
Container Registry: Network access control overview

Last Updated: Mar 26, 2026

Container Registry Enterprise Edition gives you full control over who can access your container images and Helm charts. Every new instance starts in a locked-down state — no inbound network traffic is permitted by default. To allow access, configure access control lists (ACLs) that permit traffic over a Virtual Private Cloud (VPC), the public internet, or both.

How it works

Enterprise Edition instances support two independent access modes:

| Access mode | Description | When to use |
| --- | --- | --- |
| VPC access | Routes traffic through your VPC using private IP addresses. No internet gateway, NAT device, or VPN gateway is required. | Internal services, CI/CD pipelines, and workloads already in your VPC |
| Public network access | Allows access over the public internet. | External clients or machines outside your VPC |

You can enable either mode or both simultaneously. Both are configured through ACL rules on the instance.

Considerations before you configure

Review the following constraints before configuring network access:

  • New instances block all traffic by default. Pull and push operations fail until you enable at least one access mode.

  • VPC and public access are independent. Enabling one does not automatically disable the other. You must explicitly disable a mode to restrict it.

  • Disabling public network access affects all external clients. If you restrict access to VPC only, any client that cannot reach the instance through the VPC — including external CI/CD tools and third-party integrations — loses access immediately.

Important

Before disabling public network access, verify that all clients (Docker daemons, CI/CD pipelines, and external integrations) can reach the instance through the VPC. Clients on the public internet will lose access as soon as you disable it.
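One way to run the verification described above from each client before disabling public access, as an added example that is not part of the original documentation or Alibaba Cloud's own tooling. It assumes the instance serves the standard registry `/v2/` endpoint over HTTPS; the script name, the verdict labels, and the hostname you pass in are hypothetical.

```python
import ipaddress
import socket
import sys
import urllib.error
import urllib.request


def resolve(host):
    """IP addresses this client gets for the registry hostname."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def registry_answers(host, timeout=5):
    """True if /v2/ responds; 401 without credentials still proves reachability."""
    try:
        with urllib.request.urlopen(f"https://{host}/v2/", timeout=timeout):
            return True
    except urllib.error.HTTPError as err:
        return err.code == 401
    except OSError:  # URLError, timeouts, TLS and socket errors
        return False


def classify(addresses, answers):
    """Decide whether this client survives disabling public network access."""
    if not addresses:
        return "unresolved"
    if any(ipaddress.ip_address(a).is_global for a in addresses):
        return "public-path"  # loses access once public access is disabled
    if not answers:
        return "blocked"      # private address, but ACL or routing denies it
    return "vpc-ok"


def check(host):
    return classify(resolve(host), registry_answers(host))


if __name__ == "__main__":
    # Hypothetical usage: python3 preflight.py <registry-hostname>
    verdict = check(sys.argv[1])
    print(f"{sys.argv[1]}: {verdict}")
    sys.exit(0 if verdict == "vpc-ok" else 1)
```

Run it on every Docker host and CI/CD runner that pulls or pushes; any verdict other than `vpc-ok` identifies a client that needs a VPC route or an ACL entry first.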

What's next