Compare container registry services (ECR, ACR, Artifact Registry, OCIR) across clouds.
| Feature | Category | AWS | Azure | GCP | OCI |
|---|---|---|---|---|---|
| Service Name | Core Features | Amazon Elastic Container Registry (ECR) | Azure Container Registry (ACR) | Google Artifact Registry | OCI Container Registry (OCIR) |
| Registry Scope | Core Features | Per-account, per-region private registries; public ECR for open-source | Per-registry resource with multi-region geo-replication | Per-project registries supporting containers, packages, and OS images | Per-tenancy, per-region registry with compartment-level access |
| Supported Artifacts | Core Features | Docker images, OCI images, Helm charts | Docker images, OCI artifacts, Helm charts, Singularity images | Docker images, Helm charts, language packages (npm, Maven, Python, etc.) | Docker images, OCI-compliant images |
| Pricing Model | Core Features | Storage per GB/month + data transfer out | Basic/Standard/Premium tiers with included storage + overage | Artifact Registry: storage per GB + network egress | 5 free repositories; storage charged per GB/month |
| Storage Limit | Core Features | No hard limit; pay per GB stored | Basic: 10 GB, Standard: 100 GB, Premium: 500 GB (expandable) | No hard limit; pay per GB stored in Cloud Storage | No hard limit; pay per GB stored in Object Storage |
| Image Pull Throughput | Core Features | Scales automatically; no rate limit on authenticated pulls | Basic: 10 Mbps, Standard: 60 Mbps, Premium: 100+ Mbps | Automatic scaling; served from Cloud Storage edge caches | Scales automatically; no published throughput caps |
| Vulnerability Scanning | Security | ECR Enhanced Scanning via Amazon Inspector (OS + language packages) | Microsoft Defender for Containers (Qualys-based scanning) | Artifact Analysis with automated vulnerability scanning | Third-party scanning integration; no native scanner |
| Image Signing | Security | Sigstore/Notation integration; no native signing | Azure Key Vault content trust with Notation and Cosign | Binary Authorization with Cosign and attestation policies | Image signing with OCI Vault keys |
| Access Control | Security | IAM policies per repository; resource-based policies | Azure RBAC roles (AcrPull, AcrPush, AcrAdmin, etc.) | IAM roles (Artifact Registry Reader, Writer, Admin) | IAM policies at compartment or repository level |
| Encryption at Rest | Security | AES-256 via AWS KMS (AWS-managed or customer-managed CMK) | Customer-managed keys via Azure Key Vault (Premium tier) | Google-managed or CMEK via Cloud KMS | AES-256 via Oracle-managed or customer-managed keys |
| Private Network Access | Security | VPC endpoints via AWS PrivateLink | Private endpoints via Azure Private Link | VPC Service Controls; Private Google Access | Private endpoints within VCN subnets |
| Lifecycle Policies | Operations | Lifecycle rules to expire images by age, count, or tag status | Retention policies and purge tasks for untagged images | Cleanup policies based on tag status, age, and version count | Retention policies for image expiration by age |
| Geo-Replication | Operations | ECR Replication for cross-region and cross-account image sync | Premium tier geo-replication to multiple Azure regions | Multi-region repositories (us, europe, asia) with edge caching | Manual cross-region replication via OCI CLI/API |
| Image Immutability | Operations | Image tag immutability setting per repository | Tag locking for immutable image tags | Tag immutability via Artifact Registry settings | No native tag immutability; enforce via IAM policies |
| Cache / Pull-Through | Operations | Pull-through cache rules for Docker Hub, ECR Public, GitHub, Quay | ACR cache for Docker Hub, GitHub, and other upstream registries | Remote repositories as pull-through cache for upstream registries | No native pull-through cache; manual mirror setup |
| Kubernetes Integration | Integration | Native EKS integration; image pull via IAM IRSA | Native AKS integration; managed identity image pull | Native GKE integration; Workload Identity for image pull | Native OKE integration; instance principal image pull |
| CI/CD Integration | Integration | CodeBuild, CodePipeline; Docker CLI, GitHub Actions | ACR Tasks for in-registry builds; Azure DevOps, GitHub Actions | Cloud Build for in-registry builds; GitHub Actions, Jenkins | OCI DevOps build pipelines; Docker CLI, GitHub Actions |
| In-Registry Build | Integration | No in-registry build; use CodeBuild or external CI | ACR Tasks: quick tasks, multi-step tasks, triggered builds | Cloud Build triggered from Artifact Registry events | No in-registry build; use OCI DevOps Build pipeline |
| Webhook / Events | Integration | EventBridge events for push, scan completion, delete | ACR webhooks and Event Grid events for push/delete actions | Pub/Sub notifications for Artifact Registry events | OCI Events service for image push/delete notifications |
| Terraform Support | Integration | aws_ecr_repository, aws_ecr_lifecycle_policy, aws_ecr_replication_configuration | azurerm_container_registry, azurerm_container_registry_webhook | google_artifact_registry_repository, _repository_iam_member | oci_artifacts_container_repository, oci_artifacts_container_image_signature |

Container registries are essential infrastructure for any containerized deployment, storing and distributing container images to orchestration platforms. AWS ECR, Azure ACR, GCP Artifact Registry, and OCI Container Registry each offer different feature sets for image scanning, replication, lifecycle management, and access control. This comparison examines registry capabilities, pricing models, vulnerability scanning integration, geo-replication options, and OCI (Open Container Initiative) artifact support across all four cloud providers.