Quickstart: Create a connected registry using the Azure CLI or Azure portal

2025-05-21

In this quickstart, you use the Azure CLI and Azure portal to create a connected registry resource in Azure. The connected registry feature of Azure Container Registry allows you to deploy a registry remotely or on your premises and synchronize images and other artifacts with the cloud registry.

Here you create two connected registry resources for a cloud registry: one connected registry allows read and write (artifact pull and push) functionality and one allows read-only functionality.

After creating a connected registry, you can follow other guides to deploy and use it on your on-premises or remote infrastructure.

Azure Container registry - If you don't already have a container registry, create one (Premium tier required) in a region that supports connected registries.

To import images to the container registry, use the Azure CLI

Use the Bash environment in Azure Cloud Shell. For more information, see Get started with Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
- If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Authenticate to Azure using Azure CLI.
- When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use and manage extensions with the Azure CLI.
- Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

Enable the dedicated data endpoint for the cloud registry

Azure portal
Azure CLI

Enable the dedicated data endpoint for the Azure container registry in the cloud. This step is needed for a connected registry to communicate with the cloud registry.

In the Azure portal, navigate to your container registry.
Select Networking > Public access. Select the Enable dedicated data endpoint checkbox.
Select Save.

Enable the dedicated data endpoint for the Azure container registry in the cloud by using the az acr update command. This step is needed for a connected registry to communicate with the cloud registry.

# Set the REGISTRY_NAME environment variable to identify the existing cloud registry
REGISTRY_NAME=<container-registry-name>

az acr update --name $REGISTRY_NAME \
  --data-endpoint-enabled

Import images to your cloud registry

Import the following container images to your cloud registry using the az acr import command. Skip this step if you already imported these images.

Connected registry image

Use the az acr import command to import the connected registry image into your private registry.

# Use the REGISTRY_NAME variable in the following Azure CLI commands to identify the registry
REGISTRY_NAME=<container-registry-name>

az acr import \
  --name $REGISTRY_NAME \
  --source mcr.microsoft.com/acr/connected-registry:1.0.0

Hello-world image

For testing the connected registry, import the hello-world image. This repository will be synchronized to the connected registry and pulled by the connected registry clients.

az acr import \
  --name $REGISTRY_NAME \
  --source mcr.microsoft.com/hello-world:1.1.2

Create a connected registry resource for read and write functionality

Azure portal
Azure CLI

The following steps create a connected registry in ReadWrite mode that is linked to the cloud registry.

In the Azure portal, navigate to your container registry.
Select Connected registries (Preview) > + Create.
Enter or select the values in the following table, and select Save.

Item	Description
Parent	Select No parent for a connected registry linked to the cloud registry.
Mode	Select ReadWrite.
Name	The connected registry name must start with a letter and contain only alphanumeric characters. It must be 5 to 40 characters long and unique in the hierarchy for this Azure container registry.
Logging properties	Accept the default settings.
Sync properties	Accept the default settings. Because there's no synchronization schedule defined by default, the repositories are synchronized between the cloud registry and the connected registry without interruptions.
Repositories	Select or enter the names of the repositories you imported in the previous step. The specified repositories are synchronized between the cloud registry and the connected registry once deployed.

You can also use the az acr connected-registry create command to create a connected registry with read-only functionality.

# Set the CONNECTED_REGISTRY_READ environment variable to provide a name for the connected registry with read-only functionality
CONNECTED_REGISTRY_RO=<connnected-registry-name>
az acr connected-registry create --registry $REGISTRY_NAME \
  --parent $CONNECTED_REGISTRY_RW \
  --name $CONNECTED_REGISTRY_RO \
  --repository "hello-world" "acr/connected-registry" \
  --mode ReadOnly

This command creates a connected registry resource whose name is the value of $CONNECTED_REGISTRY_RO and links it to the cloud registry named with the value of $REGISTRY_NAME.

The specified repositories are synchronized between the parent registry named with the value of $CONNECTED_REGISTRY_RW and the connected registry once deployed.
The resource is created in the ReadOnly mode, which enables read-only (artifact pull) functionality once deployed.
The repositories are synchronized between the parent registry and the connected registry without interruptions because there's no synchronization schedule defined for this connected registry.

Create a connected registry resource for read-only functionality

Azure portal
Azure CLI

The following steps create a connected registry in ReadOnly mode whose parent is the connected registry you created in the previous section. This connected registry enables read-only (artifact pull) functionality once deployed.

In the Azure portal, navigate to your container registry.
Select Connected registries (Preview) > + Create.
Enter or select the values in the following table, and select Save.

Item	Description
Parent	Select the connected registry you created previously.
Mode	Select ReadOnly.
Name	The connected registry name must start with a letter and contain only alphanumeric characters. It must be 5 to 40 characters long and unique in the hierarchy for this Azure container registry.
Logging properties	Accept the default settings.
Sync properties	Accept the default settings. Because there's no synchronization schedule defined by default, the repositories are synchronized between the cloud registry and the connected registry without interruptions.
Repositories	Select or enter the names of the repositories you imported in the previous step. The specified repositories are synchronized between the parent registry and the connected registry once deployed.

You can also use the az acr connected-registry create command to create a connected registry with read-only functionality.

# Set the CONNECTED_REGISTRY_READ environment variable to provide a name for the connected registry with read-only functionality
CONNECTED_REGISTRY_RO=<connnected-registry-name>
az acr connected-registry create --registry $REGISTRY_NAME \
  --parent $CONNECTED_REGISTRY_RW \
  --name $CONNECTED_REGISTRY_RO \
  --repository "hello-world" "acr/connected-registry" \
  --mode ReadOnly

This command creates a connected registry resource whose name is the value of $CONNECTED_REGISTRY_RO and links it to the cloud registry named with the value of $REGISTRY_NAME.

The specified repositories are synchronized between the parent registry named with the value of $CONNECTED_REGISTRY_RW and the connected registry once deployed.
The resource is created in the ReadOnly mode, which enables read-only (artifact pull) functionality once deployed.
The repositories are synchronized between the parent registry and the connected registry without interruptions because there's no synchronization schedule defined for this connected registry.

Verify that the resources are created

Azure portal
Azure CLI

Select a connected registry in the portal to view its properties, such as its connection status (Offline, Online, or Unhealthy) and whether it activated (deployed on-premises). In the following example, the connected registry isn't deployed. The connection state of "Offline" indicates that it disconnected from the cloud.

From this view, you can also generate a connection string and optionally generate passwords for the sync token. A connection string contains configuration settings used for deploying a connected registry and synchronizing content with a parent registry.

You can use the connected registry az acr connected-registry list command to verify that the resources are created.

az acr connected-registry list \
  --registry $REGISTRY_NAME \
  --output table

You should see a response as follows. Because the connected registries aren't yet deployed, the connection state of "Offline" indicates that they're currently disconnected from the cloud.

NAME                 MODE        CONNECTION STATE    PARENT               LOGIN SERVER    LAST SYNC (UTC)
-------------------  --------    ------------------  -------------------  --------------  -----------------
myconnectedregrw    ReadWrite    Offline
myconnectedregro    ReadOnly     Offline             myconnectedregrw

Next steps

In this quickstart, you used the Azure CLI and Azure portal to create two connected registry resources in Azure. Those new connected registry resources are tied to your cloud registry and allow synchronization of artifacts with the cloud registry.

Continue to the connected registry deployment guides to learn how to deploy and use a connected registry in your infrastructure.

Quickstart: Deploy connected registry to Azure Arc

Share via