Merge pull request #53081 from MicrosoftDocs/NEW-store-manage-containers-azure-container-registry

New store manage containers azure container registry module

Author: AnnaMHuff

learn-pr/wwl-data-ai/store-manage-containers-azure-container-registry/1-introduction.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.store-manage-containers-azure-container-registry.introduction
+title: Introduction
+metadata:
+  title: Introduction
+  description: Introduction
+  ms.date: 01/05/2026
+  author: jeffkoms
+  ms.author: jeffko
+  ms.topic: unit
+durationInMinutes: 3
+content: |
+  [!include[](includes/1-introduction.md)]

learn-pr/wwl-data-ai/store-manage-containers-azure-container-registry/2-image-storage.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.store-manage-containers-azure-container-registry.image-storage
+title: Registries, repositories, and artifacts
+metadata:
+  title: Registries, Repositories, and Artifacts
+  description: Registries, repositories, and artifacts
+  ms.date: 01/05/2026
+  author: jeffkoms
+  ms.author: jeffko
+  ms.topic: unit
+durationInMinutes: 8
+content: |
+  [!include[](includes/2-image-storage.md)]

learn-pr/wwl-data-ai/store-manage-containers-azure-container-registry/3-build-run-acr-tasks.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.store-manage-containers-azure-container-registry.build-run-acr-tasks
+title: Build and run images with ACR Tasks
+metadata:
+  title: Build and Run Images with ACR Tasks
+  description: Build and run images with ACR Tasks
+  ms.date: 01/05/2026
+  author: jeffkoms
+  ms.author: jeffko
+  ms.topic: unit
+durationInMinutes: 10
+content: |
+  [!include[](includes/3-build-run-acr-tasks.md)]

learn-pr/wwl-data-ai/store-manage-containers-azure-container-registry/4-tag-version-images.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.store-manage-containers-azure-container-registry.tag-version-images
+title: Tag and version images
+metadata:
+  title: Tag and Version Images
+  description: Tag and version images
+  ms.date: 01/05/2026
+  author: jeffkoms
+  ms.author: jeffko
+  ms.topic: unit
+durationInMinutes: 8
+content: |
+  [!include[](includes/4-tag-version-images.md)]

learn-pr/wwl-data-ai/store-manage-containers-azure-container-registry/5-exercise-build-manage-acr-tasks.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.store-manage-containers-azure-container-registry.exercise-build-manage-acr-tasks
+title: Exercise - Build and manage a container image with ACR Tasks
+metadata:
+  title: Exercise - Build and Manage a Container Image with ACR Tasks
+  description: Exercise - Build and manage a container image with ACR Tasks
+  ms.date: 01/05/2026
+  author: jeffkoms
+  ms.author: jeffko
+  ms.topic: unit
+durationInMinutes: 30
+content: |
+  [!include[](includes/5-exercise-build-manage-acr-tasks.md)]

learn-pr/wwl-data-ai/store-manage-containers-azure-container-registry/6-module-assessment.yml

@@ -0,0 +1,69 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.store-manage-containers-azure-container-registry.module-assessment
+title: Module assessment
+metadata:
+  title: Module Assessment
+  description: Module assessment
+  ms.date: 01/05/2026
+  author: jeffkoms
+  ms.author: jeffko
+  ms.topic: unit
+durationInMinutes: 5
+content: |
+quiz:
+  questions:
+  - content: "Your team builds container images on developer workstations, leading to inconsistent results. You need to ensure all images are built in a controlled environment. Which Azure Container Registry feature addresses this requirement?"
+    choices:
+    - content: "ACR Tasks quick build"
+      isCorrect: true
+      explanation: "ACR Tasks quick build offloads image building to Azure, providing a consistent cloud environment that eliminates 'works on my machine' problems. Quick tasks use the az acr build command to build images in a controlled Azure environment."
+    - content: "Geo-replication"
+      isCorrect: false
+      explanation: "Geo-replication distributes images across multiple Azure regions for faster pulls but doesn't affect how images are built."
+    - content: "Repository namespaces"
+      isCorrect: false
+      explanation: "Repository namespaces organize images using forward-slash notation for logical grouping. They help with access control and organization but don't affect how images are built."
+  - content: "You need to deploy a container image to production and ensure every node in your Kubernetes cluster runs the exact same image version, even if someone pushes a new image with the same tag. How should you reference the image?"
+    choices:
+    - content: "By manifest digest"
+      isCorrect: true
+      explanation: "Manifest digests are immutable SHA-256 hashes that uniquely identify an image regardless of tags. Pulling by digest guarantees you get the exact image, even if someone pushes a new image with the same tag."
+    - content: "By the latest tag"
+      isCorrect: false
+      explanation: "The latest tag can change whenever a new image is pushed without specifying a tag. This makes deployments unpredictable and can result in different nodes running different image versions."
+    - content: "By semantic version tag"
+      isCorrect: false
+      explanation: "Semantic version tags like v1.2.0 can be overwritten with new images. While this is less common than overwriting latest, only digests provide guaranteed immutability."
+  - content: "Your AI application depends on a base image containing PyTorch. When the PyTorch team releases security patches to the base image, you want your application image to rebuild automatically. Which ACR Tasks trigger type provides this capability?"
+    choices:
+    - content: "Base image update trigger"
+      isCorrect: true
+      explanation: "Base image update triggers detect changes to parent images and automatically rebuild dependent images. This capability keeps your application images current with security patches in base images."
+    - content: "Source code commit trigger"
+      isCorrect: false
+      explanation: "Source code triggers respond to commits in your application's Git repository. They don't detect changes to base images in the registry."
+    - content: "Scheduled trigger"
+      isCorrect: false
+      explanation: "Scheduled triggers run at fixed intervals using cron expressions. While they can periodically rebuild images, they don't respond immediately to base image updates."
+  - content: "You're implementing a tagging strategy for production deployments. Your requirements include traceability to the source code commit and the ability to roll back to any previous version. Which tagging pattern best meets these requirements?"
+    choices:
+    - content: "Unique tags with Git commit SHA"
+      isCorrect: true
+      explanation: "Unique tags with Git commit SHA provide direct traceability to source code and guarantee each build is distinct for rollback. The immutable nature of unique tags ensures you can reference any specific build."
+    - content: "Stable tags like v1 and v2"
+      isCorrect: false
+      explanation: "Stable tags are reused across multiple image pushes, causing the tag to point to new images over time. This approach doesn't preserve previous versions for rollback."
+    - content: "Using only the latest tag"
+      isCorrect: false
+      explanation: "The latest tag provides no version tracking or rollback capability. It changes with each push and can't reference specific builds."
+  - content: "You deployed a critical AI inference API to production and need to prevent the container image from being accidentally deleted. Which ACR feature should you use?"
+    choices:
+    - content: "Image locking with write-enabled false"
+      isCorrect: true
+      explanation: "Setting write-enabled to false locks the image to prevent deletion or modification. Locked images remain available even when retention policies run, ensuring production deployments are protected."
+    - content: "Repository namespaces"
+      isCorrect: false
+      explanation: "Repository namespaces organize images using forward-slash notation but don't provide protection against deletion. Any image in a namespace can still be deleted by users with appropriate permissions."
+    - content: "Geo-replication"
+      isCorrect: false
+      explanation: "Geo-replication creates copies of images across regions for faster pulls. However, deleting an image in one region removes it from all replicated regions, so it doesn't protect against accidental deletion."

learn-pr/wwl-data-ai/store-manage-containers-azure-container-registry/7-summary.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.store-manage-containers-azure-container-registry.summary
+title: Summary
+metadata:
+  title: Summary
+  description: Summary
+  ms.date: 01/05/2026
+  author: jeffkoms
+  ms.author: jeffko
+  ms.topic: unit
+durationInMinutes: 2
+content: |
+  [!include[](includes/7-summary.md)]

learn-pr/wwl-data-ai/store-manage-containers-azure-container-registry/includes/1-introduction.md

@@ -0,0 +1,12 @@
+AI applications require a secure, scalable location to store container images that serve inference APIs, data pipelines, and backend services. This module guides you through using Azure Container Registry (ACR) to store, build, and manage container images for AI solutions on Azure.
+
+Imagine you're a developer building an AI inference service that processes customer requests in real time. Your team maintains several container images: a model serving API, a preprocessing service, and a monitoring sidecar. Each image requires updates as models improve and dependencies change. Currently, your team builds images locally and pushes them from developer workstations, leading to inconsistent builds and unclear versioning. Your client expects reliable deployments with traceable image versions and the ability to roll back to previous releases. You need a centralized registry that supports cloud-based builds, enforces consistent tagging, and integrates with your deployment pipelines.
+
+## Learning objectives
+
+After completing this module, you'll be able to:
+
+- Explain how Azure Container Registry organizes images using registries, repositories, and artifacts
+- Build and manage container images in the cloud using ACR Tasks
+- Implement tagging and versioning strategies for reliable container deployments
+- Use the Azure CLI to manage container images and run ACR quick tasks

learn-pr/wwl-data-ai/store-manage-containers-azure-container-registry/includes/2-image-storage.md

@@ -0,0 +1,108 @@
+Understanding how Azure Container Registry (ACR) organizes container images helps you design an effective storage strategy for AI applications. This unit explains the registry hierarchy and shows how manifests, layers, and digests enable efficient storage and retrieval of container artifacts.
+
+## Understand Azure Container Registry
+
+Azure Container Registry is a managed, private Docker registry service that stores and distributes container images and related artifacts. Unlike public registries such as Docker Hub, ACR provides direct control over access, geo-replication for global distribution, and integration with Azure services like Azure Kubernetes Service  and Azure Container Apps.
+
+For AI workloads, ACR offers several important capabilities:
+
+- **Private storage:** Keep model serving images, preprocessing containers, and inference APIs secure within your Azure environment
+- **Geo-replication:** Distribute images close to deployment regions for faster pulls and reduced latency
+- **Integration:** Connect directly to Azure Kubernetes Service, Azure Container Apps, and Azure App Service for seamless deployments
+- **Content formats:** Store Docker images, Helm charts, and OCI artifacts in a single registry
+
+ACR supports Basic, Standard, and Premium service tiers. Most developer workflows work identically across tiers, though features like content trust and private endpoints require Premium tier. The Basic tier works well for development and learning scenarios. Standard adds more storage and throughput for production workloads. Premium includes geo-replication, private endpoints, and content trust for enterprise deployments.
+
+## Registry hierarchy
+
+ACR uses a three-level hierarchy to organize content. Understanding this structure helps you plan how to arrange images for your AI applications.
+
+### Registry
+
+The registry is the top-level resource that hosts all container content. Each registry has a unique login server URL in the format `<registry-name>.azurecr.io`. When you create a registry, you choose a name that becomes part of this URL. For example, a registry named `contosoinference` has the login server `contosoinference.azurecr.io`.
+
+A registry contains multiple repositories and provides authentication, access control, and management capabilities. You can configure who has access to push and pull images, set retention policies, and enable features like geo-replication at the registry level.
+
+### Repository
+
+A repository is a collection of container images with the same name but different tags. For example, a repository named `inference-api` contains all versions of your inference API image. Each time you push a new version with a different tag, it appears in the same repository.
+
+Repositories support namespaces using forward slashes for organization. This feature lets you group related images logically:
+
+- `production/inference-api` for production-ready images
+- `staging/inference-api` for images under validation
+- `ml-team/model-server` for team-specific images
+
+Namespaces help with access control. You can grant a team permission to push images only to their namespace while restricting access to production images.
+
+### Artifact
+
+An artifact is the actual container image or other content stored in a repository. Each artifact has tags that identify it, layers that make up its content, and a manifest that describes its structure. Artifacts can include Docker images, Helm charts, or any OCI-compliant content.
+
+## Tags, layers, and manifests
+
+Each component of an artifact serves a specific purpose. Understanding these components helps you make informed decisions about image management.
+
+### Tags
+
+Tags identify specific versions of an artifact within a repository. The format `repository:tag` provides a human-readable reference. For example, `inference-api:v1.2.0` refers to version 1.2.0 of the inference API image. If you push or pull without specifying a tag, Docker uses `latest` by default.
+
+A single artifact can have multiple tags pointing to it. You might tag an image as both `inference-api:v1.2.0` and `inference-api:stable` to indicate it's the current stable release. Both tags reference the same underlying image.
+
+Tags are mutable. When you push a new image with an existing tag, the tag moves to point to the new image. This behavior is useful for tags like `latest` but can cause problems in production deployments where consistency matters.
+
+### Layers
+
+Container images consist of one or more layers. Each layer corresponds to an instruction in the Dockerfile that modifies the filesystem. For example, installing a package or copying files creates a new layer. Layers are content-addressable, meaning you can identify them by a hash of their content.
+
+ACR shares common layers across images, reducing storage costs and speeding up pulls. When multiple images share a base layer such as `python:3.11`, only one copy exists in the registry. This deduplication is valuable for AI applications where many images might share common ML framework layers.
+
+### Manifests
+
+Every artifact has a manifest that lists its layers and configuration. The manifest is identified by a SHA-256 digest in the format `sha256:abc123...`. Unlike tags, digests are immutable. Once an image is pushed, its digest never changes.
+
+Pulling by digest guarantees you get the exact image you expect, even if someone pushes a new image with the same tag. This immutability is critical for production AI deployments where you need consistency across all nodes.
+
+## Address artifacts for push and pull operations
+
+ACR supports two addressing formats for pushing and pulling images. Each approach has different use cases.
+
+### By tag
+
+Tag-based addressing uses the format `registry/repository:tag`. This approach provides human-readable references that are easy to remember and use in deployment configurations.
+
+```azurecli
+# Pull an image by tag
+docker pull myregistry.azurecr.io/inference-api:v1.2.0
+
+# Push an image with a tag
+docker push myregistry.azurecr.io/inference-api:v1.2.0
+```
+
+Tag-based addressing works well during development and for images where you want to receive automatic updates. However, tags can change, so deployments using tags might not be perfectly reproducible.
+
+### By digest
+
+Digest-based addressing uses the format `registry/repository@sha256:hash`. This approach guarantees you reference a specific, immutable image regardless of tag changes.
+
+```azurecli
+# Pull an image by digest
+docker pull myregistry.azurecr.io/inference-api@sha256:0a2e01852872580b2c2fea9380ff8d7b637d3928783c55beb3f21a6e58d5d108
+```
+
+Pull by digest when you need guaranteed reproducibility. Production deployments where consistency across nodes is critical should use digests. You can find an image's digest in the Azure portal, through the Azure CLI, or in the output when pushing an image.
+
+## Best practices for organizing registries
+
+Following these practices helps you maintain an organized and efficient registry:
+
+- **Use namespaces:** Organize repositories by team, environment, or project using forward-slash notation. This structure simplifies access control and makes it easier to find related images.
+- **Plan repository structure:** Group related images logically. Consider whether images belong together based on deployment patterns, team ownership, or lifecycle management needs.
+- **Enable geo-replication:** For global AI deployments, replicate images to regions where your services run. This reduces pull latency and improves deployment reliability.
+- **Monitor storage:** Track storage consumption and implement retention policies to remove untagged manifests. Container images accumulate over time, and cleanup policies prevent unnecessary storage costs.
+
+## Additional resources
+
+- [About registries, repositories, and artifacts](/azure/container-registry/container-registry-concepts)
+- [Azure Container Registry service tiers](/azure/container-registry/container-registry-skus)
+- [Best practices for Azure Container Registry](/azure/container-registry/container-registry-best-practices)