What is Container Registry? - Container Registry - Alibaba Cloud Documentation Center

Choose your edition

ACR offers two editions designed for different workloads and team sizes.

	Personal Edition (for individuals)	Enterprise Basic Edition	Enterprise Advanced Edition
Best for	Individual developers, learning, experimentation	Production workloads, teams, regulated environments	Production workloads, teams, regulated environments
Instance type	Shared infrastructure	Dedicated instance, no shared resources	Dedicated instance, no shared resources
SLA	None	99.95%	99.95%
Key limit	3 namespaces, 300 repositories	15 namespaces, 1,000 repositories	50 namespaces, 5,000 repositories
Get started	Try Personal Edition	Create an Enterprise Edition instance	Create an Enterprise Edition instance

Warning

Container Registry Personal Edition carries no SLA guarantee, and Alibaba Cloud does not provide compensation for SLA violations. It is subject to usage limits. Do not use Personal Edition in production environments.

For a full feature and quota comparison, see Specifications below or Instance edition features and differences.

Container Registry Enterprise Edition

Container Registry Enterprise Edition is a dedicated, enterprise-grade registry for production workloads. Each instance is isolated at the resource level, with no shared infrastructure, giving you predictable performance and strong security boundaries.

Key characteristics:

Dedicated instance with no shared resources
99.95% SLA with cross-zone high availability included by default in multi-zone regions
Supports container images, Helm Charts (v2/v3), and any OCI-compliant artifact
Configurable network access controls (VPC isolation, allowlists)
Full audit trail via ActionTrail
Available in Basic Edition and Advanced Edition tiers (see Specifications for a full feature comparison)

Recommended for: Teams running production services on ACK or any Kubernetes-based environment.

Container Registry Personal Edition (for individuals)

Container Registry Personal Edition provides basic image hosting, image building, and image authorization services for individual developers and exploratory use.

Recommended for: Individual developers learning container workflows or experimenting with ACR features.

Key features

Artifact hosting

ACR stores multi-architecture container images (Linux, Windows, Arm), Helm Charts (v2/v3), and any artifact conforming to the Open Container Initiative (OCI) specification. You can enforce version immutability on tags to prevent accidental overwrites and use automated tag cleanup rules to control storage consumption.

Accelerated distribution

Container Registry Enterprise Edition supports global synchronization to replicate images across multiple Alibaba Cloud regions. The Advanced Edition adds P2P (peer-to-peer) distribution acceleration and on-demand distribution (lazy pulling), which significantly reduce the time to start container workloads at scale across large node pools.

Pull throughput guarantees by tier:

Edition	Pull throughput (QPS)
Personal Edition	Not guaranteed
Enterprise Basic	250
Enterprise Advanced	1,000

Security and compliance

Vulnerability scanning: Multi-engine scanning generates multi-dimensional vulnerability reports on stored images, helping you catch known CVEs before deployment.
Vulnerability fixing: Enterprise Edition identifies fixable vulnerabilities and guides remediation.
Threat blocking: Advanced Edition only. Policy-based automatic blocking prevents images that fail your security policy from being pulled.
Image signing: Advanced Edition only. Cosign-compatible signing and signature verification protect your software supply chain.
Network access control: Restrict instance access to specific VPCs and CIDR ranges.
Audit logging: All image push, pull, and management events are logged to ActionTrail for compliance reporting.
Credential-free pull: Supported on Container Registry Enterprise Edition instances. Note: instances created on or after September 4, 2024 support credential-free pull on Enterprise Edition only; Container Registry Personal Edition instances created on or after that date do not support this feature.

Build and CI/CD integration

ACR provides a managed image build service that can compile source code from connected repositories and produce container images directly, with up to 10 concurrent build jobs on the Advanced Edition. Built images proceed directly into your scan-and-sign workflow before reaching your ACK clusters.

Artifact subscription and event notifications

You can subscribe to upstream public repositories and receive updates automatically when new versions are published. Event notifications integrate with downstream automation, triggering deployment pipelines or alert systems when images are pushed or scan results are available.

Multi-region disaster recovery

Container Registry Enterprise Edition instances in multi-zone Alibaba Cloud regions include cross-zone high availability by default. For cross-region disaster recovery, deploy separate instances in each target region. Storage-level redundancy is available using OSS zone-redundant storage (ZRS) for cross-zone data protection and OSS cross-region replication (CRR) for cross-region data backup.

How ACR works

Note

REVIEW REQUIRED (Finding 50): The following section was added during optimization and is not sourced from the original product documentation. The four specific claims marked below require verification by the product team before publication: (a) "standard Docker Registry HTTP API V2 protocol"; (b) "stores the image layers as OCI-compliant artifacts in Alibaba Cloud Object Storage Service (OSS)"; (c) "ACR deduplicates layers across images in the same namespace"; (d) "all stored artifacts are encrypted at rest".

When a developer or CI/CD system pushes a container image, ACR receives it over the standard Docker Registry HTTP API V2 protocol and stores the image layers as OCI-compliant artifacts in Alibaba Cloud Object Storage Service (OSS). ACR deduplicates layers across images in the same namespace, keeping storage costs low.

From there, ACR makes the image available for pull operations to authorized clients — whether that is an ACK cluster pulling an image for a rolling deployment, a developer's workstation pulling a base image, or a remote region pulling a synchronized copy. For Container Registry Enterprise Edition instances, ACR can replicate images across Alibaba Cloud regions using global synchronization rules, reducing pull latency for distributed services. P2P (peer-to-peer) distribution and on-demand distribution (lazy pulling) are available in the Advanced Edition to further accelerate large-scale deployments at the node level.

Security controls apply throughout: all stored artifacts are encrypted at rest; vulnerability scanning runs against pulled images using a multi-engine scanner; and network access control rules can restrict which VPCs and IP ranges can reach your instance.

Common use cases

CI/CD pipeline integration

Connect ACR to your source repositories to automatically build images on every commit. Vulnerability scanning runs immediately after build, and you can configure threat blocking rules to prevent non-compliant images from reaching your ACK clusters. This gives you a repeatable, auditable path from source code to production.

Multi-region and global deployments

Use global synchronization rules to automatically replicate images from a primary region to one or more secondary regions. Combined with P2P distribution (Advanced Edition), you can dramatically reduce image pull times for services running across geographically distributed Kubernetes clusters.

Enterprise security and compliance

Apply network access controls to restrict registry access to specific VPCs. Enforce tag immutability to maintain a reliable audit trail. Sign images with Cosign and verify signatures at deployment time. Export ActionTrail logs to your SIEM for centralized compliance reporting.

Migration from self-managed registries

Use the fast image import feature to migrate images from Harbor to Container Registry Enterprise Edition without re-pushing through a local client. Artifact subscription can replace manual sync scripts for external public images you depend on.

Specifications

The following tables list the key quotas and feature availability for each edition. For a complete specification comparison, see Instance edition features and differences.

Warning

Container Registry Personal Edition carries no SLA guarantee, and Alibaba Cloud does not provide compensation for SLA violations. It is subject to usage limits. Do not use Personal Edition in production environments.

Note

To select the right edition and configure disaster recovery, see Instance edition features and differences. Then follow the disaster recovery guides to set up a cross-zone recovery solution, cross-region recovery solution, and data backup solution.

Quotas

Feature	Personal Edition	Enterprise Basic	Enterprise Advanced
Namespace quota (container images)	3	15	50
Public repository quota (container images)	300	1,000	5,000
Helm Chart namespace quota	Not supported	15	50
Helm Chart public repository quota	Not supported	1,000	5,000
OCI artifact support	Not supported	Supported	Supported
Version immutability	Not supported	Supported	Supported
Tag management (automatic cleanup)	Not supported	Supported	Supported
Concurrent build quota	1	3	10
Artifact subscription	Not supported	5	30
Synchronization rules	Not supported	Not supported	60
VPC access control	Not supported	Purchase separately	Purchase separately
Custom domain name	Not supported	Supported	Supported
Fast image import from Harbor	Not supported	Supported	Supported
ActionTrail audit logging	Not supported	Supported	Supported
Event notification	Not supported	Supported	Supported

Distribution and security

Feature	Personal Edition	Enterprise Basic	Enterprise Advanced
Pull throughput guarantee (pull QPS)	Not guaranteed	250	1,000
Intelligent acceleration	Not supported	Supported	Supported
Multi-architecture image building	Not supported	Supported	Supported
P2P (peer-to-peer) distribution	Not supported	Not supported	Supported
On-demand distribution (lazy pulling)	Not supported	Not supported	Supported
Global synchronization	Not supported	Not supported	Supported
Multi-engine vulnerability scanning	Not supported	Supported	Supported
Vulnerability fixing	Not supported	Supported	Supported
Threat blocking (policy-based)	Not supported	Not supported	Supported
Image signing and signature verification	Not supported	Not supported	Supported
Network access control	Not supported	Supported	Supported
Cloud-native application delivery chain	Not supported	Not supported	Supported
Credential-free pull (instances before Sep 4, 2024)	Supported	Supported	Supported
Credential-free pull (instances on/after Sep 4, 2024)	Not supported	Supported	Supported

Disaster recovery

Module	Feature	Personal Edition	Enterprise Basic	Enterprise Advanced
Instance	Cross-zone disaster recovery	None	Supported by default in multi-zone regions	Supported by default in multi-zone regions
Instance	Cross-region disaster recovery	None	Create separate instances per region	Create separate instances per region
Instance storage	Cross-zone redundancy	None	Use OSS zone-redundant storage (ZRS)	Use OSS zone-redundant storage (ZRS)
Instance storage	Cross-region backup	None	Use OSS cross-region replication (CRR)	Use OSS cross-region replication (CRR)
Service guarantee	SLA	None	99.95%	99.95%

Get started

I want to...	Where to go
Try ACR quickly	Quickstart: Create a Container Registry Enterprise Edition instance
Compare editions and pricing	Instance types and pricing
Migrate images from Docker Hub or Harbor	Migrate images to ACR
Secure my registry with network controls	Configure network access control
Integrate ACR with my ACK cluster and CI/CD pipeline	Integrate ACR with ACK and DevOps pipelines
Configure disaster recovery	Instance edition features and differences — disaster recovery