แก้ไข

แชร์ผ่าน


Share images using a community gallery

To share a gallery with all Azure users, you can create a community gallery. Community galleries can be used by anyone with an Azure subscription. Someone creating a VM can browse images shared with the community using the portal, REST, or the Azure CLI.

Sharing images to the community is a new capability in Azure Compute Gallery. You can make your image galleries public, and share them to all Azure customers. When a gallery is marked as a community gallery, all images under the gallery become available to all Azure customers as a new resource type under Microsoft.Compute/communityGalleries. All Azure customers can see the galleries and use them to create VMs. Your original resources of the type Microsoft.Compute/galleries are still under your subscription, and private.

Important

Microsoft does not provide support for Community Images and customers should contact the Image Publishers for any image related issues, however Microsoft will provide commercially reasonable support to isolate any platform issue when using Community image. Customers can find the publisher contact by querying the image.

There are three main ways to share images in an Azure Compute Gallery, depending on who you want to share with:

Sharing with: People Groups Service Principal All users in a specific subscription (or) tenant Publicly with all users in Azure
RBAC Sharing Yes Yes Yes No No
RBAC + Direct shared gallery Yes Yes Yes Yes No
RBAC + Community gallery Yes Yes Yes No Yes

Note

Please note that Images can be used with read permissions on them to deploy virtual machines and disks.

When utilizing the direct shared gallery, images are distributed widely to all users in a subscription/tenant, while the community gallery distributes images publicly. It is recommended to exercise caution when sharing images that contain intellectual property to prevent widespread distribution.

Disclaimer

Community images and associated publisher information aren't verified or tested by Microsoft. You're solely responsible for any Community image you deploy or use. You're responsible for your dealings with the publishers of images. For approved operating system base images, see: approved base images. For other images created by our verified publishers, see Azure Marketplace.

Limitations for images shared to the community

There are some limitations for sharing your gallery to the community:

  • You can't convert an existing private gallery(RBAC enabled gallery) to Community gallery.
  • You can't use a third party image from Marketplace and publish it to the community. For a list of approved operating system base images, please see: approved base images.
  • Encrypted images are not supported
  • Not available in Government clouds
  • Image resources need to be created in the same region as the gallery. For example, if you create a gallery in West US, the image definitions and image versions should be created in West US if you want to make them available.
  • You can't share VM Applications to the community yet.

How sharing with the community works

You create a gallery resource under Microsoft.Compute/Galleries and choose community as a sharing option.

When you're ready, you flag your gallery as ready to be shared publicly. Only the owner of a subscription, or a user or service principal with the Compute Gallery Sharing Admin role at the subscription or gallery level, can enable a gallery to go public to the community. At this point, the Azure infrastructure creates proxy read-only regional resources, under Microsoft.Compute/CommunityGalleries, which are public.

The end-users can only interact with the proxy resources, they never interact with your private resources. As the publisher of the private resource, you should consider the private resource as your handle to the public proxy resources. The prefix you provide when you create the gallery is used, along with a unique GUID, to create the public facing name for your gallery.

Azure users can see the latest image versions shared to the community in the portal, or query for them using the CLI. Only the latest version of an image is listed in the community gallery.

When creating a community gallery, you will need to provide contact information for your images. The objective and underlying intention of this information is to facilitate communication between the consumer of the image and the publisher, like if the consumer needs assistance. Microsoft doesn't offer support for these images. This information will be shown publicly, so be careful when providing it:

  • Community gallery prefix
  • Publisher support email
  • Publisher URL
  • Legal agreement URL (Do not put secrets, passwords, SASURI etc. in legal agreement URL field)

Information from your image definitions will also be publicly available, like what you provide for Publisher, Offer, and SKU.

Warning

If you want to stop sharing a gallery publicly, you can update the gallery to stop sharing, but making the gallery private will prevent existing virtual machine scale set users from scaling their resources.

When to publish to Azure Marketplace?

  • Publisher has signed Marketplace terms
  • Publish commercial images
  • Publish a stable version (or) major release

When to publish to Community Gallery:

  • Publisher cannot sign Marketplace terms and still want to share their image publicly on Azure
  • Publish non-commercial image
  • Publish daily/nightly builds

As a consumer of images, how to choose between Azure Marketplace images and Community images?

There are a variety of reasons why you might want to use an Azure Marketplace image instead of a community gallery image. The primary reason to choose an Azure Marketplace image is that they're supported by Microsoft, while community images aren't

When to use an Azure Marketplace Images?

  • You want to use Microsoft certified images
  • Use for production workloads
  • First party and third party images
  • Paid images with additional software offerings
  • Supported by Microsoft

When to use a Community Images?

  • You're looking for a community version of an image published by open-source community
  • You trust and know how to contact the publisher
  • Using the image for testing
  • Community images are free
  • Supported by the owner of the image, not Microsoft.

Reporting issues with a community image

Using community-submitted virtual machine images has several risks. Images could contain malware, security vulnerabilities, or violate someone's intellectual property. To help create a secure and reliable experience for the community, you can report images when you see these issues.

The easiest way to report issues with a community gallery is to use the portal, which will pre-fill information for the report:

  • For issues with links or other information in the fields of an image definition, select Report community image.
  • If an image version contains malicious code or there are other issues with a specific version of an image, select Report under the Report version column in the table of image versions.

You can also use the following links to report issues, but the forms won't be pre-filled:

Best practices

  • Images published to the community gallery should be generalized images that have had sensitive or machine specific information removed. For more information about preparing an image, see the OS specific information for Linux or Windows.
  • If you would like to block sharing images to Community at the organization level, create an Azure policy with the following policy rule to deny sharing to Community.
  "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/galleries"
          },
          {
            "field": "Microsoft.Compute/galleries/sharingProfile.permissions",
            "equals": "Community"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }

FAQ

Q: What are the charges for using a gallery that is shared to the community?

A: There are no charges for using the service itself. However, content publishers would be charged for the following:

  • Storage charges for application versions and replicas in each of the regions (source and target). These charges are based on the storage account type chosen.
  • Network egress charges for replication across regions.

Consumers of the image may have to pay additional software cost if the base image is using an Azure marketplace image with software charges.

Q: Is it safe to use images shared to the community?

A: Users should exercise caution while using images from non-verified sources, since these images aren't subject to certification and not scanned for malware/vulnerabilities and publisher details aren't verified.

Q: If an image that is shared to the community doesn’t work, who do I contact for support?

A: Azure isn't responsible for any issues users might encounter with community-shared images. The support is provided by the image publisher. Look up the publisher contact information for the image and reach out to them for any support.

Q: Is Community gallery sharing functionality part of Azure Marketplace?

A: No, Community gallery sharing isn't part of Azure Marketplace, it's a feature of 'Azure Compute Gallery'. Anyone with an Azure subscription can use 'Community gallery' and make their images public.

Q: I have concerns about an image, who do I contact?

A: For issues with images shared to the community:

Q: How do I request that an image shared to the community be replicated to a specific region?

A: Only the content publishers have control over the regions their images are available in. If you don’t find an image in a specific region, reach out to the publisher directly.

Start sharing publicly

In order to share a gallery publicly, it needs to be created as a community gallery. For more information, see Create a community gallery

Once you're ready to make the gallery available to the public, enable the community gallery using az sig share enable-community. Only a user in the Owner role definition can enable a gallery for community sharing.

az sig share enable-community \
   --gallery-name $galleryName \
   --resource-group $resourceGroup 

To go back to only RBAC based sharing, use the az sig share reset command.

To delete a gallery shared to community, you must first run az sig share reset to stop sharing, then delete the gallery.

Important

If you are listed as the owner of your subscription, but you are having trouble sharing the gallery publicly, you may need to explicitly add yourself as owner again.

To go back to only RBAC based sharing, use the az sig share reset command.

To delete a gallery shared to community, you must first run az sig share reset to stop sharing, then delete the gallery.

Next steps

Create an image definition and an image version.

Create a VM from a generalized or specialized image in a community gallery.