- Credentials: The name of your credentials.
- Source registry login server: The login server of your source registry.
- Source authentication: The key vault locations to store credentials.
- Username and password secrets: Secrets containing the username and password.
Current limitations
When using artifact cache, keep in mind the following limitations:
- Caching only occurs after at least one image pull of the available container image is complete. For every new image available, a new image pull must be complete. Currently, artifact cache doesn't automatically pull new tags of images when a new tag is available.
- Artifact cache supports a maximum of 1,000 cache rules.
- Artifact cache rules can't overlap with other cache rules. In other words, if you have an artifact cache rule for a certain registry path, you can't add another cache rule that overlaps with it.
Upstream support
Artifact cache currently supports the following upstream registries. Review the following table for details about which types of pulls are supported and how they can be used.
Warning
You must generate a credential set by using Azure CLI or the Azure portal to source content from Docker Hub.
Upstream registry | Support | Availability |
---|---|---|
Docker Hub | Supports authenticated pulls only. | Azure CLI, Azure portal |
Microsoft Artifact Registry | Supports unauthenticated pulls only. | Azure CLI, Azure portal |
AWS Elastic Container Registry (ECR) Public Gallery | Supports unauthenticated pulls only. | Azure CLI, Azure portal |
GitHub Container Registry | Supports both authenticated and unauthenticated pulls. | Azure CLI, Azure portal |
Quay | Supports both authenticated and unauthenticated pulls. | Azure CLI, Azure portal |
registry.k8s.io | Supports both authenticated and unauthenticated pulls. | Azure CLI |
Google Container Registry | Supports both authenticated and unauthenticated pulls. | Azure CLI |
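As an added example (not Microsoft's code and not part of the original page), the following Python check lints a planned set of cache rules against the limitations and upstream table above before the rules are created. The names CacheRule, lint and SAMPLE are hypothetical, host names other than docker.io and registry.k8s.io are this example's mapping of the registry names in the table, and overlap is approximated as an identical source path or target repository; wildcard rules are not evaluated.

```python
from dataclasses import dataclass
from typing import List, Optional

# Upstream table from the page: host -> (authenticated ok, unauthenticated ok).
# Hosts other than docker.io and registry.k8s.io are this example's mapping.
UPSTREAMS = {
    "docker.io": (True, False),
    "mcr.microsoft.com": (False, True),
    "public.ecr.aws": (False, True),
    "ghcr.io": (True, True),
    "quay.io": (True, True),
    "registry.k8s.io": (True, True),
    "gcr.io": (True, True),
}
MAX_RULES = 1000  # limit stated on the page

@dataclass
class CacheRule:
    name: str
    source: str                  # e.g. docker.io/library/hello-world
    target: str                  # new ACR repository namespace
    credential_set: Optional[str] = None

def lint(rules: List[CacheRule], existing_repos=frozenset()) -> List[str]:
    """Return findings for a planned rule set; an empty list means it passes."""
    findings = []
    if len(rules) > MAX_RULES:
        findings.append(f"{len(rules)} rules exceeds the limit of {MAX_RULES}")
    seen_sources, seen_targets = {}, {}
    for r in rules:
        host = r.source.split("/", 1)[0].lower()
        if host not in UPSTREAMS:
            findings.append(f"{r.name}: upstream {host} is not supported")
        else:
            auth_ok, anon_ok = UPSTREAMS[host]
            if r.credential_set is None and not anon_ok:
                findings.append(f"{r.name}: {host} requires a credential set")
            if r.credential_set is not None and not auth_ok:
                findings.append(f"{r.name}: {host} supports unauthenticated pulls only")
        if r.target in existing_repos:
            findings.append(f"{r.name}: repository {r.target} already exists")
        # Conservative overlap test (assumption): same source path or same target.
        for key, seen, what in ((r.source.rstrip("/"), seen_sources, "source"),
                                (r.target.rstrip("/"), seen_targets, "target")):
            if key in seen:
                findings.append(f"{r.name}: {what} overlaps with rule {seen[key]}")
            seen.setdefault(key, r.name)
    return findings

# Constructed sample plan: a Docker Hub rule with no credential set.
SAMPLE = [CacheRule("Hello-World-Cache", "docker.io/library/hello-world", "hello-world")]
```

Calling lint(SAMPLE) reports that the Docker Hub rule needs a credential set, which matches the warning above the table.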
Next steps
- Learn how to enable artifact caching using the Azure portal or Azure CLI.
- Learn about using wildcards to match multiple paths within the container image registry.