What it is
An Azure Container Registry whose publicNetworkAccess property is set to Enabled, so its login server answers connections from any network on the internet. A container registry is upstream of everything that runs: the clusters, app services, and functions that pull from it will execute whatever it serves. When the endpoint is public, the only things standing between the internet and that supply chain are credentials.
Why it happens
Public is the default. A registry created through the portal, CLI, or a plain template comes up with public network access enabled, and nothing about day-to-day pushes and pulls ever prompts you to revisit it.
The path to fixing it has friction, which is why the default survives. Restricting network access on ACR, whether with network rules or a private endpoint, requires the Premium SKU, so a registry created on Basic or Standard has no network restriction option at all short of an upgrade. And the everyday consumers of a registry are often outside your VNets anyway: hosted CI runners, developer laptops, external build agents. Leaving the endpoint public is the configuration that makes all of them work without further thought.
One more trap mirrors Azure Storage: adding a private endpoint does not close the public one. publicNetworkAccess is an independent switch, and it stays Enabled until someone explicitly turns it off.
What it costs / blast radius
The blast radius is your software supply chain. A public registry endpoint means anyone on the internet can attempt to authenticate against the front door of the system that decides what your clusters run. By itself that is exposure, not compromise: credentials are still required. But it converts every credential weakness from an internal problem into an internet-facing one. A leaked admin password or over-scoped token is now usable from anywhere, for pulls that copy your proprietary images out and, worse, for pushes that put someone else's image behind a tag your clusters trust. Combined with the admin user (AZF-0067) or anonymous pull (AZF-0068), the public endpoint stops being a locked door and becomes an open one. (This is an exposure assessment based on Azure behavior, not a measured breach probability.)
See it
resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
name: 'corpregistry'
location: location
sku: { name: 'Standard' }
properties: {
publicNetworkAccess: 'Enabled' // the whole internet can reach the login server
}
}resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
name: 'corpregistry'
location: location
sku: { name: 'Premium' } // network restrictions require Premium
properties: {
publicNetworkAccess: 'Disabled' // only private endpoints reach the registry
networkRuleBypassOptions: 'AzureServices' // keep trusted Azure services working
}
}
// Then add a Microsoft.Network/privateEndpoints resource targeting this
// registry so your clusters and build agents pull over Private Link.How StratoLens helps
StratoLens checks the network posture of every container registry across every subscription, continuously and inside your own tenant, and flags the ones answering to the open internet. A registry that quietly shipped with the public default, or drifted back to it, shows up without anyone scheduling an audit.