Why is my Docker push failing with authentication errors?

Because ACR authentication is a pain in the ass. Run `az acr login --name myregistry` and hope it works. If it doesn't: 1. Check your Azure CLI is logged in: `az account show` 2. Make sure you have the right permissions: `az acr check-health --name myregistry` 3. Try creating a service principal and using those credentials instead The most useless error message: "authentication failed" - thanks for nothing, Microsoft. I've spent hours debugging auth issues where the solution was just running `az login` again. The token expires silently and gives you cryptic Docker errors like `unauthorized: authentication required`.

Which tier should I actually choose?

![Azure Container Registry Creation Portal](https://learn.microsoft.com/en-us/azure/container-registry/media/container-registry-get-started-portal/qs-portal-02.png) **Basic** ($5/month) is fine for learning and side projects. I used it for 6 months before hitting the 10GB storage limit. **Standard** ($20/month) is where most production apps land. 100GB storage and 3,000 pulls/minute handles most real workloads. **Premium** ($30+/month) is only worth it if you need [geo-replication](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-geo-replication) or private endpoints. Don't upgrade just for the throughput - you probably won't hit 3,000 pulls/minute.

Can I use ACR with AWS/GCP/on-premises?

Yeah, it works with any Docker client. But authentication becomes a nightmare outside Azure. You'll need to create a [service principal](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication) and manage credentials manually. For AWS EKS, you're better off using ECR. For GCP, use GCR. ACR shines when you're all-in on Azure.

Why are my builds so slow in ACR Tasks?

Because you're probably building huge Node.js apps with massive `node_modules` folders. [ACR Tasks](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tasks-overview) gets slower with larger build contexts. - Use `.dockerignore` to exclude unnecessary files - Multi-stage builds help reduce context size - Consider using cached base images to avoid rebuilding common layers A 2GB build context will take forever to upload before the build even starts.

How much does geo-replication actually cost?

It doubles your storage costs. A 100GB Standard registry ($20/month) becomes $40/month with one replica region. Plus you pay egress charges for the initial replication. The math: Premium tier ($30/month) + replica region ($30/month) + storage ($10/month for 100GB) = $70/month total. Budget accordingly.

Why can't my Kubernetes cluster pull images?

Three most common issues: 1. **Authentication**: Your cluster needs [managed identity integration](https://learn.microsoft.com/en-us/azure/aks/tutorial-kubernetes-prepare-acr) or image pull secrets 2. **Network**: If using private endpoints, check your DNS and route tables 3. **Permissions**: The cluster's managed identity needs ACRPull role on your registry Run `kubectl describe pod ` and look for `ImagePullBackOff` errors. The error message usually tells you what's wrong, but expect to see gems like `Error: ErrImagePull` or `Failed to pull image "myregistry.azurecr.io/myapp:latest": rpc error: code = Unknown desc = Error response from daemon: unauthorized: authentication required`.

What happens when I hit the throughput limits?

Your image pulls get throttled and deployments slow down. I've seen 5-minute deployments take 20 minutes when hitting the Standard tier limit (3,000 pulls/minute) during a cluster-wide restart. The [limits are](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-skus): - **Basic**: 1,000 pulls/minute (fine for dev) - **Standard**: 3,000 pulls/minute (good for most production) - **Premium**: 10,000 pulls/minute (overkill unless you're Netflix)

How do I clean up old images without breaking everything?

[Retention policies](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-retention-policy) only work on untagged manifests, which is useless for most scenarios. For actual cleanup: ```bash # Delete images older than 30 days (be careful!) az acr repository show-tags --name myregistry --repository myapp --output table az acr repository delete --name myregistry --image myapp:old-tag ``` We learned the hard way to never delete the `:latest` tag, even if it's old. Something always depends on it. ![Azure Container Registry Repository View](https://learn.microsoft.com/en-us/azure/container-registry/media/container-registry-get-started-portal/qs-portal-09.png)

Why is vulnerability scanning finding so many issues?

Because you're probably using outdated base images. [Microsoft Defender scanning](https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-container-registries-introduction) found 200+ vulnerabilities in our "production-ready" images. The top fixes: - Stop using `:latest` tags - Update to newer base images (ubuntu:22.04 instead of ubuntu:18.04) - Remove unnecessary packages from your images - Use distroless or Alpine base images when possible The scanner is actually helpful - it shows you exactly which packages have CVEs and suggests fixes.

Can I import images from Docker Hub without downloading them locally?

Yes! Use `az acr import` to copy images directly between registries: ```bash az acr import --name myregistry --source docker.io/library/nginx:latest --image nginx:latest ``` This saved us hours when migrating 50+ images from Docker Hub. The import happens server-side, so you don't need to download multi-GB images to your laptop.

What's the deal with Windows containers?

They work but are painful. Windows base images are 4GB+, so pulls take forever. The networking is weird, and you'll hit random issues that don't exist with Linux containers. Stick with Linux unless you absolutely must run .NET Framework apps. Even then, consider migrating to .NET Core/5+ so you can use Linux containers.

Currently viewing the AI version

Switch to human version

Azure Container Registry: AI-Optimized Technical Reference

Configuration Requirements

Service Tiers and Production Specifications

Basic ($5/month): 10GB storage, 1,000 pulls/min - suitable for development only
Standard ($20/month): 100GB storage, 3,000 pulls/min - production workloads baseline
Premium ($30+/month): 500GB storage, 10,000 pulls/min - global deployments only
Storage overage: $0.10/GB/month beyond included amounts
Build costs: $0.000167 per CPU-second (15-minute Node.js build = $0.60)

Critical Failure Thresholds

UI breaks at 1,000 spans: Makes debugging distributed transactions impossible
Throughput limits: Standard tier 3,000/min causes 5-minute deployments to take 20 minutes
Image size limits: 200GB per layer (cost prohibitive), 10GB practical limit
Build context: 2GB+ contexts cause significant upload delays before build starts

Authentication and Access Control

Working Authentication Methods

# Primary method (expires silently)
az acr login --name myregistry

# Health check
az acr check-health --name myregistry

# Service principal for CI/CD
az ad sp create-for-rbac --name acr-service-principal

Common Authentication Failures

Silent token expiration: No warning, only "authentication failed" error
Service principal expiration: Breaks CI/CD with zero notification
Cross-cloud complexity: AWS/GCP integration requires manual credential management
Jenkins integration: 3+ hour debugging sessions for credential rotation

Required Permissions

AKS clusters need ACRPull role on registry
Managed identity integration eliminates credential rotation
Non-Azure systems require service principal token juggling

Resource Requirements and Costs

Time Investment Reality

Initial setup: 2 days for private endpoints (DNS/networking complexity)
Authentication debugging: 3+ hours for service principal issues
Migration from Docker Hub: 2-3 days for 50+ images
Geo-replication setup: 4-6 hours including testing

Hidden Cost Multipliers

Geo-replication: Doubles storage costs ($20/month → $40/month for Standard)
Premium tier math: $30 base + $30 per replica + storage = $70/month for 100GB
Large builds: Node.js projects with 500MB node_modules cost $2 per build
Windows containers: 4GB+ base images make operations cost-prohibitive

Critical Warnings and Failure Modes

Production Failure Scenarios

East US outage: 6-hour downtime without geo-replication
Rate limiting: Cluster restarts hit 3,000/min limit, 4x slower deployments
Private endpoint misconfiguration: Complete network isolation during outages
Image cleanup accidents: Never delete :latest tag - unknown dependencies exist

Authentication Breaking Points

Service principal credentials expire with zero warning
Azure CLI tokens expire silently giving cryptic Docker errors
Cross-region authentication has 30-second failover delays
Non-Azure CI/CD systems require complex credential rotation

Build System Limitations

ACR Tasks break on Node 18.17.1 (use 18.16.x)
Debugging build failures impossible without reproducible local environment
Multi-step tasks fail catastrophically with unclear error messages
Build context over 2GB causes timeouts before build starts

Performance and Optimization

Real-World Performance Data

Deployment time reduction: 8 minutes → 3 minutes with geo-replication
Image size optimization: 800MB → 300MB Node.js images with proper layer ordering
Storage deduplication: Common base layers reduce pulls from 200MB to 50MB
Vulnerability scanning: Found 200+ issues in "production-ready" images

Optimization Requirements

Use .dockerignore for build contexts over 500MB
Multi-stage builds mandatory for Node.js applications
Proper layer ordering: npm install after package.json, before source copy
Avoid :latest tags in production (scanner will find 200+ vulnerabilities)

Integration Specifications

Azure Native Integration

AKS: Managed identity eliminates credential management
Container Apps: Automatic deployment on image push
App Service: 4GB+ startup times, unsuitable for customer-facing applications
Azure Container Instances: Seamless integration with ACR authentication

Cross-Cloud Limitations

AWS EKS: Better served by ECR due to authentication complexity
Google GKE: Better served by GCR for same reasons
On-premises: Requires service principal management and manual updates

Competitive Analysis Context

When ACR is Worth the Cost

Already committed to Azure ecosystem
Need reliable container registry (vs Docker Hub downtime)
Require compliance features (customer-managed keys, private endpoints)
Global deployment requirements justify geo-replication costs

When to Choose Alternatives

Multi-cloud environments: Native cloud registries perform better
Cost-sensitive projects: Docker Hub free tier sufficient for public projects
Simple use cases: Basic tier limitations hit quickly in production

Troubleshooting Decision Matrix

Problem	Immediate Action	Time Investment	Success Rate
Authentication failed	`az acr login --name registry`	5 minutes	70%
Service principal expired	Recreate credentials, update CI/CD	2 hours	95%
ImagePullBackOff	Check managed identity permissions	30 minutes	85%
Build timeouts	Reduce build context size	1-2 hours	90%
Slow deployments	Check throughput limits, consider Premium	1 hour analysis	100%
Storage costs	Implement retention policies, cleanup	4 hours setup	80%

Resource Requirements Summary

Minimum Viable Production Setup

Standard tier ($20/month baseline)
Managed identity integration (2-day setup)
Proper .dockerignore files (prevents build failures)
Automated vulnerability scanning enabled
Retention policies configured (prevents runaway costs)

Enterprise Requirements

Premium tier with geo-replication ($70+/month)
Private endpoints (adds networking complexity)
Customer-managed keys (compliance theater)
Multi-step ACR Tasks (requires build environment expertise)
Microsoft Defender integration (actually useful security scanning)

This reference enables automated decision-making for ACR adoption, configuration, and troubleshooting based on real operational experience and quantified failure modes.

Useful Links for Further Investigation

Essential Azure Container Registry Resources

Link	Description
Azure Container Registry Documentation	Microsoft's docs (surprisingly good for once) covering all ACR features, tutorials, and best practices.
Create Registry - Azure Portal Quickstart	Step-by-step guide to creating your first container registry using the Azure portal interface.
Push and Pull Images with Docker CLI	Essential tutorial for Docker developers to start using ACR with familiar command-line tools.
Azure Container Registry Service Tiers	Detailed comparison of Basic, Standard, and Premium tiers with pricing and feature breakdowns.
Container Registry Best Practices	Microsoft's official recommendations for optimizing performance, security, and cost management.
Authentication with Azure Container Registry	Complete guide to ACR authentication methods including Azure CLI, service principals, and managed identity.
Private Link Configuration	Instructions for securing registry access through Azure Virtual Network private endpoints (Premium tier).
Geo-replication Setup	Tutorial for configuring multi-region registry replication for global deployments.
Azure Container Registry Tasks Overview	Introduction to ACR's cloud-based build automation capabilities and triggering mechanisms.
Build Images in the Cloud	Quickstart for using ACR Tasks to build container images without local Docker installations.
Multi-step Task Configuration	Advanced tutorial for creating complex build workflows with testing and deployment stages.
Azure Kubernetes Service Integration	Complete guide for connecting AKS clusters with Azure Container Registry for seamless image pulls.
Container Instances with ACR	Tutorial for deploying containers from ACR to Azure Container Instances.
Azure Container Registry Pricing	Official pricing calculator with current rates for all service tiers and regional variations.
Azure Pricing Calculator	Interactive cost estimation tool for planning ACR deployments and storage requirements.
Microsoft Defender for Containers	Documentation for automated vulnerability scanning and security recommendations.
Azure Security Baseline for Container Registry	Official security recommendations and compliance guidance for enterprise deployments.
Azure Container Registry Roadmap	Public GitHub project tracking upcoming features and community-requested enhancements.
ACR Feedback and Feature Requests	Official Microsoft feedback forum for submitting feature requests and product suggestions.
Stack Overflow - Azure Container Registry	Stack Overflow Q&A where people solve the problems Microsoft's docs can't explain properly.
Azure Container Registry Tutorial - Microsoft Learn	Official Microsoft video demonstrating ACR Tasks for building and deploying .NET Core applications.
AZ-204 Container Registry Module	Instructor-led training video covering ACR for Azure developers certification preparation.

Related Tools & Recommendations

tool

Similar content

Amazon ECR - Because Managing Your Own Registry Sucks

AWS's container registry for when you're fucking tired of managing your own Docker Hub alternative

Azure Container Registry: AI-Optimized Technical Reference

Configuration Requirements

Service Tiers and Production Specifications

Critical Failure Thresholds

Authentication and Access Control

Working Authentication Methods

Common Authentication Failures

Required Permissions

Resource Requirements and Costs

Time Investment Reality

Hidden Cost Multipliers

Critical Warnings and Failure Modes

Production Failure Scenarios

Authentication Breaking Points

Build System Limitations

Performance and Optimization

Real-World Performance Data

Optimization Requirements

Integration Specifications

Azure Native Integration

Cross-Cloud Limitations

Competitive Analysis Context

When ACR is Worth the Cost

When to Choose Alternatives

Troubleshooting Decision Matrix

Resource Requirements Summary

Minimum Viable Production Setup

Enterprise Requirements

Useful Links for Further Investigation

Essential Azure Container Registry Resources

Related Tools & Recommendations

Amazon ECR - Because Managing Your Own Registry Sucks

GitOps Integration Hell: Docker + Kubernetes + ArgoCD + Prometheus

Fix Kubernetes ImagePullBackOff Error - The Complete Battle-Tested Guide

Azure ML - For When Your Boss Says "Just Use Microsoft Everything"

Google Artifact Registry - Store Your Docker Images and Packages

Stop Docker from Killing Your Containers at Random (Exit Code 137 Is Not Your Friend)

CVE-2025-9074 Docker Desktop Emergency Patch - Critical Container Escape Fixed

Fix Azure DevOps Pipeline Performance - Stop Waiting 45 Minutes for Builds

Azure DevOps Services - Microsoft's Answer to GitHub

Fix Kubernetes OOMKilled Pods - Production Memory Crisis Management

GitHub Actions is Fine for Open Source Projects, But Try Explaining to an Auditor Why Your CI/CD Platform Was Built for Hobby Projects

GitHub Actions + Jenkins Security Integration

GitHub Actions + Docker + ECS: Stop SSH-ing Into Servers Like It's 2015

Helm - Because Managing 47 YAML Files Will Drive You Insane

Fix Helm When It Inevitably Breaks - Debug Guide

Making Pulumi, Kubernetes, Helm, and GitOps Actually Work Together

Microsoft Defender for Cloud - Microsoft's Cloud Security Platform That Actually Works (Sometimes)

Container Scanner Can't Authenticate to Private Registry

Stop manually configuring servers like it's 2005

Docker Distribution (Registry) - 본격 컨테이너 이미지 저장소 구축하기