Clear Thinking in Data, Cloud, and AI

Practical insights from real-world cloud, data, and applied AI systems

Azure Container Registry (ACR)

Written by

Shahzad Khan

in

on

Azure Container Registry (ACR) can be used for multiple images, apps, and environments.

This is the recommended Azure pattern, and it will not increase cost in any meaningful way.

✅ What one ACR can host

A single ACR can store images for:

  • ✔ WordPress
  • ✔ MariaDB
  • ✔ Future apps (APIs, workers, cron containers)
  • ✔ Dev / test / prod images (via tags)
  • ✔ Multiple Azure Container Apps
  • ✔ Even AKS or App Service (if you add them later)

There is no “one registry per app” requirement.

🧠 How to organize images properly (best practice)

Use repositories + tags, not multiple registries.

Example structure

tanolisacr.azurecr.io/
│
├── wordpress
│   ├── prod
│   ├── staging
│   └── dev
│
├── mariadb
│   ├── 10.6
│   └── 10.11
│
├── cron
│   └── wp-cron
│
└── tools
    └── healthcheck

Example tags

wordpress:prod
wordpress:prod-2025-03-01
wordpress:staging
mariadb:10.11

Tags are cheap. Registries are not meant to be duplicated.

🔐 Security model (important for ACA)

Best option: Managed Identity

For Azure Container Apps, do this:

  1. Enable system-assigned managed identity on ca-wp
  2. Grant AcrPull role on the registry
Registry: tanolisacr
Role: AcrPull
Principal: ca-wp (managed identity)

This lets ACA pull images without secrets.

✔ Works for all images in the registry
✔ No passwords to rotate
✔ Least privilege

💰 Cost impact (almost none)

ACR Basic pricing

  • ~$5/month flat
  • Storage is cheap (first several GBs are pennies)

You do not pay per image or per repository.

Using the same registry for 1 image vs 20 images:

Cost ≈ the same

🚫 What NOT to do

  • ❌ Create a new ACR per app
  • ❌ Hardcode registry passwords
  • ❌ Use latest tags in prod
  • ❌ Push prod + dev images without tags

🧩 When would you need a second ACR?

Rare cases only:

  • Regulatory isolation (gov / fed boundaries)
  • Different Azure tenants
  • Extremely strict prod vs dev separation

For WordPress + ACA, one ACR is perfect.

✅ Final recommendation for your setup

Given everything you’re running:

  • WordPress container
  • MariaDB container
  • Possible future cron / worker containers

👉 Use one ACR
👉 Organize with repositories + tags
👉 Use Managed Identity + AcrPull

This is clean, secure, cheap, and future-proof.

FavoriteLoadingAdd to favorites

RECENT POSTS

Categories

Log in

Tags

ADO ai angular asian asp.net asp.net core azure ACA azure administration Azure Cloud Architect Azure Key Vault Azure Storage Blazor WebAssembly BLOB bootstrap c# containers css datatables design pattern docker excel framework Git HTML JavaScript jQuery json knockout lab LINQ linux power bi powershell REST API smart home SQL Agent SQL server SSIS SSL SVG Icon typescript visual studio Web API window os wordpress

ARCHIVE

DISCLAIMER

The information on this weblog is provided “as is,” without warranties of any kind, and confers no rights. The content reflects my personal views and does not represent the thoughts, intentions, plans, or strategies of any organization with which I am affiliated. Discussion and differing viewpoints are welcome; however, I reserve the right to moderate or remove comments that are abusive, profane, rude, or anonymous. Please keep the conversation respectful and constructive.

More posts