Roadmap: ACR Networking - ACR Service should be an Azure Trusted Service from Storage Account Perspective
Today, ACR is not recognized as an Azure Trusted Service by Azure Storage Accounts. Because of this, any ACR feature that interacts with a Storage Account, such as the planned server-side backup and restore or the existing ACR Transfer Pipelines, fails when the Storage Account is network-restricted (default action Deny with only IP, virtual network, or trusted-service exceptions).
ACR should be recognized as an Azure Trusted Service by Storage Accounts. This would allow key ACR capabilities to work seamlessly with network-restricted Storage Accounts, including:
- Transfer Pipelines (Import and Export)
- Server-side backup and restore (oras backup / oras restore)
- Any other ACR features that rely on Storage Accounts for cross-service operations
For context, when a resource (such as a server-side backup/restore resource or a transfer pipeline resource) is MI-enabled, the service that owns it can be onboarded as a Trusted Azure Service with another Azure service (such as Storage). A user who needs to reach a network-restricted storage account then creates the resource (e.g. a transfer pipeline or a server-side backup/restore) with a managed identity, and that resource can access the network-restricted Storage Account. For this to work, the Azure Storage team would need to onboard the ACR service as an Azure Trusted Service, in the same way that Key Vault has onboarded the ACR service as a trusted service (from Key Vault's perspective) to enable CMK-encrypted ACR registries. Once onboarded, the Storage service sees that an incoming request originates from the ACR service and lets it bypass the storage account's network rules, as the user intended. Two caveats apply: the bypass only takes effect when the storage account's network rules allow trusted Azure services (the "Allow Azure services on the trusted services list" setting, i.e. `bypass` includes `AzureServices`), and it only removes the network restriction; the resource's managed identity must still hold the required data-plane RBAC role on the storage account.
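To make the bypass decision concrete, the following is an added example, not code from the ACR project or from the Azure Storage service. It models, in simplified form, how a storage account's `networkRuleSet` (the shape returned by `az storage account show --query networkRuleSet`) is evaluated against an incoming caller: default action, trusted-service bypass, resource instance rules and IP rules. The trusted-services list, the caller names, the resource IDs and the rule set are all constructed assumptions, and `Microsoft.ExampleTrustedService` is a placeholder for whatever is actually on the list today.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical stand-in for Azure Storage's trusted services list (assumption).
# ACR is deliberately absent, which is the situation this issue describes.
TRUSTED_SERVICES = frozenset({"Microsoft.ExampleTrustedService"})

# ACR's ARM provider namespace (real), used as the caller's service name.
ACR_SERVICE = "Microsoft.ContainerRegistry"


@dataclass
class Caller:
    service: str            # ARM provider namespace of the calling service
    resource_id: str = ""   # ARM id of the MI-enabled resource (for resource instance rules)
    source_ip: str = ""     # public source IP of the request (for IP rules)


def _bypass_set(rule_set):
    """Normalize 'bypass' (string like 'AzureServices, Logging' or a list) to a set."""
    raw = rule_set.get("bypass", "None")
    parts = raw if isinstance(raw, list) else raw.split(",")
    return {p.strip() for p in parts if p.strip()}


def evaluate(rule_set, caller, trusted=TRUSTED_SERVICES):
    """Simplified model of the storage network rule decision.

    Returns (allowed, reason). This is an illustrative model, not Azure's
    actual evaluation code; the ordering is an assumption.
    """
    if rule_set.get("defaultAction", "Allow").lower() == "allow":
        return True, "defaultAction=Allow: account is not network-restricted"
    if "AzureServices" in _bypass_set(rule_set) and caller.service in trusted:
        return True, f"{caller.service} is on the trusted services list"
    for rule in rule_set.get("resourceAccessRules") or []:
        if caller.resource_id and rule.get("resourceId", "").lower() == caller.resource_id.lower():
            return True, "matched a resource instance rule"
    for rule in rule_set.get("ipRules") or []:
        if rule.get("action", "Allow").lower() != "allow" or not caller.source_ip:
            continue
        if ipaddress.ip_address(caller.source_ip) in ipaddress.ip_network(rule["value"], strict=False):
            return True, f"matched IP rule {rule['value']}"
    return False, "defaultAction=Deny and no exception matched"


# Constructed network-restricted storage account: deny by default, trusted services allowed,
# one IP range allowed. 203.0.113.0/24 is a documentation range, not a real network.
RESTRICTED_RULE_SET = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"action": "Allow", "value": "203.0.113.0/24"}],
    "virtualNetworkRules": [],
    "resourceAccessRules": [],
}

# Hypothetical transfer pipeline resource id (constructed, not a real subscription).
PIPELINE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
               "/providers/Microsoft.ContainerRegistry/registries/myacr/exportPipelines/export1")


def acr_transfer_today():
    """ACR Transfer Pipeline (MI-enabled) against the restricted account, with ACR not yet trusted."""
    return evaluate(RESTRICTED_RULE_SET, Caller(ACR_SERVICE, PIPELINE_ID))


def acr_transfer_after_onboarding():
    """Same request once Storage treats ACR as a trusted service."""
    return evaluate(RESTRICTED_RULE_SET, Caller(ACR_SERVICE, PIPELINE_ID),
                    trusted=TRUSTED_SERVICES | {ACR_SERVICE})


if __name__ == "__main__":
    print("today:          ", acr_transfer_today())
    print("after onboarding:", acr_transfer_after_onboarding())
```

Running the model shows the two states the issue contrasts: the pipeline is denied today because the account's default action is Deny and ACR is not on the trusted list, and the identical request is allowed once ACR is added to that list. Note that even in the allowed case the model only answers the network question; data-plane RBAC on the storage account is a separate check.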
Related issues:
- https://github.com/Azure/azure-cli-extensions/issues/8706