Reading Time: 4 minutes
Follow by Email

In this article, i am going to walk through how to create an Azure container registry using the Azure CLI. I will also show you how to grant permission for your AKS cluster to connect to the ACR.

Create the ACR

First make sure you are logged in to Azure using az login and select the subscription you want to create the ACR in.

Now that you are logged in its time to start the creation. So ACR like every other resource needs to reside in a Resource Group. You can use the following command to create one.

Now that you have a Resource Group you can use the following command to create the ACR.

The name for your ACR must be unique within Azure and contain 5-50 alphanumeric characters.

That’s your ACR created. Now to login.

A little note about the different SKU’s. There are 3 different ones Basic, Standard and Premium.

Below is a table that details the features and limits.

Resource Basic Standard Premium
Storage 10 GiB 100 GiB 500 GiB
Max image layer size 20 GiB 20 GiB 50 GiB
ReadOps per minute 1,000 3,000 10,000
WriteOps per minute 100 500 2,000
Download bandwidth MBps 30 60 100
Upload bandwidth MBps 10 20 50
Webhooks 2 10 100
Geo-replication N/A N/A Supported
Content trust (preview) N/A N/A Supported

From <>

You can switch between SKU’s by using the following command.

Let’s log in to the ACR

To log in use the following command. Just make sure to change the name to your ACR.

To be able to push your container images to your new ACR you need to make sure you tag them correctly.

Time to Tag

For this bit, I am going to assume you have a docker image on your local machine. To view your docker image you can use the command docker images

So to actually use your ACR the images you want to push to it need to be tagged with the login server address of your ACR. This tag is what is used to rote the container image to the correct registry.

To find the login server address use the following command.

Now that you have the login server address you can tag you docker images using it. To do this use the docker tag command.

To check that the tagging has worked just run docker images again.

Push to the ACR

To do this we use the docker push command. Just make sure you change the ARC login server and image to match yours.

Depending on the size of the image and your internet connection it could take some time to upload.

List images in the ACR

This ones a nice easy command.

If you want to see what tags are available for a certain container you can use the following command.

OK great you have your ACR created and a docker image pushed to it. Now lets allow AKS access to it.

Allow AKS access to ACR

When you created your AKS cluster you would have created a service principal. To give AKS access to ACR we are going to use this for authentication. The below script will create an Azure AD role assignment that grants the service principle access to the ACR. Just change the variables at the top to match your setup.

And there you have it you can now deploy containers from your Azure Container Registry. If you have any questions please reach out.

Follow by Email

Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.


Peter K · March 19, 2019 at 2:13 pm

Great post! Not the first time I’ve been visiting it for help.

Edward Pius · May 5, 2019 at 4:56 am

Hello Richard,

I have configured an ACR in a different subscription. My intention is to create one K8S cluster per subscription. We want to have different subscriptions per environment (dev/uat/stage/prod). The ACR will live on a “shared” subscription. So, in this case, I am guessing that I have to create a service principal which has access to all the required subscriptions?

Before reading this article, I was creating a K8S secret with the ACR information to access the images per subscription/namespace. If this can be done using across multiple subscriptions, that would be really nice.



    Pixel Robots. · May 5, 2019 at 8:38 am

    Hello, As long as your subscriptions are under the same tenant, then yes create a Service Principal that is scopes to all your subscriptions.

Leave a Reply

Your email address will not be published. Required fields are marked *


I agree