Azure Container Registry (ACR)
Azure Container Registry (ACR) is a managed private registry service, based on the open-source Docker platform, for storing container images and OCI artifacts, with Microsoft Entra ID integration for authentication.
ACR comes in three service tiers:
| SKU | Key Features | Geo-Replication |
|---|---|---|
| Basic | Dev/test, limited storage and throughput | No |
| Standard | Most production scenarios | No |
| Premium | Geo-replication, private endpoints via Private Link, highest throughput | Yes (Premium only) |
Geo-replication replicates a single ACR registry across multiple Azure regions (Premium tier only), enabling low-latency image pulls from nearby regions.
Azure Container Instances (ACI)
Azure Container Instances (ACI) is a serverless, on-demand container offering that runs a single container or container group (the equivalent of a pod) using Hyper-V isolation, ideal for simple, short-lived, or burst workloads. It does NOT provide built-in autoscaling, load balancing, or ingress management.
To scale ACI workloads, you must create multiple separate ACI resources — there is no automatic scale-out.
Azure Container Apps
Azure Container Apps is a fully managed serverless platform built on Kubernetes (KEDA + Dapr + Envoy), supporting revisions (immutable snapshots), traffic splitting for blue/green or A/B deployments, built-in HTTPS ingress, and KEDA-powered autoscale that can scale to zero.
Container Apps abstracts Kubernetes API management entirely — unlike AKS, no direct kubectl access is provided.
ACR vs. ACI vs. Container Apps
| Feature | ACI | Container Apps |
|---|---|---|
| Autoscale | No | Yes (KEDA, scale to zero) |
| Traffic splitting / A/B | No | Yes (revisions) |
| Dapr integration | No | Yes |
| Load balancing / ingress | No (manual) | Built-in HTTPS/TCP |
| Best for | Simple / burst tasks | Microservices, event-driven apps |
| Kubernetes API access | No | No (abstracted) |
ACR Authentication
ACR authentication uses Microsoft Entra ID (recommended) or an admin account (disabled by default). To pull from ACR into ACI or Container Apps, assign the AcrPull role, an Azure RBAC role that grants read-only access to pull container images from the registry, to the managed identity of the compute resource.
ACR Tier and Geo-Replication
Exam Trap
"ACR geo-replication is available in all three tiers." → Geo-replication is a Premium-only feature. Basic and Standard registries must be upgraded to Premium to gain geo-replication.
ACI Autoscale Limitations
Exam Trap
"ACI can automatically scale out when CPU usage is high." → ACI has no built-in autoscale. To scale an ACI workload you must create additional instances manually or use Container Apps, which supports KEDA-based autoscale.
Container Apps Revisions
Revisions are immutable snapshots of a Container App version; multiple revisions can run simultaneously with traffic split between them, enabling blue/green and A/B deployments with no forced downtime.
Exam Trap
"Deploying a new revision in Container Apps takes down the running app." → Revisions are immutable snapshots. A new revision can be deployed alongside the existing one, with traffic split between them — there is no forced downtime.
ACR Admin Account
Must Memorize
The ACR admin account is disabled by default and is not recommended for production. Microsoft Entra ID with managed identities or service principals is the recommended authentication approach.
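The ACR Authentication and ACR Admin Account notes above, combined into one CLI procedure for a Container App. This is an added example, not part of the original guide; the function name `grant_acr_pull` and all resource names are placeholders chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: let a Container App pull from ACR with its managed identity
# instead of the shared admin account. Names passed in are placeholders.

# grant_acr_pull REGISTRY RESOURCE_GROUP APP
grant_acr_pull() {
  local registry="$1" rg="$2" app="$3"
  local acr_id login_server principal_id admin

  # Resource ID of the registry: the narrowest useful scope for the role.
  acr_id=$(az acr show --name "$registry" --query id -o tsv) || return 1
  login_server=$(az acr show --name "$registry" --query loginServer -o tsv) || return 1

  # Enable the app's system-assigned identity and capture its principal ID.
  principal_id=$(az containerapp identity assign --name "$app" \
    --resource-group "$rg" --system-assigned --query principalId -o tsv) || return 1

  # Read-only pull rights on this one registry, not the whole subscription.
  az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role AcrPull --scope "$acr_id" >/dev/null || return 1

  # Have the app authenticate to the registry with that identity.
  az containerapp registry set --name "$app" --resource-group "$rg" \
    --server "$login_server" --identity system >/dev/null || return 1

  # Keep the admin credential off, then verify rather than assume.
  az acr update --name "$registry" --admin-enabled false >/dev/null || return 1
  admin=$(az acr show --name "$registry" --query adminUserEnabled -o tsv) || return 1
  if [ "$admin" != "false" ]; then
    echo "admin account still enabled on $registry" >&2
    return 1
  fi

  # Summary line: who got which role on what.
  echo "$principal_id AcrPull $acr_id"
}

# Usage (placeholder names):
#   grant_acr_pull myRegistry my-resource-group myapp
```

Role assignments can take a few minutes to propagate, so the first image pull after running this may fail briefly.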
ACI vs. Container Apps for Microservices
Exam Trap
"ACI and Container Apps are interchangeable for microservice deployments." → ACI is a low-level primitive without orchestration features. Container Apps is purpose-built for microservices with autoscale, Dapr, ingress, and traffic management. If you need direct Kubernetes API access, use AKS.
Create an Azure Container Registry
- Portal → Create a resource → search Container Registry
- Basics: Registry name (globally unique), Resource group, Location
- Pricing plan: Basic / Standard / Premium (for geo-replication or private endpoints)
- Review + create → Create
- After creation: Repositories blade to view pushed images; Replications blade (Premium) to add geo-replications
Push an Image to ACR (CLI)
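```bash
# Authenticate the local Docker client to the registry
az acr login --name myRegistry
# Tag the local image with the registry's login server, then push it
docker tag myapp myRegistry.azurecr.io/myapp:v1
docker push myRegistry.azurecr.io/myapp:v1

# Or build and push in one step
az acr build --registry myRegistry --image myapp:v1 .
```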
Provision a Container with ACI
- Portal → Create a resource → Container Instances
- Basics: Container name, Region, Image source (ACR, Docker Hub, other registry), Image, OS type
- Networking: Public IP / DNS label or private VNet
- Review + create → Create
- Container groups blade: view logs, exec into container, restart policy
Provision a Container with Container Apps
- Portal → Create a resource → Container App
- Create or select a Container Apps Environment (shared networking/logging boundary)
- Container: Image, CPU/memory, environment variables
- Scale tab: set min/max replicas; choose KEDA trigger (HTTP, Azure Service Bus, custom)
- Ingress: enable external HTTPS ingress if needed
- Review + create → Create
Configure Scaling in Container Apps
- Navigate to Container App → Scale and replicas blade
- Set minimum replicas (0 for scale-to-zero) and maximum replicas
- Add a scale rule: HTTP concurrency, Azure Queue message count, CPU/memory threshold, or custom KEDA scaler
AZ-104 Exam Focus
Exam Trap
"ACR geo-replication is available in all three tiers." → Geo-replication is a Premium-only feature. Basic and Standard registries must be upgraded to Premium.
Exam Trap
"ACI can automatically scale out when CPU usage is high." → ACI has no built-in autoscale. Use Container Apps for KEDA-based autoscale including scale-to-zero.
Exam Trap
"Container Apps gives you direct access to Kubernetes APIs." → Container Apps abstracts Kubernetes. If you need direct Kubernetes API access (kubectl), use Azure Kubernetes Service (AKS).
Exam Trap
"Deploying a new revision in Container Apps takes down the running app." → Revisions are immutable snapshots deployed alongside existing ones with traffic splitting — no forced downtime.
Exam Trap
"The ACR admin account is enabled by default and is the recommended authentication method." → The admin account is disabled by default and not recommended for production. Use Entra ID with managed identities.
Exam Tip
Use this decision tree: Need autoscale/events/microservices → Container Apps. Need simple one-off burst container → ACI. Need direct Kubernetes control → AKS.
Q: Which ACR tier is required to enable geo-replication across multiple regions?
Q: What is a 'revision' in Azure Container Apps?
Q: Can Azure Container Instances autoscale based on CPU usage?
Q: Which role should be assigned to a managed identity so it can pull images from ACR?
Q: Is the ACR admin account enabled or disabled by default?
Q: What Azure service should you use when you need direct Kubernetes API access (kubectl)?