Deploy Azure Container Registry (ACR) from the service catalog into a workload

Azure Enclave is a cloud networking service that provides organizations with highly sensitive data the ability to quickly deploy and manage workloads across Commercial and air-gapped Azure clouds at scale. In this quickstart, you:

  • Deploy a service catalog template for an Azure Container Registry into an existing workload from the Portal.

Note

This sample deployment is just for demo purposes and doesn't represent all the best practices for network, systems, or applications administration.

Warning

If you plan on using this template with the Azure Kubernetes Service (AKS) Template in the same enclave, perform the AKS Templates prerequisite steps first because you delete and recreate the enclave's subnets.

Before you begin

This quickstart assumes a basic understanding of networking and Azure Enclave concepts. For more information, see Best practices of Azure Enclave.

Prerequisites

There are guardrail requirements on enclaves to ensure that enclave resources use Customer-Managed Key (CMK) encryption. This requires a key, and an identity with access to that key, to be available in the enclave. Create the CMK (optionally in a new Key Vault) and the Managed Identity with the Common Dependencies service catalog template.

  1. Subnet for Private Endpoints: You have the option to create subnets during enclave creation, or you can create new subnets after enclave creation. The private endpoint subnet must have no subnet delegation for private endpoints to work properly.

Note

You can't resize a subnet once resources are deployed inside the subnet.

  2. Quickly create these Private DNS Zones based on what you create next:
    • Key Vault: required when creating a Key Vault from this template or from the more customizable Key Vault template.
    • Storage File, Storage Queue, Storage Blob, and Storage Table: required when creating a Storage Account from this template or from the more customizable Storage Account template.
    • Container registry: required to access the container registry privately.
  3. A Key Vault, Customer Managed Key (CMK), and Managed Identity are required for this template. Create a Key Vault, CMK, and Managed Identity in the Common Dependencies service catalog quickstart or create your own.
    • These resources should be created inside a workload resource group.
    • After creating the User Managed Identity, ensure it has access to the CMK key.
      • Assign the Key Vault Crypto Service Encryption User RBAC role to the managed identity, scoped to the key vault, with these instructions. You can then assign the managed identity to another resource, like a Virtual Machine, and that Virtual Machine can encrypt its operating system disk with the CMK in the key vault without having permission for any other key vault operation, following least privilege.
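The following Azure PowerShell script is an added example, not part of the Azure Enclave documentation or the service catalog template itself. It checks the three prerequisites above (undelegated private endpoint subnet, registry Private DNS zone, and least-privilege key access for the managed identity) before you deploy. All resource names are hypothetical placeholders, and it assumes the standard Private DNS zone name for Azure Container Registry, privatelink.azurecr.io, and that the Az.Network, Az.PrivateDns, Az.KeyVault, Az.ManagedServiceIdentity and Az.Resources modules are installed and you have already run Connect-AzAccount against the right cloud (for example -Environment AzureUSGovernment).

```powershell
# Added example: prerequisite checks for the ACR service catalog template.
# Every name below is a hypothetical placeholder; replace with your own values.
$WorkloadRg   = 'rg-workload-demo'        # workload resource group holding KV, CMK and identity
$NetworkRg    = 'rg-enclave-network'      # resource group of the enclave virtual network
$VnetName     = 'vnet-enclave'            # enclave virtual network
$PeSubnetName = 'snet-private-endpoints'  # subnet reserved for private endpoints
$DnsZoneRg    = 'rg-enclave-dns'          # resource group where the Private DNS zones live
$KeyVaultName = 'kv-workload-demo'        # key vault that holds the CMK
$IdentityName = 'id-workload-cmk'         # user-assigned managed identity
$Role         = 'Key Vault Crypto Service Encryption User'
$AcrZoneName  = 'privatelink.azurecr.io'  # standard ACR private link zone name (assumption)

# 1. The private endpoint subnet must carry no delegation.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $NetworkRg -Name $VnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $PeSubnetName
if ($subnet.Delegations.Count -gt 0) {
    $delegated = ($subnet.Delegations | ForEach-Object ServiceName) -join ', '
    throw "Subnet '$PeSubnetName' is delegated to '$delegated'; private endpoints need an undelegated subnet."
}
Write-Host "OK: subnet '$PeSubnetName' has no delegation."

# 2. The Private DNS zone for the registry must already exist.
$zone = Get-AzPrivateDnsZone -ResourceGroupName $DnsZoneRg -Name $AcrZoneName -ErrorAction SilentlyContinue
if (-not $zone) {
    throw "Private DNS zone '$AcrZoneName' not found in '$DnsZoneRg'; create it before deploying the template."
}
Write-Host "OK: Private DNS zone '$AcrZoneName' exists."

# 3. The managed identity needs the encryption-user role on the key vault, and nothing broader.
$vault    = Get-AzKeyVault -ResourceGroupName $WorkloadRg -VaultName $KeyVaultName
$identity = Get-AzUserAssignedIdentity -ResourceGroupName $WorkloadRg -Name $IdentityName

$existing = Get-AzRoleAssignment -ObjectId $identity.PrincipalId `
                                 -Scope $vault.ResourceId `
                                 -RoleDefinitionName $Role
if (-not $existing) {
    # Scope the assignment to the vault only: the identity can wrap/unwrap keys
    # for encryption but cannot manage secrets, certificates or the vault itself.
    New-AzRoleAssignment -ObjectId $identity.PrincipalId `
                         -RoleDefinitionName $Role `
                         -Scope $vault.ResourceId | Out-Null
    Write-Host "Assigned '$Role' to '$IdentityName' on '$KeyVaultName'."
} else {
    Write-Host "OK: '$Role' already assigned to '$IdentityName' on '$KeyVaultName'."
}

# Least-privilege guard: flag any other role the identity holds at (or inherited into) vault scope.
Get-AzRoleAssignment -ObjectId $identity.PrincipalId -Scope $vault.ResourceId |
    Where-Object { $_.RoleDefinitionName -ne $Role } |
    ForEach-Object {
        Write-Warning "'$IdentityName' also holds '$($_.RoleDefinitionName)' at scope '$($_.Scope)'; review whether this is needed."
    }
```

Get-AzRoleAssignment with -Scope also returns assignments inherited from the resource group or subscription, so the final warning loop surfaces broad roles (for example Contributor at subscription scope) that would quietly give the identity more than key access.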

Deploy the template

  1. Navigate to the workload for the intended deployment.
  2. Select Add Service button.
  3. Select the Azure Container Registry service template from the service catalog list dropdown, confirm the version you need (default: latest), and select Next.

Screenshot showing the Azure Container Registry template selected from the service catalog list.

  4. Go through each tab and enter all the required parameters. Under the encryption tab, you need to use the CMK Key and User-assigned Identity names and resource group created in the Prerequisites.
  5. Adjust any of the prepopulated parameters as needed.
  6. Select Review + Create then Create.

It can take a few minutes to finish all resource creation. Wait for the deployment to be successfully completed before you take any actions within your deployed resources.

Validate the deployment

Go to the workload resource group to confirm the intended resources were created, including the container registry and the private endpoint.
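Beyond confirming that the resources exist, a practitioner will want to confirm that the registry came out encrypted with the CMK and reachable only through the private endpoint. The following Azure PowerShell script is an added example (not from the documentation or the template) that reads the registry's ARM properties and the private endpoint and reports any deviation. The resource names are hypothetical placeholders; the property names (encryption.status, encryption.keyVaultProperties, publicNetworkAccess, privateEndpointConnections) are those of the Microsoft.ContainerRegistry/registries resource, and the expectation that public network access is disabled is this example's assumption for a private-only registry.

```powershell
# Added example: post-deployment validation of the ACR service catalog deployment.
$WorkloadRg   = 'rg-workload-demo'   # hypothetical workload resource group
$RegistryName = 'acrworkloaddemo'    # hypothetical registry name
$findings = @()

# Pull the registry with its full ARM property bag rather than the flattened cmdlet view.
$acr = Get-AzResource -ResourceGroupName $WorkloadRg `
                      -ResourceType 'Microsoft.ContainerRegistry/registries' `
                      -Name $RegistryName -ExpandProperties
if (-not $acr) { throw "Registry '$RegistryName' not found in '$WorkloadRg'." }
$p = $acr.Properties

# CMK encryption must be on and bound to a key identifier and a user-assigned identity.
if ($p.encryption.status -ne 'enabled') {
    $findings += "Encryption status is '$($p.encryption.status)'; expected 'enabled' (CMK guardrail)."
}
if (-not $p.encryption.keyVaultProperties.keyIdentifier) {
    $findings += 'No CMK key identifier is configured on the registry.'
}
if (-not $p.encryption.keyVaultProperties.identity) {
    $findings += 'No user-assigned identity is configured for CMK access.'
}

# Private-only registry: public access off (assumption for this enclave pattern).
if ($p.publicNetworkAccess -ne 'Disabled') {
    $findings += "publicNetworkAccess is '$($p.publicNetworkAccess)'; expected 'Disabled'."
}

# At least one approved private endpoint connection must be attached to the registry.
$connections = @($p.privateEndpointConnections)
if ($connections.Count -eq 0) {
    $findings += 'No private endpoint connection is attached to the registry.'
}
foreach ($c in $connections) {
    $state = $c.properties.privateLinkServiceConnectionState.status
    if ($state -ne 'Approved') {
        $findings += "Private endpoint connection '$($c.name)' is '$state', not 'Approved'."
    }
}

# Cross-check from the network side: the private endpoint in the workload must target this registry
# with the 'registry' sub-resource and carry a DNS zone group so name resolution lands on it.
$pes = Get-AzPrivateEndpoint -ResourceGroupName $WorkloadRg |
    Where-Object { $_.PrivateLinkServiceConnections.PrivateLinkServiceId -contains $acr.ResourceId }
if (-not $pes) {
    $findings += "No private endpoint in '$WorkloadRg' targets registry '$RegistryName'."
}
foreach ($pe in $pes) {
    $groups = $pe.PrivateLinkServiceConnections | ForEach-Object { $_.GroupIds }
    if ($groups -notcontains 'registry') {
        $findings += "Private endpoint '$($pe.Name)' does not use the 'registry' group id."
    }
    $zoneGroup = Get-AzPrivateDnsZoneGroup -ResourceGroupName $WorkloadRg `
                                           -PrivateEndpointName $pe.Name -ErrorAction SilentlyContinue
    if (-not $zoneGroup) {
        $findings += "Private endpoint '$($pe.Name)' has no Private DNS zone group; private name resolution will not work."
    }
}

if ($findings.Count -eq 0) {
    Write-Host "Validation passed: '$RegistryName' is CMK-encrypted and reachable only via an approved private endpoint."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The script exits non-zero when anything deviates, so it can run as a post-deployment gate in a pipeline: a registry that deployed "successfully" but with public access left on or a pending private endpoint connection is caught before images are pushed.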

Delete the deployment

If you don't plan on keeping these resources, clean up unnecessary resources to avoid Azure charges. If no other deployments exist in the resource group, the whole resource group can be deleted.

Recommendations

  • Add tags to service catalog deployments to track important information for that resource such as:
    • Owner: <main POC>
    • Deployer: <yourName>
    • Purpose: <dev/test containers>
    • Service Catalog Name: <Container Registry>
    • Service Catalog Version: <version you deployed>
  • Consider adding an Azure Policy to enforce and inherit tags

Next Steps

  • Deploy any needed tools onto the management VM (examples: docker cli, Azure PowerShell modules, ...)
  • Read the AKS Template documentation to see if you would like to use it.