Improve Management Experience for Private Endpoint Configurations #869

@ritchellesap

Description

Current Behavior: When an Azure Container Registry (ACR) has an approved private endpoint and public network access is disabled, it becomes impossible to list repositories and tags using the Azure portal, Azure CLI, or other management tools from outside the virtual network.

Business Impact: This limitation creates significant operational challenges for enterprises managing containerized workloads:

  1. DevOps workflow disruption: Platform teams managing ACR from outside the VNet cannot perform basic inventory or auditing tasks without going through customized solutions.
  2. Inconsistent management experience: Administrative operations (listing images, viewing tags, auditing repository contents) should be separable from data plane operations (pulling/pushing images).
  3. Increased operational overhead: Organizations must either expose public network access (reducing security posture), provision jump boxes/bastion hosts solely for basic administrative tasks, or provide other workaround alternatives.

To highlight this unfortunate behaviour, let's compare it with Google's Artifact Registry: GAR operates as private by default, with both management and data plane controlled entirely through IAM and RBAC. There is no requirement for the administrative client to be within a specific network boundary to perform read-only management operations. This approach:

  • Separates authorization (who can access) from network policy (where they can access from)
  • Allows centralized management without compromising data plane security
  • Reduces infrastructure complexity for multi-region or hybrid deployments

Suggested Improvement: Consider decoupling control plane operations (list repositories, list tags, view metadata) from data plane operations (push/pull images) when private endpoints are configured. This would allow:

  • RBAC-controlled management operations from any authorized client
  • Network restrictions applied specifically to image push/pull operations
  • Alignment with zero-trust principles where identity, not network location, determines access

Labels: feature-request (Issues that request new features)
