Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Azure Container Registry supports an IPv6 dual-stack endpoint protocol in preview. When the endpoint protocol of a registry is set to IPv4AndIPv6, the registry's endpoints are reachable over both IPv4 and IPv6, so clients on IPv4-only, dual-stack, and IPv6-capable networks can authenticate, push, and pull against the same registry.
Important
IPv6 dual-stack endpoints are currently in PREVIEW. This preview enables IPv6 for the registry's public endpoints only (the login server, dedicated data endpoints, and regional endpoints). IPv6 over private endpoints isn't supported yet and is planned for general availability; private endpoint traffic continues to use IPv4.
Why IPv6 dual-stack endpoints
Teams adopt IPv6 for their container registry traffic for several reasons:
- IPv6-only and dual-stack networks. Clients in networks that prefer or require IPv6 — including newer cloud network deployments, telco and IoT environments, and modernized corporate networks — need their container registry reachable over IPv6.
- Guarding against IPv4 address exhaustion. Organizations migrating toward IPv6 reduce their dependence on increasingly scarce IPv4 address space.
- Regulatory and organizational mandates. Some organizations operate under requirements to transition services and clients to IPv6.
The dual-stack model means you don't have to choose: the registry continues to serve IPv4 clients while also serving IPv6 clients.
Endpoint protocol values
The endpoint protocol is a registry-level setting with two values:
| Endpoint protocol | Behavior |
|---|---|
IPv4 (default) |
Registry endpoints are reachable over IPv4 only. |
IPv4AndIPv6 (preview) |
Registry endpoints are reachable over both IPv4 and IPv6 (dual stack). |
There's no IPv6-only mode. Dual stack preserves compatibility with existing IPv4 clients.
Prerequisites
- A registry in the Premium SKU.
- Dedicated data endpoints enabled on the registry. Setting the endpoint protocol to
IPv4AndIPv6requiresdataEndpointEnabledto betrue. This requirement is enforced by the service. - Azure CLI version 2.87.0 or later for
az acr update --endpoint-protocol. Runaz versionto check your version andaz upgradeto update.
Enable dual-stack endpoints on an existing registry
Enable dedicated data endpoints and set the endpoint protocol in a single update:
az acr update --name myregistry --data-endpoint-enabled true --endpoint-protocol IPv4AndIPv6
If dedicated data endpoints are already enabled on the registry, you can set the endpoint protocol on its own:
az acr update --name myregistry --endpoint-protocol IPv4AndIPv6
Verify the configuration:
az acr show --name myregistry --query "{endpointProtocol:endpointProtocol, dataEndpointEnabled:dataEndpointEnabled}"
Example output:
{
"dataEndpointEnabled": true,
"endpointProtocol": "IPv4AndIPv6"
}
Revert to IPv4-only endpoints
To revert the registry to IPv4-only endpoints:
az acr update --name myregistry --endpoint-protocol IPv4
Reverting the endpoint protocol doesn't disable dedicated data endpoints. To disable them as well, run az acr update --name myregistry --data-endpoint-enabled false after reverting the endpoint protocol to IPv4.
Firewall and network considerations
- FQDN-based firewall rules continue to work unchanged. Rules that allow the registry login server (
myregistry.azurecr.io), dedicated data endpoints (myregistry.<region>.data.azurecr.io), and regional endpoints (myregistry.<region>.geo.azurecr.io, if enabled) apply regardless of protocol. - IP-based allowlists need to account for IPv6. If your client firewall allows registry access by IP address ranges instead of FQDNs, IPv6 client traffic to the registry needs corresponding IPv6 rules.
- Dedicated data endpoints are part of the dual-stack model. Because dual stack requires dedicated data endpoints, layer blob downloads are served from
myregistry.<region>.data.azurecr.iorather than*.blob.core.windows.net. If you're enabling dedicated data endpoints for the first time as part of dual-stack adoption, review Dedicated data endpoints for the client firewall impact before enabling.
For more information, see Configure rules to access an Azure container registry behind a firewall.
Interactions with other registry features
| Feature | Interaction with IPv4AndIPv6 |
|---|---|
| Dedicated data endpoints | Required. The service rejects IPv4AndIPv6 unless dataEndpointEnabled is true. |
| SKU | Premium SKU is required, because dedicated data endpoints are a Premium feature. |
| Geo-replication | The endpoint protocol is a registry-level setting. In a geo-replicated registry, dedicated data endpoints exist in every replica region. |
| Private endpoints | The endpointProtocol setting applies to the registry's public endpoints. IPv6 over private endpoints isn't part of this preview; it's planned for general availability. |
Next steps
- Learn about dedicated data endpoints, the prerequisite for dual-stack endpoints.
- See the Azure Container Registry endpoint reference for all endpoint types, URL formats, and CLI flags.
- Review firewall access rules for clients behind a firewall.