IBM Cloud Docs
Securing your connection to Container Registry

You can use private network connections to securely route your data in IBM Cloud® Container Registry.

If you use cloud-based services for production workloads, you can use a secure private connection so that you can ensure that you adhere to any compliance regulations. You can use IBM Cloud service endpoints to connect to IBM Cloud services over the private IBM Cloud network.

Service endpoints make it easier to securely route network traffic between different IBM Cloud services and your registry over the private IBM Cloud network. This network routing ensures that your data doesn't go over the public internet.

To learn more about IBM Cloud service endpoints, see Secure access to services by using service endpoints.

Using private network connections

You must set up your account with the correct authority so that you can set up a private network connection for pushing and pulling images.

IBM Cloud Container Registry is a multi-tenant offering and you are, therefore, not required to create your own service endpoints to connect to the registry over private connections.

Enabling service endpoint support for the account

To connect to IBM Cloud services over a private network, you must meet the following criteria.

  • You must be able to access the classic infrastructure.
  • You must enable virtual routing and forwarding (VRF) and connectivity to service endpoints for your account.
  • You must also have a billable account.

To enable your IBM Cloud account to use virtual routing and forwarding (VRF) and service endpoints, see Enabling VRF and service endpoints.

Considerations for private network connections

  • Private domain names aren't used by the container-registry CLI plug-in. If you push an image on the private domain name, and then use the CLI on a public connection to run the ibmcloud cr images command, the image is listed with all the other images that have the same public domain name.

  • If you have private IBM Cloud Kubernetes Service clusters, you aren't required to change anything. IBM Cloud Kubernetes Service already modifies the connection, which is referenced by the public domain name, to use a private connection. This behavior is unchanged.

  • Pull traffic is not charged for image pulls that use private connections.

  • If you use image signing and want to use the private domain names, you must re-sign any images that you already have because the domain name forms part of the signed artifact.

Pushing and pulling images

Private connections are available so that you can push and pull images. You use the same icr.io domain name with the private. prefix; for the private domain names, see Regions.

You can't use private connections for image management operations by using the IBM Cloud Container Registry CLI.

Run the docker login command to authenticate with your registry. Replace <apikey> with your API key and <private_registry_domain> with the private domain name where your namespaces are set up. The private domain names are described in Regions.

docker login -u iamapikey -p <apikey> <private_registry_domain>

IBM Cloud Container Registry supports other clients as well as Docker. To log in by using other clients, see Accessing your namespaces in automation.

For more information, see Automating access to IBM Cloud Container Registry.
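The following helper functions are an added example, not part of the IBM Cloud documentation or the ibmcloud CLI: they derive the private. domain name from a public icr.io host, rewrite an image reference to use it (so pulls and pushes keep working after private-only is enabled), and log in with the API key read from stdin (docker's --password-stdin) rather than passing it with -p. The namespace myspace and the image app:1.0 are placeholders.

```shell
#!/bin/sh
# Added example (not from the IBM Cloud docs): rewrite image references to the
# private. domain and log in with the key read from stdin rather than -p.

# Map a public icr.io host to its private counterpart by adding the "private."
# prefix; a host that already carries the prefix is returned unchanged.
to_private_host() {
  case "$1" in
    private.*) printf '%s\n' "$1" ;;
    *.icr.io|icr.io) printf 'private.%s\n' "$1" ;;
    *) return 1 ;;   # not a Container Registry host
  esac
}

# Rewrite the registry host of an image reference such as
# us.icr.io/myspace/app:1.0 to private.us.icr.io/myspace/app:1.0.
# References without an icr.io host are passed through unchanged.
to_private_ref() {
  ref="$1"
  host="${ref%%/*}"
  rest="${ref#*/}"
  if [ "$host" = "$ref" ]; then
    # no slash, so no registry host at all (e.g. "busybox")
    printf '%s\n' "$ref"
    return 0
  fi
  if priv=$(to_private_host "$host"); then
    printf '%s/%s\n' "$priv" "$rest"
  else
    printf '%s\n' "$ref"
  fi
}

# Log in to the private domain with the API key supplied on stdin, so the key
# does not appear in the process list or in shell history.
private_login() {
  docker login -u iamapikey --password-stdin "$(to_private_host "$1")"
}

# Usage (assumes docker is installed and "myspace" is a namespace you own):
# printf '%s' "$APIKEY" | private_login us.icr.io
# docker tag app:1.0 "$(to_private_ref us.icr.io/myspace/app:1.0)"
# docker push "$(to_private_ref us.icr.io/myspace/app:1.0)"
```

Images that were signed under the public domain name must be re-signed after the rewrite, because the domain name forms part of the signed artifact.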

Enforcing access to your account over a private network

You can prevent or allow image pulls or pushes over public network connections for your account by using the ibmcloud cr private-only command.

You can also use this command to check whether the use of private connections is set for your account.

After you enable the use of private connections on your account, any attempts to pull and push images or access signatures over the public network are rejected.

Because the use of private connections doesn't apply to the management API, you can still use the CLI over a public connection.

  • To prevent image pulls or pushes over public network connections for your account, run the following command.

    ibmcloud cr private-only --enable
    
  • To reinstate image pulls or pushes over public network connections for your account, run the following command.

    ibmcloud cr private-only --disable
    
  • To check whether the use of public connections is prevented for image pushes or pulls in your account, run the following command.

    ibmcloud cr private-only --status