Skip to main content
Back to the Azure Footguns Database
SecurityMediumCommonAZF-0066

A container registry with public network access enabled exposes your image supply chain to the internet

The registry that feeds your production clusters accepts connections from any internet address. Authentication becomes the only barrier between the world and the images everything runs on.

Footgun ID
AZF-0066 (Azure Footgun No. 66)
Azure service
Azure Container Registry
Resource type
Microsoft.ContainerRegistry/registries
Updated
July 9, 2026

What it is

An Azure Container Registry whose publicNetworkAccess property is set to Enabled, so its login server answers connections from any network on the internet. A container registry is upstream of everything that runs: the clusters, app services, and functions that pull from it will execute whatever it serves. When the endpoint is public, the only things standing between the internet and that supply chain are credentials.

Impact (security)
Registry endpoint reachable from any address on the public internet
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Public is the default. A registry created through the portal, CLI, or a plain template comes up with public network access enabled, and nothing about day-to-day pushes and pulls ever prompts you to revisit it.

The path to fixing it has friction, which is why the default survives. Restricting network access on ACR, whether with network rules or a private endpoint, requires the Premium SKU, so a registry created on Basic or Standard has no network restriction option at all short of an upgrade. And the everyday consumers of a registry are often outside your VNets anyway: hosted CI runners, developer laptops, external build agents. Leaving the endpoint public is the configuration that makes all of them work without further thought.

One more trap mirrors Azure Storage: adding a private endpoint does not close the public one. publicNetworkAccess is an independent switch, and it stays Enabled until someone explicitly turns it off.

What it costs / blast radius

The blast radius is your software supply chain. A public registry endpoint means anyone on the internet can attempt to authenticate against the front door of the system that decides what your clusters run. By itself that is exposure, not compromise: credentials are still required. But it converts every credential weakness from an internal problem into an internet-facing one. A leaked admin password or over-scoped token is now usable from anywhere, for pulls that copy your proprietary images out and, worse, for pushes that put someone else's image behind a tag your clusters trust. Combined with the admin user (AZF-0067) or anonymous pull (AZF-0068), the public endpoint stops being a locked door and becomes an open one. (This is an exposure assessment based on Azure behavior, not a measured breach probability.)

See it

Footgun: registry endpoint reachable from any internet address
resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
  name: 'corpregistry'
  location: location
  sku: { name: 'Standard' }
  properties: {
    publicNetworkAccess: 'Enabled'   // the whole internet can reach the login server
  }
}
Fix: disable public network access (Premium SKU) and pull over a private endpoint
resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
  name: 'corpregistry'
  location: location
  sku: { name: 'Premium' }           // network restrictions require Premium
  properties: {
    publicNetworkAccess: 'Disabled'  // only private endpoints reach the registry
    networkRuleBypassOptions: 'AzureServices'  // keep trusted Azure services working
  }
}
// Then add a Microsoft.Network/privateEndpoints resource targeting this
// registry so your clusters and build agents pull over Private Link.

How StratoLens helps

StratoLens checks the network posture of every container registry across every subscription, continuously and inside your own tenant, and flags the ones answering to the open internet. A registry that quietly shipped with the public default, or drifted back to it, shows up without anyone scheduling an audit.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.