This chapter covers securing Azure Container Registry (ACR) and Azure Kubernetes Service (AKS), a critical combination for containerized workloads in Azure. The AZ-500 exam devotes approximately 15-20% of questions to compute security, with container security being a significant subset. You will learn how to harden ACR with role-based access control, firewall rules, private endpoints, and content trust, and how to secure AKS clusters using Azure AD integration, network policies, Pod Security Standards, and Microsoft Defender for Containers. Mastering these topics is essential for the 'Manage security operations' and 'Secure compute' domains.
Jump to a section
Imagine a corporate library that stores reference books for a company's engineering teams. The library has strict access controls: only authorized employees can enter, and each book (container image) has a unique barcode (tag) and ISBN (digest). When a team needs a specific edition of a book, they request it from the librarian (Azure Container Registry). The librarian checks their credentials (RBAC) and logs the request (audit trail). The library is in a secure building with fire alarms (firewall rules) and a backup vault (geo-replication). If someone tries to slip in a counterfeit book (malicious image), the librarian uses a special scanner (Microsoft Defender for Cloud) to inspect it. The library also has a restricted section (network isolation) that only certain teams can access via a private tunnel (private endpoint). The librarian keeps a ledger (Azure Policy) to enforce rules like 'no books older than 90 days' (image retention) or 'only books from approved publishers' (trusted registries). This ensures only safe, authorized images are deployed into production.
Azure Container Registry (ACR) Security Overview
Azure Container Registry is a managed, private Docker registry service that stores container images and artifacts. ACR is built on top of Azure Blob Storage and provides a secure, scalable repository for your container workloads. The exam focuses on securing ACR at multiple layers: access control, network security, content trust, and vulnerability scanning.
Access Control: RBAC and Entra ID Integration
ACR uses Azure RBAC for authentication and authorization. The built-in roles are: - AcrPull: Allows pulling (downloading) images. - AcrPush: Allows pushing (uploading) images and Helm charts. - AcrDelete: Allows deleting images and tags. - AcrImageSigner: Allows signing images for content trust. - Contributor and Owner: Provide full management of the registry, including role assignments.
Authentication methods include:
- Azure AD authentication: Use az acr login to authenticate with your Azure AD identity. This is the recommended method for human users.
- Admin account: A legacy account with username and password (two passwords). Disabled by default; enable only for legacy scenarios. The exam warns against using admin accounts in production.
- Service principal: Use a service principal with a client ID and secret or certificate for automated deployments (e.g., CI/CD pipelines).
- Managed identity: Assign a managed identity to an Azure resource (e.g., AKS cluster) and grant it AcrPull role for seamless authentication.
Network Security: Firewall, Service Endpoints, and Private Endpoints
By default, ACR accepts connections from all networks. To restrict access: - Firewall rules: Configure IP-based access rules. Only allow traffic from specific IP ranges (e.g., your corporate VPN). - Service endpoints: Use Azure Service Endpoints to restrict traffic to your virtual network. This is a legacy approach; private endpoints are preferred. - Private endpoints: Assign a private IP address to ACR from your virtual network. Traffic never traverses the public internet. This is the most secure option and recommended for production. Requires a Private DNS Zone for resolution. - Public network access: You can disable public access entirely, forcing all traffic through private endpoints or trusted Azure services (like AKS).
Content Trust: Image Signing and Verification
ACR implements Docker Content Trust (Notary v2) to ensure image integrity. When enabled, only signed images can be pushed. The workflow:
1. A signer (user with AcrImageSigner role) signs the image using a delegation key.
2. The registry verifies the signature before accepting the image.
3. Clients configure DOCKER_CONTENT_TRUST=1 to pull only signed images.
On the exam, remember that content trust prevents tampering and ensures that images come from a trusted source. It does NOT scan for vulnerabilities.
Vulnerability Scanning: Microsoft Defender for Cloud
Microsoft Defender for Cloud provides vulnerability scanning for images in ACR. When enabled, it scans images on push and periodically. It detects vulnerabilities in OS packages and libraries, and provides remediation steps. The exam tests that scanning is enabled via Defender for Cloud (formerly Security Center) and that it is a prerequisite for AKS security assessments.
Azure Kubernetes Service (AKS) Security Overview
AKS is a managed Kubernetes service. Security responsibilities are shared between Microsoft and you. Microsoft manages the control plane (API server, etcd, scheduler) and you secure worker nodes, pods, and network policies.
Identity and Access Management: Azure AD Integration
AKS integrates with Azure AD for authentication. You can enable Azure AD integration (managed or legacy) to allow users to authenticate with their Azure AD credentials. Key points:
- Managed Azure AD integration: Default option. Creates a managed Azure AD application. Users get cluster-admin or namespace-level roles via Kubernetes RBAC.
- Azure RBAC for Kubernetes: Allows granting Azure AD users/groups roles like Azure Kubernetes Service RBAC Cluster Admin at the subscription or resource group level.
- Kubernetes RBAC: Uses Role and ClusterRole objects. The exam tests that you can use both Azure RBAC and Kubernetes RBAC together.
Network Security: Network Policies and Azure CNI
AKS supports two network plugins: kubenet and Azure CNI. For security, Azure CNI is recommended because it assigns a VNet IP to each pod, enabling Network Policies.
- Network Policies: Kubernetes resources that control pod-to-pod traffic. Use Calico or Azure network policy engine. Policies define ingress/egress rules based on pod labels, namespaces, IP blocks, and ports.
- Azure Policy for AKS: Apply Azure Policy to enforce security rules (e.g., disallow hostNetwork, require readOnlyRootFilesystem).
Pod Security Standards (PSS) and Pod Security Admission
Pod Security Standards define three levels: Privileged, Baseline, and Restricted. AKS uses Pod Security Admission (PSA) to enforce these standards at the namespace level. The exam tests: - Privileged: Unrestricted (least secure). - Baseline: Minimally restrictive (prevents known privilege escalations). - Restricted: Heavily restrictive (follows pod hardening best practices).
You can set PSA via labels on namespaces: pod-security.kubernetes.io/enforce.
Microsoft Defender for Containers
Microsoft Defender for Containers provides threat detection for AKS clusters, including: - Runtime threat detection: Alerts on suspicious activities like crypto mining, port scanning, or privileged container execution. - Vulnerability assessment: Scans container images in ACR and running pods. - Kubernetes audit logs: Analyzes API server logs for malicious commands.
Enable Defender for Cloud with the 'Containers' plan to get these features.
Secrets Management: Azure Key Vault with CSI Driver
AKS can mount secrets from Azure Key Vault using the Secret Store CSI Driver. This avoids storing secrets in etcd. The driver uses a managed identity to authenticate to Key Vault. Key points:
- CSI Driver: A Kubernetes CSI driver that mounts secrets as volumes or environment variables.
- Rotation: Key Vault supports automatic rotation; the driver can sync secrets without pod restart.
- Access: Grant the AKS cluster's managed identity Get and List permissions on Key Vault secrets.
Cluster Security Best Practices
Enable Azure Policy for AKS: Use built-in policies like 'Kubernetes clusters should not use the default namespace' or 'Containers should listen only on allowed ports'.
Use private clusters: Disable public API server endpoint. Access only from peered networks or via a jump box.
Enable cluster autoscaler and node security: Use Azure Disk Encryption for OS and data disks. Apply OS security updates automatically.
Network segmentation: Use Azure Firewall or NSGs to restrict egress traffic from nodes.
Immutable infrastructure: Use AKS node image auto-upgrade to keep nodes patched.
Monitoring and Auditing
Azure Monitor for containers: Collects metrics and logs from containers (CPU, memory, disk).
Kubernetes audit logs: Send to Log Analytics for analysis. Enable auditing via az aks enable-addons --addons monitoring.
Container insights: Provides a dashboard for cluster health and performance.
Integration with Azure Policy and Microsoft Defender
Azure Policy can enforce security rules on AKS clusters. For example, a policy can require that all pods have resource limits. Microsoft Defender for Cloud provides a security score for AKS clusters and recommends fixes. The exam tests that you can use these tools together to achieve compliance.
Exam-Relevant Commands and Configuration
Enable managed identity on AKS: az aks create -g MyRG -n MyCluster --enable-managed-identity
Attach ACR to AKS: az aks update -n MyCluster -g MyRG --attach-acr MyRegistry
Enable Azure AD integration: az aks create -g MyRG -n MyCluster --enable-aad
Enable private cluster: az aks create -g MyRG -n MyCluster --enable-private-cluster
Create network policy: Use YAML with podSelector, policyTypes, ingress, egress.
Enable Defender for Cloud: az security pricing create -n Containers --tier standard
Summary of Key Numbers and Defaults
ACR admin account: disabled by default.
ACR storage: 5 GB (Basic), 100 GB (Standard), 500 GB (Premium). Premium supports geo-replication.
AKS default node size: Standard_DS2_v2.
AKS default network plugin: kubenet (Azure CNI is recommended).
AKS default pod CIDR: 10.244.0.0/16 (kubenet).
Network policy engines: Calico (default) and Azure.
Pod Security Standards: Privileged, Baseline, Restricted.
Content trust: requires AcrImageSigner role.
Private endpoint: requires Private DNS Zone.
Defender for Containers: standard tier pricing applies.
Common Exam Traps
Trap 1: Assuming admin account is secure. It is not; use Azure AD or managed identity.
Trap 2: Confusing content trust with vulnerability scanning. Content trust is about integrity; scanning is about vulnerabilities.
Trap 3: Thinking that enabling private cluster automatically restricts API server access. You must also configure authorized IP ranges or a VPN.
Trap 4: Believing that Azure RBAC for Kubernetes replaces Kubernetes RBAC. They work together.
Trap 5: Overlooking that AKS node pools need network security groups (NSGs) for egress filtering.
This core explanation covers the essential mechanisms and configurations you need to know for the AZ-500 exam. Focus on understanding the 'why' behind each security control and the specific Azure services involved.
Create ACR with Private Endpoint
When creating an Azure Container Registry, you can enable a private endpoint to connect the registry to your virtual network. In the Azure portal, navigate to ACR -> Networking -> Private endpoint connections. Create a new private endpoint: select your VNet and subnet, and choose the target sub-resource 'registry'. This assigns a private IP from the subnet to the registry. You must also create a Private DNS Zone (privatelink.azurecr.io) and link it to the VNet so that DNS resolution returns the private IP. Once configured, you can disable public network access. The result is that all traffic to ACR stays within the Microsoft backbone and your VNet, never traversing the internet. This is the most secure network configuration for ACR and is a common exam scenario.
Grant AKS Managed Identity AcrPull Role
To allow an AKS cluster to pull images from ACR, you need to grant the AKS cluster's managed identity the AcrPull role on the registry. First, get the principal ID of the AKS cluster's managed identity using `az aks show -g MyRG -n MyCluster --query identity.principalId`. Then assign the role: `az role assignment create --assignee <principal-id> --role AcrPull --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/<acr-name>`. Alternatively, use `az aks update -g MyRG -n MyCluster --attach-acr MyRegistry` which does this automatically. This step is crucial for automated deployments; without it, the cluster cannot pull images, and pods will fail with ImagePullBackOff errors. The exam tests that you understand the need for RBAC assignment, not just the command.
Enable Content Trust on ACR
Content trust ensures that only signed images can be pushed to the registry. To enable, you must first have a user with the AcrImageSigner role. Then, push a signed image using Docker Content Trust. Set environment variable `DOCKER_CONTENT_TRUST=1` before running `docker push`. The client signs the image using a delegation key. The registry verifies the signature before accepting. When pulling, clients with `DOCKER_CONTENT_TRUST=1` will only pull signed images. This prevents tampering. On the exam, remember that content trust does not scan for vulnerabilities; it only verifies integrity. Also, you need to manage root keys and delegation keys. If you lose the root key, you cannot sign new images. Azure Key Vault can be used to store keys securely.
Enable Azure AD Integration on AKS
To enable managed Azure AD integration on an existing AKS cluster, use the command `az aks update -g MyRG -n MyCluster --enable-aad`. This creates a managed Azure AD application and configures the cluster to use Azure AD for authentication. Users can then authenticate using `kubectl` with their Azure AD credentials. After integration, you can grant users Kubernetes RBAC roles like `cluster-admin` using Azure RBAC assignments. For example, assign the `Azure Kubernetes Service RBAC Cluster Admin` role to an Azure AD group at the cluster scope. This allows group members to run kubectl commands. The exam tests that you can enable this feature and that it is the recommended authentication method. Legacy AAD integration (with a server app) is still supported but not preferred.
Apply Pod Security Standards via Namespace Labels
Pod Security Standards (PSS) are enforced using Pod Security Admission (PSA), which is enabled by default on AKS. To apply a standard to a namespace, add a label: `kubectl label ns <namespace> pod-security.kubernetes.io/enforce=restricted`. This tells the PSA controller to reject any pod that violates the Restricted standard. You can also use `warn` and `audit` modes to log violations without blocking. The three levels are Privileged (no restrictions), Baseline (prevents known privilege escalations), and Restricted (heavily hardened). For example, Restricted requires `runAsNonRoot: true`, `seccompProfile: RuntimeDefault`, and drops all capabilities. On the exam, know the differences between the three levels and how to apply them. Common questions ask which level to use for a given security requirement.
Enterprise Scenario 1: E-Commerce Platform with Microservices
A large e-commerce company runs hundreds of microservices on AKS across multiple regions. They use ACR Premium with geo-replication to ensure low-latency pulls in each region. Security is paramount: they enable private endpoints for ACR and AKS, disable public access, and use Azure Firewall to control egress. They integrate Azure AD for AKS authentication and use Azure RBAC to grant developers namespace-level access. For image security, they enable Microsoft Defender for Containers to scan images on push and run time. They also enforce Pod Security Standards: the 'restricted' level for production namespaces and 'baseline' for development. They use Azure Policy to enforce that all pods have resource limits and that images come only from approved registries. A common misconfiguration they've encountered is forgetting to assign AcrPull role to the AKS managed identity, causing deployments to fail with ImagePullBackOff. They also learned to use network policies to isolate microservices, preventing lateral movement if a container is compromised. At scale, they monitor cluster performance with Container Insights and set alerts for any security events from Defender for Cloud. This setup meets PCI-DSS compliance requirements for cardholder data environments.
Enterprise Scenario 2: Financial Services with Compliance Requirements
A bank deploys a containerized trading application on AKS. They have strict regulatory requirements: all container images must be signed (content trust) and scanned for vulnerabilities. They use ACR with content trust enabled, and only users with AcrImageSigner role can push signed images. The build pipeline (Azure DevOps) uses a service principal with AcrPush and AcrImageSigner roles to push signed images. The AKS cluster is private (no public API endpoint) and integrated with Azure AD. Developers access the cluster via a jump box in a management VNet. They use Azure Key Vault CSI driver to mount secrets (like database passwords) without storing them in etcd. They also use network policies to restrict pod-to-pod communication: only the frontend pods can talk to backend pods on specific ports. A major challenge was rotating the signing keys; they now store root keys in Azure Key Vault with hardware security module (HSM) backing. They also enable Defender for Containers runtime threat detection, which alerted them to a cryptominer in a compromised container. The incident response involved isolating the pod using network policies and revoking the compromised service principal. This scenario is typical for regulated industries and tests your knowledge of layered security.
Enterprise Scenario 3: DevOps CI/CD Pipeline Integration
A SaaS company automates deployments using GitHub Actions. Their CI/CD pipeline builds container images, pushes them to ACR, and deploys to AKS. Security is integrated at every step: the pipeline uses OpenID Connect (OIDC) to authenticate to Azure without storing secrets. The GitHub Actions runner is assigned a managed identity that has AcrPush role on ACR. After push, a separate job triggers Defender for Cloud scanning; if vulnerabilities are found, the pipeline fails. For deployment, the pipeline uses az aks get-credentials with Azure AD authentication. They use Azure Policy to enforce that all deployments must have at least two replicas and that containers run as non-root. They also use GitOps with Flux to ensure cluster state matches git repository. A common mistake they've seen is disabling public network access on ACR but forgetting to configure the private endpoint, causing the pipeline to fail. They also learned to use az acr check-health to diagnose connectivity issues. This scenario highlights the importance of integrating security into CI/CD and understanding the authentication flow between services.
What AZ-500 Tests on Container Registry and AKS Security
The AZ-500 exam objectives for this topic fall under 'Secure compute' (objective 2.2) and 'Manage security operations' (objective 3.2). Specifically, you should be able to:
Configure security for container registries (ACR) including RBAC, network isolation, and content trust.
Secure AKS clusters using Azure AD integration, network policies, pod security, and Azure Policy.
Implement vulnerability management using Microsoft Defender for Containers.
Manage secrets with Key Vault and CSI driver.
Common Wrong Answers and Why Candidates Choose Them
Wrong answer: 'Enable admin account on ACR for CI/CD pipelines.' Candidates think a simple username/password is easier. Reality: admin accounts are insecure, not recommended, and Azure AD authentication (service principal or managed identity) should be used. The exam will test that you know admin accounts are disabled by default and should remain disabled.
Wrong answer: 'Content trust scans images for vulnerabilities.' Candidates confuse integrity with vulnerability scanning. Content trust only signs images to verify they haven't been tampered with; it does not scan for CVEs. Vulnerability scanning is done by Microsoft Defender for Cloud. The exam may ask what content trust prevents (tampering) and what it does not (vulnerability detection).
Wrong answer: 'Azure RBAC for Kubernetes replaces Kubernetes RBAC.' Candidates think they are mutually exclusive. Reality: they work together. Azure RBAC controls who can access the cluster (authentication and authorization at Azure level), while Kubernetes RBAC controls what they can do within the cluster (authorization at Kubernetes level). The exam tests that you can use both.
Wrong answer: 'Private cluster means the API server is not accessible from the internet.' This is actually correct, but candidates often think that's enough. The trap is that you still need to configure authorized IP ranges or a VPN to allow access from your management network. A private cluster only assigns a private IP to the API server; you must still control inbound access.
Specific Numbers and Terms That Appear on the Exam
ACR SKUs: Basic (5 GB), Standard (100 GB), Premium (500 GB). Premium supports geo-replication and private endpoints.
ACR roles: AcrPull, AcrPush, AcrDelete, AcrImageSigner.
Content trust: requires DOCKER_CONTENT_TRUST=1.
AKS default node size: Standard_DS2_v2.
AKS network plugins: kubenet (default), Azure CNI.
Pod Security Standards: Privileged, Baseline, Restricted.
Defender for Containers: part of Microsoft Defender for Cloud (standard tier).
Private endpoint DNS zone: privatelink.azurecr.io.
az aks enable-addons --addons monitoring for Container Insights.
Edge Cases and Exceptions
If you attach an ACR to AKS using --attach-acr, it assigns the AcrPull role to the AKS kubelet identity. But if the AKS cluster is in a different subscription, you must manually assign the role.
Content trust keys: if you lose the root key, you must reset content trust entirely. There is no recovery.
AKS private cluster: you cannot convert a non-private cluster to private; you must create a new one.
Network policies: they are only supported with Azure CNI. If you use kubenet, you cannot use network policies (except Calico with certain configurations).
Pod Security Admission: it is enabled by default on AKS 1.23+. Older clusters may need to enable the admission controller manually.
How to Eliminate Wrong Answers Using the Underlying Mechanism
When faced with a question, ask yourself: 'What is the mechanism that solves this security requirement?' For example, if the question asks about preventing unauthorized image tampering, the mechanism is content trust (signing). If it asks about restricting network access, the mechanism is private endpoint or service endpoint. If it asks about vulnerability scanning, the mechanism is Defender for Cloud. If it asks about authentication, the mechanism is Azure AD integration. By mapping the requirement to the correct Azure service or feature, you can eliminate answers that use a different mechanism (e.g., using RBAC to prevent tampering is wrong because RBAC controls who can push, not whether the image is tampered). Also, remember that some features are mutually exclusive or have prerequisites: e.g., network policies require Azure CNI; content trust requires AcrImageSigner role. Use these relationships to eliminate inconsistent answers.
ACR admin account is disabled by default and should remain disabled; use Azure AD authentication instead.
Content trust ensures image integrity via signing; it does NOT scan for vulnerabilities.
AKS Azure AD integration is the recommended authentication method; legacy AAD integration is deprecated.
Network policies require Azure CNI; kubenet does not support them.
Pod Security Standards are enforced via Pod Security Admission labels on namespaces.
Microsoft Defender for Containers provides runtime threat detection and vulnerability scanning.
Private endpoints for ACR and AKS provide the most secure network isolation.
Azure Key Vault CSI driver mounts secrets without storing them in etcd.
Azure Policy for AKS enforces security rules at scale.
Attach ACR to AKS using `az aks update --attach-acr` to grant AcrPull role automatically.
Private cluster API server is not publicly accessible, but you must still configure authorized IP ranges or VPN.
Content trust requires AcrImageSigner role and `DOCKER_CONTENT_TRUST=1`.
These come up on the exam all the time. Here's how to tell them apart.
ACR Admin Account
Static username and two passwords
Disabled by default
No integration with Azure AD
Cannot use managed identity
Not recommended for production
Azure AD Authentication
Uses Azure AD identity (user, SP, or managed identity)
Enabled by default
Supports conditional access and MFA
Can use managed identity for automated access
Recommended for all scenarios
Mistake
ACR admin account is secure for production use.
Correct
The admin account uses static passwords that are shared and cannot be rotated easily. It should be disabled by default. Use Azure AD authentication via managed identity or service principal for production.
Mistake
Content trust scans images for vulnerabilities.
Correct
Content trust only ensures image integrity by signing. Vulnerability scanning is done by Microsoft Defender for Cloud (or third-party tools). Content trust does not detect CVEs.
Mistake
Azure RBAC for Kubernetes completely replaces Kubernetes RBAC.
Correct
Azure RBAC controls access to the cluster and can grant Kubernetes roles, but Kubernetes RBAC still governs permissions within the cluster. They are complementary; you can use both.
Mistake
Private AKS cluster automatically restricts all access to the API server.
Correct
A private cluster assigns a private IP to the API server, but you still need to configure authorized IP ranges or a VPN to allow access from your management network. Private endpoint alone does not block all internet access.
Mistake
Network policies work with any AKS network plugin.
Correct
Network policies require Azure CNI (or Calico with certain configurations). The default kubenet plugin does not support network policies. You must choose Azure CNI or Calico for network policy enforcement.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
In the Azure portal, go to your ACR -> Networking -> Private endpoint connections, click '+ Private endpoint'. Select the subscription, resource group, name, and region. In 'Resource', select 'Microsoft.ContainerRegistry/registries' and target sub-resource 'registry'. Then select your VNet and subnet. For DNS, create a Private DNS Zone 'privatelink.azurecr.io' and link it to the VNet. Once created, you can disable public network access. This ensures all traffic to ACR stays within your VNet.
Service endpoints extend your VNet to Azure service over the Microsoft backbone but still use a public IP for the service. Private endpoints assign a private IP from your VNet to the service, making it part of your VNet. Private endpoints are more secure because traffic never leaves your VNet and you can disable public access. Service endpoints are a legacy feature; private endpoints are recommended for production.
AKS supports managed Azure AD integration (default). When enabled, users authenticate using `kubectl` with their Azure AD credentials. The cluster uses Azure AD as the identity provider. You can then assign Kubernetes RBAC roles to Azure AD users or groups via Azure RBAC (e.g., 'Azure Kubernetes Service RBAC Cluster Admin'). This is the recommended method. Legacy AAD integration (with a server application) is still available but not preferred.
Pod Security Standards (PSS) define three levels: Privileged, Baseline, and Restricted. They are enforced via Pod Security Admission (PSA), which is enabled by default on AKS. To apply a level to a namespace, add a label: `kubectl label ns <namespace> pod-security.kubernetes.io/enforce=restricted`. This rejects any pod that violates the level. You can also use 'warn' or 'audit' modes. Use 'restricted' for production workloads to enforce strict security.
No, ACR does not scan images by default. You must enable Microsoft Defender for Cloud with the 'Containers' plan. Once enabled, Defender scans images on push and periodically. It detects vulnerabilities in OS packages and libraries. You can also use third-party scanners like Twistlock or Aqua. The exam tests that you know Defender for Cloud provides this scanning.
Use Azure Key Vault with the Secret Store CSI driver. Install the CSI driver on your AKS cluster, then create a SecretProviderClass that references a Key Vault and a managed identity. Mount secrets as volumes or environment variables in pods. The driver automatically rotates secrets when they change in Key Vault. This avoids storing secrets in Kubernetes etcd.
No, you cannot convert an existing cluster to private. You must create a new cluster with the `--enable-private-cluster` flag. The private cluster assigns a private IP to the API server. You can then access it from peered networks or a jump box. This is a common exam point: private cluster must be enabled at creation time.
You've just covered Container Registry and AKS Security — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?