Relocate an Azure Container Registry to another region

This article shows you how to relocate Azure Container Registry resources to another region in the same subscription of the Active Directory tenant.

Предпосылки

• You can only relocate a registry within the same Active Directory tenant. This limitation applies to registries that are encrypted and unencrypted with a customer-managed key.
• If the source registry has availability zones enabled, then the target region must also support availability zones. For more information on availability zone support for Azure Container Registry, see Enable zone redundancy in Azure Container Registry.

Considerations for Service Endpoints

The virtual network service endpoints for Azure Container Registry restrict access to a specified virtual network. Конечные точки также могут ограничить доступ к списку диапазонов адресов IPv4 (интернет-протокол версии 4). Any user connecting to the registry from outside those sources is denied access. If Service endpoints were configured in the source region for the registry resource, the same would need to be done in the target one. The steps for this scenario are:

• For a successful recreation of the registry to the target region, the virtual network and subnet must be created beforehand. If the move of these two resources is being carried out with the Azure Resource Mover tool, the service endpoints can't be configured automatically, and so you need to provide manual configuration.
• Secondly, changes need to be made in the IaC of the Azure Container Registry. In networkAcl section, under virtualNetworkRules, add the rule for the target subnet. Ensure that the ignoreMissingVnetServiceEndpoint flag is set to False, so that the IaC fails to deploy the Azure Container Registry in case the service endpoint isn't configured in the target region. This ensures that the prerequisites in the target region are met

Consideration for private endpoint

Azure Private Link provides private connectivity from a virtual network to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services. Private Link simplifies the network architecture and secures the connection between endpoints in Azure by eliminating data exposure to the public internet.

For a successful recreation of your resource in the target region, the VNet and Subnet must be created before the actual recreation occurs.

Considerations for Azure Private Endpoint DNS integration

It’s important to correctly configure your DNS settings to resolve the private endpoint IP address to the fully qualified domain name (FQDN) of the connection string.

Возможно, существующие службы Microsoft Azure уже используют конфигурацию DNS для общедоступной конечной точки. Эту конфигурацию нужно переопределить для подключения с помощью частной конечной точки.

Сетевой интерфейс, связанный с частной конечной точкой, содержит сведения для настройки DNS. The network interface information includes FQDN and private IP addresses for your private link resource.

Чтобы настраивать параметры DNS для частных конечных точек, можно использовать следующие варианты.

• Используйте файл узла (рекомендуется только для тестирования). Для переопределения DNS можно использовать файл узла на виртуальной машине.
• Используйте частную зону DNS. Вы можете с помощью частных зон DNS переопределять разрешения DNS для частной конечной точки. Частная зона DNS может быть связана с вашей виртуальной сетью для разрешения конкретных доменов.
• Используйте сервер пересылки DNS (необязательно). Чтобы переопределить разрешение DNS для ресурса частной ссылки, можно использовать пересылающий сервер DNS. Создайте правило пересылки DNS, чтобы использовать частную зону DNS на DNS-сервере, размещенном в виртуальной сети.

• Azure Container Registry must be configured in the target region with premium tier.
• When public network access to a registry is disabled, registry access by certain trusted services - including Azure Security Center - requires enabling a network setting to bypass the network rules.
• Если в реестре есть утвержденная частная конечная точка и доступ через общедоступную сеть отключен, репозитории и теги нельзя включить в список за пределами виртуальной сети с помощью портала Azure, Azure CLI или других средств.
• In case the case of a new replica, it's imperative to manually add a new Domain Name System (DNS) record for the data endpoint in the target region.

Время простоя

To understand the possible downtimes involved, see Cloud Adoption Framework for Azure: Select a relocation method.

Подготовьте

To prepare for relocation with data migration:

1. Create a dependency map with all the Azure services used by the registry. For the services that are in scope of the relocation, you must choose the appropriate relocation strategy.

2. Identify the source networking layout for Azure Container Registry (ACR) like firewall and network isolation.

3. Retrieve any required images from the source registry for import into the target registry. To retrieve the images, run the following command:

   Get-AzContainerRegistryRepository -RegistryName registry
   

4. Use ACR Tasks to retrieve automation configurations of the source registry for import into the target registry.

Export template

Чтобы начать, экспортируйте шаблон Resource Manager. This template contains settings that describe your Container Registry. For more information on how to use exported templates, see Use exported template from the Azure portal and the template reference.

1. In the Azure portal, navigate to your source registry.

2. In the menu, under Automation, select Export template>Download.

   

3. Найдите скачанный c портала ZIP-файл и распакуйте его в любую выбранную папку.

   В ZIP-файле содержатся файлы JSON, включающие шаблон и скрипты для развертывания шаблона.

Modify template

Inspect the registry properties in the template JSON file you downloaded, and make necessary changes. At a minimum:

• Change the registry name's defaultValue to the desired name of the target registry

• Update the location to the desired Azure region for the target registry

  {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "registries_myregistry_name": {
        "defaultValue": "myregistry",
        "type": "String"
      }
    },
    "variables": {},
    "resources": [
      {
        "type": "Microsoft.ContainerRegistry/registries",
        "apiVersion": "2020-11-01-preview",
        "name": "[parameters('myregistry_name')]",
        "location": "centralus",
        ...
      }
    ]
  }
  

• Validate all the associated resources detail in the downloaded template such as Registry scopeMaps, replications configuration, Diagnostic settings like log analytics.

• If the source registry is encrypted, then encrypt the target registry using a customer-managed key and update the template with settings for the required managed identity, key vault, and key. You can only enable the customer-managed key when you deploy the registry.

Создать группу ресурсов

Create a resource group for the target registry using the az group create. В следующем примере создается группа ресурсов с именем myResourceGroup в расположении eastus.

az group create --name myResourceGroup --location eastus

Повторное развертывание

Use the az deployment group create command to deploy the target registry, using the template:

az deployment group create \
  --name mydeployment \
  --resource-group myResourceGroup \
  --template-file template.json 

Import registry content in target registry

After creating the registry in the target region:

1. Use the az acr import command, or the equivalent PowerShell command Import-AzContainerImage, to import images and other artifacts you want to preserve from the source registry to the target registry. For command examples, see Import container images to a container registry.

2. Use the Azure CLI commands az acr repository list and az acr repository show-tags, or Azure PowerShell equivalents, to help enumerate the contents of your source registry.

3. Run the import command for individual artifacts, or script it to run over a list of artifacts.

   The following sample Azure CLI script enumerates the source repositories and tags and then imports the artifacts to a target registry in the same Azure subscription. Modify as needed to import specific repositories or tags. To import from a registry in a different subscription or tenant, see examples in Import container images to a container registry.

   #!/bin/bash
   # Modify registry names for your environment
   SOURCE_REG=myregistry
   TARGET_REG=targetregistry
   
   # Get list of source repositories
   REPO_LIST=$(az acr repository list \
       --name $SOURCE_REG --output tsv)
   
   # Enumerate tags and import to target registry
   for repo in $REPO_LIST; do
       TAGS_LIST=$(az acr repository show-tags --name $SOURCE_REG --repository $repo --output tsv);
       for tag in $TAGS_LIST; do
           echo "Importing $repo:$tag";
           az acr import --name $TARGET_REG --source $SOURCE_REG.azurecr.io/$repo":"$tag;
       done
   done
   

4. Associate the dependent resources to the target Azure Container Registry such as log analytics workspace in Diagnostic settings.

5. Configure Azure Container Registry integration with both type of AKS clusters, provisioned or yet to be provisioned by running the following command:

   Set-AzAksCluster -Name myAKSCluster -ResourceGroupName myResourceGroup -AcrNameToAttach <acr-name>
   

6. Make the necessary changes to the Kubernetes manifest file to integrate same with relocated Azure Container Registry (ACR).

7. Update development and deployment systems to use the target registry instead of the source registry.

8. Update any client firewall rules to allow access to the target registry.

Проверьте

Confirm the following information in your target registry:

• Registry settings such as the registry name, service tier, public access, and replications
• Repositories and tags for content that you want to preserve.

Delete original registry

After you deploy the target registry, migrated content, and verified registry settings, you can delete the source registry.

Связанный контент

• To move registry resources to a new resource group either in the same subscription or a [new subscription], see Move Azure resources to a new resource group or subscription.
• Learn more about importing container images to an Azure container registry from a public registry or another private registry.
• See the Resource Manager template reference for Azure Container Registry.