What is Container Registry (ACR) - Editions, Features, Specifications - Container Registry

Choose your edition

ACR offers two editions designed for different workloads and team sizes.

	Personal Edition (for individuals)	Enterprise Basic Edition	Enterprise Advanced Edition
Best for	Individual developers, learning, experimentation	Production workloads, teams, regulated environments	Production workloads, teams, regulated environments
Instance type	Shared infrastructure	Dedicated instance, no shared resources	Dedicated instance, no shared resources
SLA	None	99.95%	99.95%
Key limit	3 namespaces, 300 repositories	15 namespaces, 1,000 repositories	50 namespaces, 5,000 repositories
Get started	Try Personal Edition	Create an Enterprise Edition instance	Create an Enterprise Edition instance

Warning

Container Registry Personal Edition has no SLA guarantee, and Alibaba Cloud does not compensate for SLA violations. Usage limits apply. Do not use Personal Edition in production environments.

Compare features and quotas in Specifications below or Instance edition features and differences.

Container Registry Enterprise Edition

Container Registry Enterprise Edition provides a dedicated, resource-isolated registry instance with no shared infrastructure, delivering predictable performance and strong security boundaries.

Key characteristics:

Dedicated instance with no shared resources
99.95% SLA with cross-zone high availability included by default in multi-zone regions
Supports container images, Helm Charts (v2/v3), and any OCI-compliant artifact
Configurable network access controls (VPC isolation, allowlists)
Full audit trail via ActionTrail
Available in Basic Edition and Advanced Edition tiers — compare in Specifications

Recommended for: Teams running production services on ACK or any Kubernetes-based environment.

Container Registry Personal Edition (for individuals)

Container Registry Personal Edition provides basic image hosting, image building, and image authorization services for individual developers and exploratory use.

Recommended for: Individual developers learning container workflows or experimenting with ACR features.

Key features

Artifact hosting

ACR stores multi-architecture container images (Linux, Windows, Arm), Helm Charts (v2/v3), and any Open Container Initiative (OCI) artifact. Tag immutability prevents accidental overwrites, and automated cleanup rules control storage consumption.

Accelerated distribution

Container Registry Enterprise Edition replicates images across Alibaba Cloud regions through global synchronization. The Advanced Edition adds P2P (peer-to-peer) distribution and on-demand distribution (lazy pulling) to accelerate large-scale deployments.

Pull throughput guarantees by edition:

Edition	Pull throughput (QPS)
Personal Edition	Not guaranteed
Enterprise Basic	250
Enterprise Advanced	1,000

Security and compliance

Vulnerability scanning: Multi-engine scanning detects known CVEs in stored images before deployment.
Vulnerability fixing: Enterprise Edition identifies fixable vulnerabilities and guides remediation.
Threat blocking: Advanced Edition only. Automatically blocks images that violate your security policy from being pulled.
Image signing: Advanced Edition only. Cosign-compatible signing and verification for supply chain security.
Network access control: Restrict instance access to specific VPCs and CIDR ranges.
Audit logging: All image push, pull, and management events are logged to ActionTrail for compliance reporting.
Credential-free pull: Supported on Container Registry Enterprise Edition instances. Note: instances created on or after September 4, 2024 support credential-free pull on Enterprise Edition only; Container Registry Personal Edition instances created on or after that date do not support this feature.

Build and CI/CD integration

ACR builds container images from connected source repositories, with up to 10 concurrent builds on the Advanced Edition. Built images flow through your scan-and-sign workflow before reaching ACK clusters.

Artifact subscription and event notifications

Subscribe to upstream public repositories for automatic updates when new versions are published. Event notifications trigger deployment pipelines or alerts when images are pushed or scans complete.

Multi-region disaster recovery

Container Registry Enterprise Edition instances in multi-zone regions include cross-zone high availability by default. For cross-region disaster recovery, deploy separate instances per target region. Storage redundancy options include OSS zone-redundant storage (ZRS) for cross-zone protection and OSS cross-region replication (CRR) for cross-region backup.

How ACR works

Note

REVIEW REQUIRED (Finding 50): The following section was added during optimization and is not sourced from the original product documentation. The four specific claims marked below require verification by the product team before publication: (a) "standard Docker Registry HTTP API V2 protocol"; (b) "stores the image layers as OCI-compliant artifacts in Alibaba Cloud Object Storage Service (OSS)"; (c) "ACR deduplicates layers across images in the same namespace"; (d) "all stored artifacts are encrypted at rest".

When a developer or CI/CD system pushes a container image, ACR receives it over the Docker Registry HTTP API V2 protocol and stores image layers as OCI artifacts in Alibaba Cloud Object Storage Service (OSS). ACR deduplicates layers within the same namespace to reduce storage costs.

ACR then serves images to authorized clients — ACK clusters, developer workstations, or synchronized remote regions. Container Registry Enterprise Edition replicates images across regions through global synchronization rules, reducing pull latency for distributed services. The Advanced Edition adds P2P distribution and on-demand distribution (lazy pulling) for large-scale node-level deployments.

Security applies throughout: artifacts are encrypted at rest, vulnerability scanning runs against images using a multi-engine scanner, and network access controls restrict which VPCs and IP ranges can reach your instance.

Common use cases

CI/CD pipeline integration

Connect ACR to source repositories to build images on every commit. Vulnerability scanning runs after each build, and threat blocking rules prevent non-compliant images from reaching ACK clusters — creating an auditable path from source to production.

Multi-region and global deployments

Replicate images from a primary region to secondary regions with global synchronization rules. Combined with P2P distribution (Advanced Edition), this reduces pull times across geographically distributed Kubernetes clusters.

Enterprise security and compliance

Restrict registry access to specific VPCs, enforce tag immutability, sign images with Cosign, and verify signatures at deployment. Export ActionTrail logs to your SIEM for compliance reporting.

Migration from self-managed registries

Import images from Harbor to Container Registry Enterprise Edition without re-pushing through a local client. Artifact subscription replaces manual sync scripts for external public images.

Specifications

The following tables list key quotas and feature availability by edition. Instance edition features and differences provides a complete specification comparison.

Warning

Container Registry Personal Edition has no SLA guarantee, and Alibaba Cloud does not compensate for SLA violations. Usage limits apply. Do not use Personal Edition in production environments.

Note

Instance edition features and differences covers edition selection and disaster recovery options. Follow the disaster recovery guides to set up cross-zone recovery, cross-region recovery, and data backup.

Quotas

Feature	Personal Edition	Enterprise Basic	Enterprise Advanced
Namespace quota (container images)	3	15	50
Public repository quota (container images)	300	1,000	5,000
Helm Chart namespace quota	Not supported	15	50
Helm Chart public repository quota	Not supported	1,000	5,000
OCI artifact support	Not supported	Supported	Supported
Version immutability	Not supported	Supported	Supported
Tag management (automatic cleanup)	Not supported	Supported	Supported
Concurrent build quota	1	3	10
Artifact subscription	Not supported	5	30
Synchronization rules	Not supported	Not supported	60
VPC access control	Not supported	Purchase separately	Purchase separately
Custom domain name	Not supported	Supported	Supported
Fast image import from Harbor	Not supported	Supported	Supported
ActionTrail audit logging	Not supported	Supported	Supported
Event notification	Not supported	Supported	Supported

Distribution and security

Feature	Personal Edition	Enterprise Basic	Enterprise Advanced
Pull throughput guarantee (pull QPS)	Not guaranteed	250	1,000
Intelligent acceleration	Not supported	Supported	Supported
Multi-architecture image building	Not supported	Supported	Supported
P2P (peer-to-peer) distribution	Not supported	Not supported	Supported
On-demand distribution (lazy pulling)	Not supported	Not supported	Supported
Global synchronization	Not supported	Not supported	Supported
Multi-engine vulnerability scanning	Not supported	Supported	Supported
Vulnerability fixing	Not supported	Supported	Supported
Threat blocking (policy-based)	Not supported	Not supported	Supported
Image signing and signature verification	Not supported	Not supported	Supported
Network access control	Not supported	Supported	Supported
Cloud-native application delivery chain	Not supported	Not supported	Supported
Credential-free pull (instances before Sep 4, 2024)	Supported	Supported	Supported
Credential-free pull (instances on/after Sep 4, 2024)	Not supported	Supported	Supported

Disaster recovery

Module	Feature	Personal Edition	Enterprise Basic	Enterprise Advanced
Instance	Cross-zone disaster recovery	None	Supported by default in multi-zone regions	Supported by default in multi-zone regions
Instance	Cross-region disaster recovery	None	Create separate instances per region	Create separate instances per region
Instance storage	Cross-zone redundancy	None	Use OSS zone-redundant storage (ZRS)	Use OSS zone-redundant storage (ZRS)
Instance storage	Cross-region backup	None	Use OSS cross-region replication (CRR)	Use OSS cross-region replication (CRR)
Service guarantee	SLA	None	99.95%	99.95%

Get started

I want to...	Where to go
Try ACR quickly	Quickstart: Create a Container Registry Enterprise Edition instance
Compare editions and pricing	Instance types and pricing
Migrate images from Docker Hub or Harbor	Migrate images to ACR
Secure my registry with network controls	Configure network access control
Integrate ACR with my ACK cluster and CI/CD pipeline	Integrate ACR with ACK and DevOps pipelines
Configure disaster recovery	Instance edition features and differences — disaster recovery