
Restrict access to a container registry using a service endpoint in an Azure virtual network

Azure Virtual Network provides secure, private networking for your Azure and on-premises resources. A service endpoint lets you restrict access to your container registry's public IP address to traffic originating from your virtual network. The endpoint gives that traffic an optimal route to the registry over the Azure backbone network, and the identities of the virtual network and the subnet are transmitted with each request, which is what the registry's network rules match on.

This article shows how to configure a container registry service endpoint (preview) in a virtual network.

Important

Azure Container Registry now supports Azure Private Link, which lets you place a private endpoint from a virtual network on a registry. Private endpoints are reachable from within the virtual network over private IP addresses, so the registry's public endpoint does not need to be exposed at all. We recommend private endpoints instead of service endpoints in most network scenarios.

Configuring a registry service endpoint is available in the Premium container registry service tier. For information about registry service tiers and limits, see Azure Container Registry service tiers.

Preview limitations

  • Future development of service endpoints for Azure Container Registry isn't currently planned. We recommend using private endpoints instead.
  • You can't use the Azure portal to configure service endpoints on a registry.
  • Only an Azure Kubernetes Service cluster or an Azure virtual machine can be used as a host to access a container registry through a service endpoint. Other Azure services, including Azure Container Instances, aren't supported.
  • Each registry supports a maximum of 100 network access rules.
  • Service endpoints for Azure Container Registry aren't supported in the Azure US Government cloud or the Azure China cloud.

Important

  • Azure Security Center can't currently perform image vulnerability scanning in a registry that restricts access to private endpoints, selected subnets, or IP addresses.
  • Instances of certain Azure services, including Azure DevOps Services, Web Apps, and Azure Container Instances, are also unable to access a network-restricted container registry. Check which services push to or pull from the registry before you change its default action.

Prerequisites

  • To use the Azure CLI steps in this article, Azure CLI version 2.0.58 or later is required. If you need to install or upgrade, see Install Azure CLI.

  • If you don't already have a container registry, create one (Premium tier required) and push a sample image such as hello-world from Docker Hub. For example, use the Azure portal or the Azure CLI to create a registry.

  • If you want to restrict registry access using a service endpoint in a virtual network that lives in a different Azure subscription, register the resource provider for Azure Container Registry in that subscription. For example:

    az account set --subscription <Name or ID of subscription of virtual network>

    az provider register --namespace Microsoft.ContainerRegistry


Create a Docker-enabled virtual machine

For test purposes, use a Docker-enabled Ubuntu VM to access an Azure container registry. To use Azure Active Directory authentication to the registry, also install the Azure CLI on the VM. If you already have an Azure virtual machine, skip this creation step.

You may use the same resource group for your virtual machine and your container registry. This setup simplifies clean-up at the end but isn't required. If you choose to create a separate resource group for the virtual machine and virtual network, run az group create. The following example assumes you've set environment variables for the resource group name and registry location (later commands in this article use the literal name myResourceGroup; substitute your own values):

az group create --name $RESOURCE_GROUP --location $REGISTRY_LOCATION

Now deploy a default Ubuntu Azure virtual machine with az vm create. The following example creates a VM named myDockerVM.

VM_NAME=myDockerVM

az vm create \
  --resource-group $RESOURCE_GROUP \
  --name $VM_NAME \
  --image UbuntuLTS \
  --admin-username azureuser \
  --generate-ssh-keys

It takes a few minutes for the VM to be created. When the command completes, take note of the publicIpAddress displayed by the Azure CLI. Use this address to make SSH connections to the VM.

Install Docker on the VM

After the VM is running, make an SSH connection to the VM. Replace publicIpAddress with the public IP address of your VM.

ssh azureuser@publicIpAddress

Run the following commands to install Docker on the Ubuntu VM:

sudo apt-get update
sudo apt install docker.io -y

After installation, run the following command to verify that Docker is running properly on the VM:

sudo docker run -it hello-world

Output:

Hello from Docker!
This message shows that your installation appears to be working correctly.
[...]

Install the Azure CLI

Follow the steps in Install Azure CLI with apt to install the Azure CLI on your Ubuntu virtual machine. The one-line installer below pipes a downloaded script straight into sudo bash, which runs it as root unreviewed; that is acceptable on a throwaway test VM, but for anything longer-lived download the script and inspect it first, or use the manual apt repository steps in that article. For example:

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Exit the SSH connection.

Configure network access for registry

In this section, configure your container registry to allow access only from a subnet in an Azure virtual network. Steps are provided using the Azure CLI.

Add a service endpoint to a subnet

When you create a VM, Azure by default creates a virtual network in the same resource group. The name of the virtual network is based on the name of the virtual machine. For example, if you name your virtual machine myDockerVM, the default virtual network name is myDockerVMVNET, with a subnet named myDockerVMSubnet. Verify this by using the az network vnet list command:

az network vnet list \
  --resource-group myResourceGroup \
  --query "[].{Name: name, Subnet: subnets[0].name}"

Output:

[
  {
    "Name": "myDockerVMVNET",
    "Subnet": "myDockerVMSubnet"
  }
]

Use the az network vnet subnet update command to add a Microsoft.ContainerRegistry service endpoint to your subnet. Substitute the names of your virtual network and subnet in the following command:

az network vnet subnet update \
  --name myDockerVMSubnet \
  --vnet-name myDockerVMVNET \
  --resource-group myResourceGroup \
  --service-endpoints Microsoft.ContainerRegistry

Use the az network vnet subnet show command to retrieve the resource ID of the subnet. You need this ID in a later step to configure a network access rule.

az network vnet subnet show \
  --name myDockerVMSubnet \
  --vnet-name myDockerVMVNET \
  --resource-group myResourceGroup \
  --query "id" \
  --output tsv

Output:

/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myDockerVMVNET/subnets/myDockerVMSubnet

Change default network access to registry

By default, an Azure container registry allows connections from hosts on any network. To limit access to a selected network, change the default action to deny access. Network rules apply to the registry's data plane (the login server that docker and az acr login talk to); management operations such as az acr update continue to go through Azure Resource Manager and are not affected. Substitute the name of your registry in the following az acr update command:

az acr update --name myContainerRegistry --default-action Deny

Add network rule to registry

Use the az acr network-rule add command to add a network rule to your registry that allows access from the VM's subnet. Substitute the container registry's name and the resource ID of the subnet in the following command:

az acr network-rule add \
 --name mycontainerregistry \
 --subnet <subnet-resource-id>
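The three settings above only work together if the service endpoint is provisioned on the subnet, the registry's default action is Deny, and an Allow rule names exactly that subnet. The following Python audit is an added example, not code from the original article or from Azure, that checks those conditions plus the 100-rule limit from the preview limitations. It runs offline on constructed JSON that mirrors the shape of `az network vnet subnet show -o json` and `az acr show --name <registry> --query networkRuleSet -o json`; the field names (serviceEndpoints, provisioningState, defaultAction, ipRules, virtualNetworkRules, virtualNetworkResourceId) are the Azure CLI's as I know them, and the subscription ID is a placeholder.

```python
"""Offline audit of an ACR network rule set against the VM subnet (added example).

The JSON constants are constructed to mirror the shape of
`az network vnet subnet show ... -o json` and
`az acr show --name <registry> --query networkRuleSet -o json`.
Replace them with real output (for example read from files) to audit a live registry.
"""
import json

# Per-registry limit stated in the preview limitations.
MAX_NETWORK_RULES = 100
ACR_SERVICE = "Microsoft.ContainerRegistry"

# Placeholder subscription ID; the rest matches the names used in the article.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
             "/resourceGroups/myResourceGroup/providers/Microsoft.Network"
             "/virtualNetworks/myDockerVMVNET/subnets/myDockerVMSubnet")

# Constructed: trimmed `az network vnet subnet show` output after the endpoint was added.
SUBNET_JSON = json.dumps({
    "id": SUBNET_ID,
    "name": "myDockerVMSubnet",
    "serviceEndpoints": [
        {"service": ACR_SERVICE, "locations": ["*"], "provisioningState": "Succeeded"}
    ],
})

# Constructed: `az acr show --query networkRuleSet` output after Deny + one subnet rule.
RULESET_JSON = json.dumps({
    "defaultAction": "Deny",
    "ipRules": [],
    "virtualNetworkRules": [
        {"action": "Allow", "virtualNetworkResourceId": SUBNET_ID}
    ],
})


def subnet_has_acr_endpoint(subnet: dict) -> bool:
    """True if the subnet carries a provisioned Microsoft.ContainerRegistry endpoint."""
    return any(
        ep.get("service") == ACR_SERVICE
        and ep.get("provisioningState", "Succeeded") == "Succeeded"
        for ep in subnet.get("serviceEndpoints", [])
    )


def allowed_subnet_ids(ruleset: dict) -> set:
    """Resource IDs of subnets with an Allow rule, lower-cased (ARM IDs are case-insensitive)."""
    ids = set()
    for rule in ruleset.get("virtualNetworkRules", []):
        # The CLI prints virtualNetworkResourceId; the raw ARM property is id.
        rid = rule.get("virtualNetworkResourceId") or rule.get("id")
        if rid and rule.get("action", "Allow") == "Allow":
            ids.add(rid.lower())
    return ids


def audit(subnet_json: str, ruleset_json: str) -> list:
    """Return a list of findings; an empty list means the VM subnet is correctly allowed."""
    subnet = json.loads(subnet_json)
    ruleset = json.loads(ruleset_json)
    findings = []

    if ruleset.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: registry accepts connections from any network")
    if not subnet_has_acr_endpoint(subnet):
        findings.append(f"subnet {subnet.get('name')} has no {ACR_SERVICE} service endpoint")
    if subnet["id"].lower() not in allowed_subnet_ids(ruleset):
        findings.append(f"no Allow rule for subnet {subnet['id']}")

    total = len(ruleset.get("ipRules", [])) + len(ruleset.get("virtualNetworkRules", []))
    if total > MAX_NETWORK_RULES:
        findings.append(f"{total} network rules exceed the limit of {MAX_NETWORK_RULES}")
    return findings


if __name__ == "__main__":
    for line in audit(SUBNET_JSON, RULESET_JSON) or ["OK: subnet is allowed and default action is Deny"]:
        print(line)
```

Resource IDs are compared case-insensitively because Azure Resource Manager treats them that way, so a rule added with a differently cased resource group name still matches. A missing Allow rule or a default action of Allow each produce a single finding, which is the state you see if you ran only one of the two az acr commands above.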

Verify access to the registry

After waiting a few minutes for the configuration to update, verify that the VM can access the container registry. Make an SSH connection to your VM, and run the az acr login command to log in to your registry.

az acr login --name mycontainerregistry

You can then perform registry operations such as docker pull to pull a sample image from the registry. Substitute an image and tag value appropriate for your registry, prefixed with the registry login server name (all lowercase):

docker pull mycontainerregistry.azurecr.io/hello-world:v1

Docker successfully pulls the image to the VM.

This example demonstrates that you can access the private container registry through the network access rule. However, the registry can't be accessed from a login host that doesn't have a network access rule configured. If you attempt to log in from another host using the az acr login command or the docker login command, output is similar to the following. Note that the status is 403 Forbidden rather than 401 Unauthorized: the registry rejects the request based on its source network, regardless of the credentials presented.

Error response from daemon: login attempt to https://xxxxxxx.azurecr.io/v2/ failed with status: 403 Forbidden

Restore default registry access

To restore the registry to allow access by default, remove any network rules that are configured. Then set the default action to allow access.

Remove network rules

To see a list of network rules configured for your registry, run the following az acr network-rule list command:

az acr network-rule list --name mycontainerregistry 

For each rule that is configured, run the az acr network-rule remove command to remove it. For example:

# Remove a rule that allows access for a subnet. Substitute the subnet resource ID.

az acr network-rule remove \
  --name mycontainerregistry \
  --subnet /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myDockerVMVNET/subnets/myDockerVMSubnet
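A registry can carry both virtual network rules and IP rules, and az acr network-rule remove takes a different flag for each (--subnet for a virtual network rule, --ip-address for an IP rule). The following Python example is added here and is not code from the original article or from Azure; it turns a listing in the shape of `az acr network-rule list -o json` into the matching remove commands so that none is missed. The listing is constructed, the registry name is the article's placeholder, and the field names (virtualNetworkRules, virtualNetworkResourceId, ipRules, ipAddressOrRange) are the Azure CLI's as I know them. Nothing here calls Azure; review the printed commands before running them.

```python
"""Generate `az acr network-rule remove` commands from a rule listing (added example).

RULE_LIST_JSON is constructed to mirror `az acr network-rule list -o json`.
The script only prints commands; it never calls Azure itself.
"""
import json
import shlex

REGISTRY = "mycontainerregistry"

# Constructed sample listing with one subnet rule and one IP rule (placeholder subscription ID).
RULE_LIST_JSON = json.dumps({
    "ipRules": [
        {"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}
    ],
    "virtualNetworkRules": [
        {
            "action": "Allow",
            "virtualNetworkResourceId": (
                "/subscriptions/00000000-0000-0000-0000-000000000000"
                "/resourceGroups/myResourceGroup/providers/Microsoft.Network"
                "/virtualNetworks/myDockerVMVNET/subnets/myDockerVMSubnet"
            ),
        }
    ],
})


def remove_commands(registry: str, rule_list_json: str) -> list:
    """Return one shell-quoted `az acr network-rule remove` command per configured rule."""
    rules = json.loads(rule_list_json)
    name = shlex.quote(registry)
    commands = []
    # Virtual network rules are removed by subnet resource ID.
    for rule in rules.get("virtualNetworkRules", []):
        subnet_id = rule.get("virtualNetworkResourceId") or rule.get("id")
        commands.append(f"az acr network-rule remove --name {name} --subnet {shlex.quote(subnet_id)}")
    # IP rules are removed by the address or CIDR range they allow.
    for rule in rules.get("ipRules", []):
        commands.append(
            f"az acr network-rule remove --name {name} --ip-address {shlex.quote(rule['ipAddressOrRange'])}"
        )
    return commands


if __name__ == "__main__":
    print("\n".join(remove_commands(REGISTRY, RULE_LIST_JSON)))
```

Because az acr network-rule list reports the live state, running this against real output after each removal pass and checking that it prints nothing is a simple way to confirm the registry has no rules left before you set the default action back to Allow.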

Allow access

Substitute the name of your registry in the following az acr update command:

az acr update --name myContainerRegistry --default-action Allow

Clean up resources

If you created all the Azure resources in the same resource group and no longer need them, you can optionally delete the resources by using a single az group delete command:

az group delete --name myResourceGroup

Next steps