Azure Container Registry service tiers
Azure Container Registry is available in multiple service tiers (also known as SKUs). These tiers provide predictable pricing and several options for aligning to the capacity and usage patterns of your private Docker registry in Azure.
|Basic||A cost-optimized entry point for developers learning about Azure Container Registry. Basic registries have the same programmatic capabilities as Standard and Premium (such as Azure Active Directory authentication integration, image deletion, and webhooks). However, the included storage and image throughput are most appropriate for lower usage scenarios.|
|Standard||Standard registries offer the same capabilities as Basic, with increased included storage and image throughput. Standard registries should satisfy the needs of most production scenarios.|
|Premium||Premium registries provide the highest amount of included storage and concurrent operations, enabling high-volume scenarios. In addition to higher image throughput, Premium adds features such as geo-replication for managing a single registry across multiple regions, content trust for image tag signing, private link with private endpoints to restrict access to the registry.|
The Basic, Standard, and Premium tiers all provide the same programmatic capabilities. They also all benefit from image storage managed entirely by Azure. Choosing a higher-level tier provides more performance and scale. With multiple service tiers, you can get started with Basic, then convert to Standard and Premium as your registry usage increases.
Service tier features and limits
The following table details the features and registry limits of the Basic, Standard, and Premium service tiers.
|Included storage1 (GiB)||10||100||500|
|Storage limit (TiB)||20||20||20|
|Maximum image layer size (GiB)||200||200||200|
|Maximum manifest size (MiB)||4||4||4|
|ReadOps per minute2, 3||1,000||3,000||10,000|
|WriteOps per minute2, 4||100||500||2,000|
|Download bandwidth2 (Mbps)||30||60||100|
|Upload bandwidth 2 (Mbps)||10||20||50|
|Private link with private endpoints||N/A||N/A||Supported|
|• Private endpoints||N/A||N/A||200|
|Public IP network rules||N/A||N/A||100|
|Service endpoint VNet access||N/A||N/A||Preview|
|• Virtual network rules||N/A||N/A||100|
|• Scope maps||N/A||N/A||20,000|
|• Repositories per scope map5||N/A||N/A||500|
|Anonymous pull access||N/A||Preview||Preview|
1 Storage included in the daily rate for each tier. Additional storage may be used, up to the registry storage limit, at an additional daily rate per GiB. For rate information, see Azure Container Registry pricing. If you need storage beyond the registry storage limit, please contact Azure Support.
2ReadOps, WriteOps, and Bandwidth are minimum estimates. Azure Container Registry strives to improve performance as usage requires. Both resources, ACR, and the device must be in the same region to achieve a fast download speed.
3A docker pull translates to multiple read operations based on the number of layers in the image, plus the manifest retrieval.
4A docker push translates to multiple write operations, based on the number of layers that must be pushed. A
docker push includes ReadOps to retrieve a manifest for an existing image.
5 Individual actions of
metadata/write corresponds to the limit of Repositories per scope map.
Registry throughput and throttling
When generating a high rate of registry operations, use the service tier's limits for read and write operations and bandwidth as a guide for expected maximum throughput. These limits affect data-plane operations including listing, deleting, pushing, and pulling images and other artifacts.
To estimate the throughput of image pulls and pushes specifically, consider the registry limits and these factors:
- Number and size of image layers
- Reuse of layers or base images across images
- additional API calls that might be required for each pull or push
For details, see documentation for the Docker HTTP API V2.
When evaluating or troubleshooting registry throughput, also consider the configuration of your client environment:
- your Docker daemon configuration for concurrent operations
- your network connection to the registry's data endpoint (or endpoints, if your registry is geo-replicated).
If you experience issues with throughput to your registry, see Troubleshoot registry performance.
Pushing a single 133 MB
nginx:latest image to an Azure container registry requires multiple read and write operations for the image's five layers:
- Read operations to read the image manifest, if it exists in the registry
- Write operations to write the configuration blob of the image
- Write operations to write the image manifest
You may experience throttling of pull or push operations when the registry determines the rate of requests exceeds the limits allowed for the registry's service tier. You may see an HTTP 429 error similar to
Too many requests.
Throttling could occur temporarily when you generate a burst of image pull or push operations in a very short period, even when the average rate of read and write operations is within registry limits. You may need to implement retry logic with some backoff in your code or reduce the maximum rate of requests to the registry.
Show registry usage
Use the az acr show-usage command in the Azure CLI, Get-AzContainerRegistryUsage in Azure PowerShell, or the List Usages REST API, to get a snapshot of your registry's current consumption of storage and other resources, compared with the limits for that registry's service tier. Storage usage also appears on the registry's Overview page in the portal.
The registry's storage usage should only be used as a guide and may not reflect recent registry operations. Monitor the registry's StorageUsed metric for up-to-date data.
Depending on your registry's service tier, usage information includes some or all of the following, along with the limit in that tier:
- Storage consumed in bytes1
- Number of webhooks
- Number of geo-replications (includes the home replica)
- Number of private endpoints
- Number of IP access rules
- Number of virtual network rules
1In a geo-replicated registry, storage usage is shown for the home region. Multiply by the number of replications for total storage consumed.
You can change a registry's service tier with the Azure CLI or in the Azure portal. You can move freely between tiers as long as the tier you're switching to has the required maximum storage capacity.
There is no registry downtime or impact on registry operations when you move between service tiers.
To move between service tiers in the Azure CLI, use the az acr update command. For example, to switch to Premium:
az acr update --name myContainerRegistry --sku Premium
To move between service tiers in Azure PowerShell, use the Update-AzContainerRegistry cmdlet. For example, to switch to Premium:
Update-AzContainerRegistry -ResourceGroupName myResourceGroup -Name myContainerRegistry -Sku Premium
In the container registry Overview in the Azure portal, select Update, then select a new SKU from the SKU drop-down.
For pricing information on each of the Azure Container Registry service tiers, see Container Registry pricing.
For details about pricing for data transfers, see Bandwidth Pricing Details.
Azure Container Registry Roadmap
Visit the ACR Roadmap on GitHub to find information about upcoming features in the service.
Azure Container Registry UserVoice
Submit and vote on new feature suggestions in ACR UserVoice.