Geo-replication in Azure Container Registry

Companies that want a local presence, or a hot backup, choose to run services from multiple Azure regions. As a best practice, placing a container registry in each region where images are run allows network-close operations, enabling fast, reliable image layer transfers. Geo-replication enables an Azure container registry to function as a single registry, serving multiple regions with multi-master regional registries.

A geo-replicated registry provides the following benefits:

  • Single registry/image/tag names can be used across multiple regions
  • Network-close registry access from regional deployments
  • No additional egress fees, as images are pulled from a local, replicated registry in the same region as your container host
  • Single management of a registry across multiple regions

Note

If you need to maintain copies of container images in more than one Azure container registry, Azure Container Registry also supports image import. For example, in a DevOps workflow, you can import an image from a development registry to a production registry, without needing to use Docker commands.

Example use case

Contoso runs a public presence website located across the US, Canada, and Europe. To serve these markets with local and network-close content, Contoso runs Azure Kubernetes Service (AKS) clusters in West US, East US, Canada Central, and West Europe. The website application, deployed as a Docker image, uses the same code and image across all regions. Content local to each region is retrieved from a database, which is provisioned uniquely in each region. Each regional deployment has its own configuration for resources such as the local database.

The development team is located in Seattle, WA, and uses the West US data center.

Pushing to multiple registries

Prior to using the geo-replication feature, Contoso had a US-based registry in West US, with an additional registry in West Europe. To serve these different regions, the development team pushed images to two different registries:

docker push contoso.azurecr.io/public/products/web:1.2
docker push contosowesteu.azurecr.io/public/products/web:1.2

Pulling from multiple registries

Typical challenges of multiple registries include:

  • The East US, West US, and Canada Central clusters all pull from the West US registry, incurring egress fees as each of these remote container hosts pulls images from West US data centers.
  • The development team must push images to both the West US and West Europe registries.
  • The development team must configure and maintain each regional deployment with image names referencing the local registry.
  • Registry access must be configured for each region.

Benefits of geo-replication

(Diagram: pulling from a geo-replicated registry)

Using the geo-replication feature of Azure Container Registry, these benefits are realized:

  • Manage a single registry across all regions: contoso.azurecr.io
  • Manage a single configuration of image deployments, as all regions use the same image URL: contoso.azurecr.io/public/products/web:1.2
  • Push to a single registry, while ACR manages the geo-replication. You can configure regional webhooks to notify you of events in specific replicas.

Configure geo-replication

Configuring geo-replication is as easy as clicking regions on a map. You can also manage geo-replication using tools including the az acr replication commands in the Azure CLI, or deploy a registry enabled for geo-replication with an Azure Resource Manager template.

Geo-replication is a feature of Premium registries. If your registry isn't yet Premium, you can change from Basic or Standard to Premium in the Azure portal:

(Screenshot: switching service tiers in the Azure portal)

To configure geo-replication for your Premium registry, log in to the Azure portal at https://portal.azure.com.

Navigate to your Azure Container Registry, and select Replications:

(Screenshot: Replications in the Container Registry UI in the Azure portal)

A map is displayed showing all current Azure regions:

(Screenshot: region map in the Azure portal)

  • Blue hexagons represent current replicas
  • Green hexagons represent possible replica regions
  • Gray hexagons represent Azure regions not yet available for replication

To configure a replica, select a green hexagon, then select Create:

(Screenshot: Create replication UI in the Azure portal)

To configure additional replicas, select the green hexagons for other regions, then click Create.

ACR begins syncing images across the configured replicas. Once complete, the portal shows Ready. The replica status in the portal doesn't update automatically; use the refresh button to see the updated status.
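The same replica setup can be scripted with the az acr replication commands mentioned above. The following shell script is an added example, not code from the original page or from Azure: it makes replica creation idempotent by listing the existing replications first and only creating the regions that are missing, so re-running it after a partial failure is safe. The registry name, the region list and the DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotently ensure a Premium registry has replicas in a set of
# regions using "az acr replication". Set DRY_RUN=1 to print the az commands
# instead of executing them (useful for review before touching a real registry).
set -eu

# Run an az command, or only print it when DRY_RUN=1.
run_az() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "az $*"
  else
    az "$@"
  fi
}

# Print the names of the registry's existing replications, one per line
# (the registry's home region is listed as a replication too).
list_replicas() {
  run_az acr replication list --registry "$1" --query '[].name' --output tsv
}

# Print the wanted regions that are absent from the existing list.
# $1 = wanted regions (space-separated), $2 = existing names (newline-separated).
missing_regions() {
  for region in $1; do
    if ! printf '%s\n' "$2" | grep -qx "$region"; then
      printf '%s\n' "$region"
    fi
  done
}

# Create a replication only where none exists yet; existing replicas are
# skipped, so repeated runs do not fail or duplicate work.
ensure_replicas() {
  registry=$1
  shift
  existing=$(list_replicas "$registry")
  for region in $(missing_regions "$*" "$existing"); do
    run_az acr replication create --registry "$registry" --location "$region"
  done
}

# Usage (assumed registry name): ./ensure_replicas.sh contoso eastus canadacentral westeurope
[ $# -eq 0 ] || ensure_replicas "$@"
```

Because the home region and every replica are billed at the Premium rate, review the DRY_RUN output before running the script against a real registry.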

Considerations for using a geo-replicated registry

  • Each region in a geo-replicated registry is independent once set up. Azure Container Registry SLAs apply to each geo-replicated region.
  • When you push or pull images from a geo-replicated registry, Azure Traffic Manager in the background sends the request to the registry located in the region that is closest to you in terms of network latency.
  • After you push an image or tag update to the closest region, it takes some time for Azure Container Registry to replicate the manifests and layers to the remaining regions you opted into. Larger images take longer to replicate than smaller ones. Images and tags are synchronized across the replication regions with an eventual consistency model.
  • To manage workflows that depend on push updates to a geo-replicated registry, we recommend that you configure webhooks to respond to the push events. You can set up regional webhooks within a geo-replicated registry to track push events as they complete across the geo-replicated regions.
  • To serve blobs representing content layers, Azure Container Registry uses data endpoints. You can enable dedicated data endpoints for your registry in each of your registry's geo-replicated regions. These endpoints allow configuration of tightly scoped firewall access rules. For troubleshooting purposes, you can optionally disable routing to a replication while maintaining replicated data.
  • If you configure a private link for your registry using private endpoints in a virtual network, dedicated data endpoints in each of the geo-replicated regions are enabled by default.

Delete a replica

After you've configured a replica for your registry, you can delete it at any time if it's no longer needed. Delete a replica using the Azure portal or other tools such as the az acr replication delete command in the Azure CLI.

To delete a replica in the Azure portal:

  1. Navigate to your Azure Container Registry, and select Replications.
  2. Select the name of a replica, and select Delete. Confirm that you want to delete the replica.

To use the Azure CLI to delete a replica of myregistry in the East US region:

az acr replication delete --name eastus --registry myregistry

Geo-replication pricing

Geo-replication is a feature of the Premium service tier of Azure Container Registry. When you replicate a registry to your desired regions, you incur Premium registry fees for each region.

In the preceding example, Contoso consolidated two registries down to one, adding replicas to East US, Canada Central, and West Europe. Contoso would pay four times Premium per month, with no additional configuration or management. Each region now pulls its images locally, improving performance and reliability, without network egress fees from West US to Canada and East US.

Troubleshoot push operations with geo-replicated registries

A Docker client that pushes an image to a geo-replicated registry may not push all of the image's layers and its manifest to a single replicated region. This can happen because Azure Traffic Manager routes registry requests to the network-closest replicated registry. If the registry has two nearby replication regions, image layers and the manifest could be distributed across the two sites, and the push operation fails when the manifest is validated. This problem occurs because of the way the DNS name of the registry is resolved on some Linux hosts. The issue doesn't occur on Windows, which provides a client-side DNS cache.

If this problem occurs, one solution is to apply a client-side DNS cache such as dnsmasq on the Linux host. This helps ensure that the registry's name is resolved consistently. If you're using a Linux VM in Azure to push to a registry, see the options in DNS Name Resolution options for Linux virtual machines in Azure.

To optimize DNS resolution to the closest replica when pushing images, configure a geo-replicated registry in the same Azure regions as the source of the push operations, or in the closest region when working outside of Azure.
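Before reaching for dnsmasq, it helps to confirm that inconsistent resolution is actually what a push host sees. The following shell script is an added example, not code from the original page or from Azure: it resolves the registry's DNS name repeatedly from a Linux host and reports whether every lookup returned the same address, which is the precondition for a push being split across two replicas. The registry name, sample count and the constructed sample addresses in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example: check whether a geo-replicated registry's DNS name resolves
# consistently from this Linux host. Inconsistent answers across lookups mean
# layers and manifest of one "docker push" may land in different replicas.
set -eu

# Resolve a host name once via the system resolver and print its IPv4
# address(es), de-duplicated (getent repeats an address per socket type).
resolve_once() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Resolve the host N times and print every answer, one address per line.
# Each call goes through the resolver again, so caching behaviour shows up here.
sample_resolutions() {
  host=$1
  n=$2
  i=0
  while [ "$i" -lt "$n" ]; do
    resolve_once "$host"
    i=$((i + 1))
  done
}

# Count distinct addresses in a newline-separated list (empty input counts 0).
distinct_count() {
  printf '%s\n' "$1" | sed '/^$/d' | sort -u | wc -l | tr -d ' '
}

# Evaluate a sample set: return 0 when all lookups agreed on one address,
# 1 when they diverged (the condition that can break manifest validation).
check_consistency() {
  count=$(distinct_count "$1")
  if [ "$count" -le 1 ]; then
    echo "consistent: $count distinct address(es)"
    return 0
  fi
  echo "INCONSISTENT: $count distinct addresses; consider a client-side DNS cache such as dnsmasq"
  return 1
}

# Usage (assumed registry name and sample count): ./check_registry_dns.sh contoso.azurecr.io 10
[ $# -eq 0 ] || check_consistency "$(sample_resolutions "$1" "${2:-10}")"
```

A consistent result on one host does not rule out the problem on another; run the check on the actual build agent that performs the push.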

Temporarily disable routing to a replication

To troubleshoot operations with a geo-replicated registry, you might want to temporarily disable Traffic Manager routing to one or more replications. Starting in Azure CLI version 2.8, you can configure a --region-endpoint-enabled option (preview) when you create or update a replicated region. When you set a replication's --region-endpoint-enabled option to false, Traffic Manager no longer routes docker push or pull requests to that region. By default, routing to all replications is enabled, and data synchronization across all replications takes place whether routing is enabled or disabled.

To disable routing to an existing replication, first run az acr replication list to list the replications in the registry. Then, run az acr replication update and set --region-endpoint-enabled false for a specific replication. For example, to configure the setting for the westus replication in myregistry:

# Show names of existing replications
az acr replication list --registry myregistry --output table

# Disable routing to the westus replication (data sync continues)
az acr replication update --name westus \
  --registry myregistry --resource-group MyResourceGroup \
  --region-endpoint-enabled false

To restore routing to the replication:

# Re-enable routing to the westus replication
az acr replication update --name westus \
  --registry myregistry --resource-group MyResourceGroup \
  --region-endpoint-enabled true

Next steps

Check out the three-part tutorial series, Geo-replication in Azure Container Registry. Walk through creating a geo-replicated registry, building a container, and then deploying it with a single docker push command to multiple regional Web Apps for Containers instances.