Azure Container Registry service tiers

Azure Container Registry is available in multiple service tiers (also known as SKUs). These tiers provide predictable pricing and several options for aligning to the capacity and usage patterns of your private Docker registry in Azure.

Tier Description
Basic A cost-optimized entry point for developers learning about Azure Container Registry. Basic registries have the same programmatic capabilities as Standard and Premium (such as Azure Active Directory authentication integration, image deletion, and webhooks). However, the included storage and image throughput are most appropriate for lower usage scenarios.
Standard Standard registries offer the same capabilities as Basic, with increased included storage and image throughput. Standard registries should satisfy the needs of most production scenarios.
Premium Premium registries provide the highest amount of included storage and concurrent operations, enabling high-volume scenarios. In addition to higher image throughput, Premium adds features such as geo-replication for managing a single registry across multiple regions, content trust for image tag signing, private link with private endpoints to restrict access to the registry.

The Basic, Standard, and Premium tiers all provide the same programmatic capabilities. They also all benefit from image storage managed entirely by Azure. Choosing a higher-level tier provides more performance and scale. With multiple service tiers, you can get started with Basic, then convert to Standard and Premium as your registry usage increases.

Service tier features and limits

The following table details the features and registry limits of the Basic, Standard, and Premium service tiers.

Resource Basic Standard Premium
Included storage1 (GiB) 10 100 500
Storage limit (TiB) 20 20 20
Maximum image layer size (GiB) 200 200 200
Maximum manifest size (MiB) 4 4 4
ReadOps per minute2, 3 1,000 3,000 10,000
WriteOps per minute2, 4 100 500 2,000
Download bandwidth2 (Mbps) 30 60 100
Upload bandwidth 2 (Mbps) 10 20 50
Webhooks 2 10 500
Geo-replication N/A N/A Supported
Availability zones N/A N/A Supported
Content trust N/A N/A Supported
Private link with private endpoints N/A N/A Supported
• Private endpoints N/A N/A 200
Public IP network rules N/A N/A 100
Service endpoint VNet access N/A N/A Preview
• Virtual network rules N/A N/A 100
Customer-managed keys N/A N/A Supported
Repository-scoped permissions N/A N/A Preview
• Tokens N/A N/A 20,000
• Scope maps N/A N/A 20,000
• Repositories per scope map5 N/A N/A 500
Anonymous pull access N/A Preview Preview

1 Storage included in the daily rate for each tier. Additional storage may be used, up to the registry storage limit, at an additional daily rate per GiB. For rate information, see Azure Container Registry pricing. If you need storage beyond the registry storage limit, please contact Azure Support.

2ReadOps, WriteOps, and Bandwidth are minimum estimates. Azure Container Registry strives to improve performance as usage requires. Both resources, ACR, and the device must be in the same region to achieve a fast download speed.

3A docker pull translates to multiple read operations based on the number of layers in the image, plus the manifest retrieval.

4A docker push translates to multiple write operations, based on the number of layers that must be pushed. A docker push includes ReadOps to retrieve a manifest for an existing image.

5 Individual actions of content/delete, content/read, content/write, metadata/read, metadata/write corresponds to the limit of Repositories per scope map.

Registry throughput and throttling

Throughput

When generating a high rate of registry operations, use the service tier's limits for read and write operations and bandwidth as a guide for expected maximum throughput. These limits affect data-plane operations including listing, deleting, pushing, and pulling images and other artifacts.

To estimate the throughput of image pulls and pushes specifically, consider the registry limits and these factors:

  • Number and size of image layers
  • Reuse of layers or base images across images
  • additional API calls that might be required for each pull or push

For details, see documentation for the Docker HTTP API V2.

When evaluating or troubleshooting registry throughput, also consider the configuration of your client environment:

  • your Docker daemon configuration for concurrent operations
  • your network connection to the registry's data endpoint (or endpoints, if your registry is geo-replicated).

If you experience issues with throughput to your registry, see Troubleshoot registry performance.

Example

Pushing a single 133 MB nginx:latest image to an Azure container registry requires multiple read and write operations for the image's five layers:

  • Read operations to read the image manifest, if it exists in the registry
  • Write operations to write the configuration blob of the image
  • Write operations to write the image manifest

Throttling

You may experience throttling of pull or push operations when the registry determines the rate of requests exceeds the limits allowed for the registry's service tier. You may see an HTTP 429 error similar to Too many requests.

Throttling could occur temporarily when you generate a burst of image pull or push operations in a very short period, even when the average rate of read and write operations is within registry limits. You may need to implement retry logic with some backoff in your code or reduce the maximum rate of requests to the registry.

Show registry usage

Use the az acr show-usage command in the Azure CLI, Get-AzContainerRegistryUsage in Azure PowerShell, or the List Usages REST API, to get a snapshot of your registry's current consumption of storage and other resources, compared with the limits for that registry's service tier. Storage usage also appears on the registry's Overview page in the portal.

Usage information helps you make decisions about changing the service tier when your registry nears a limit. This information also helps you manage consumption.

Note

The registry's storage usage should only be used as a guide and may not reflect recent registry operations. Monitor the registry's StorageUsed metric for up-to-date data.

Depending on your registry's service tier, usage information includes some or all of the following, along with the limit in that tier:

1In a geo-replicated registry, storage usage is shown for the home region. Multiply by the number of replications for total storage consumed.

Changing tiers

You can change a registry's service tier with the Azure CLI or in the Azure portal. You can move freely between tiers as long as the tier you're switching to has the required maximum storage capacity.

There is no registry downtime or impact on registry operations when you move between service tiers.

Azure CLI

To move between service tiers in the Azure CLI, use the az acr update command. For example, to switch to Premium:

az acr update --name myContainerRegistry --sku Premium

Azure PowerShell

To move between service tiers in Azure PowerShell, use the Update-AzContainerRegistry cmdlet. For example, to switch to Premium:

Update-AzContainerRegistry -ResourceGroupName myResourceGroup -Name myContainerRegistry -Sku Premium

Azure portal

In the container registry Overview in the Azure portal, select Update, then select a new SKU from the SKU drop-down.

Update container registry SKU in Azure portal

Pricing

For pricing information on each of the Azure Container Registry service tiers, see Container Registry pricing.

For details about pricing for data transfers, see Bandwidth Pricing Details.

Next steps

Azure Container Registry Roadmap

Visit the ACR Roadmap on GitHub to find information about upcoming features in the service.

Azure Container Registry UserVoice

Submit and vote on new feature suggestions in ACR UserVoice.