
How to Choose a Container Registry: The Top 9 Picks

Written By

Florian Pialoux

The invention of the open-source Docker Engine in 2013 made containerization one of the first steps towards modernizing the process of developing cloud applications. Before the Docker Engine, you had to configure applications for a specific computer or hardware. The downside of this approach was that moving an application from one server to another could be time-consuming if the need arose.

But with the launch of the Docker Registry, the longstanding challenge of managing and organizing container registries was solved. In fact, the Docker Registry rapidly became the software industry standard. Today, container registries help firms collect, store, and deliver container images for the different phases of their software development process from a central location.


In this article, we outline the core features you need to know to help you choose the right container registry for your software development needs.


What is a Container Registry? 

A container registry is a highly scalable server-side application that allows CI/CD systems, developers, and testers to store images created during app development. The images stored in a container registry are for Kubernetes, DevOps, and container-based app development. Examples include Docker Hub, Amazon ECR, and Azure Container Registry.


How Do I Choose the Right Container Registry? 

The market is not short of container registries, which can make choosing one a difficult task. Before you set out to pick one, the core questions you need to consider are:

  • Do I want to host additional artifacts in addition to container images? Some container registries support other types of files such as Java, Node.js, or even Python packages. On the other hand, some only support container images.
  • Do I need extra security? A feature that only a few container registries offer is a vulnerability scan whenever you push an image to the registry.
  • Should I go with an on-prem or hosted container registry?

If you change your mind later, migrating from one container registry to another is a relatively easy task.

What are the Top Container Registries Available?


1. Amazon Elastic Container Registry (ECR)

Amazon’s ECR can be configured to support private and public Docker registries. These registries can be used with AWS IAM to control the access levels of users, services, and applications. Essentially, you can define which users have access to the protected container images.

AWS ECR also comes equipped with image vulnerability scanning, an essential feature for DevSecOps. It uses the Common Vulnerabilities and Exposures (CVEs) database from Clair to assess the severity of the issues found. Another great feature of AWS ECR is immutable image tags. When enabled, this feature ensures that no one can overwrite an image tag once it has been pushed to the container registry.
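The following is an added example, not code from the original article or from AWS: a small audit that reads JSON shaped like the output of `aws ecr describe-repositories`, flags repositories where immutable tags or scan on push are not enabled, and renders the AWS CLI commands that turn them on. The repository names and the sample response are constructed for illustration.

```python
import json
import shlex

# Constructed sample shaped like `aws ecr describe-repositories` output.
# Repository names are made up for this example.
SAMPLE = json.loads("""
{"repositories": [
  {"repositoryName": "payments-api", "imageTagMutability": "IMMUTABLE",
   "imageScanningConfiguration": {"scanOnPush": true}},
  {"repositoryName": "batch-worker", "imageTagMutability": "MUTABLE",
   "imageScanningConfiguration": {"scanOnPush": true}},
  {"repositoryName": "legacy-frontend", "imageTagMutability": "MUTABLE",
   "imageScanningConfiguration": {"scanOnPush": false}},
  {"repositoryName": "sandbox"}
]}
""")

# Finding -> AWS CLI call that turns the control on for one repository.
FIXES = {
    "mutable_tags": "aws ecr put-image-tag-mutability --repository-name {repo} "
                    "--image-tag-mutability IMMUTABLE",
    "no_scan_on_push": "aws ecr put-image-scanning-configuration "
                       "--repository-name {repo} "
                       "--image-scanning-configuration scanOnPush=true",
}


def audit(response):
    """Map each repository lacking a control to its list of findings."""
    report = {}
    for repo in response.get("repositories", []):
        findings = []
        # A missing field counts as the weak setting, so gaps are reported.
        if repo.get("imageTagMutability", "MUTABLE") != "IMMUTABLE":
            findings.append("mutable_tags")
        scan = repo.get("imageScanningConfiguration") or {}
        if not scan.get("scanOnPush", False):
            findings.append("no_scan_on_push")
        if findings:
            report[repo["repositoryName"]] = findings
    return report


def remediation(report):
    """Render the CLI commands that would close every finding."""
    return [FIXES[f].format(repo=shlex.quote(name))
            for name, findings in sorted(report.items()) for f in findings]


if __name__ == "__main__":
    for line in remediation(audit(SAMPLE)):
        print(line)
```

To audit a real account, feed `audit()` the parsed output of `aws ecr describe-repositories --output json` instead of the constructed sample.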

You can find the pricing information for Amazon Elastic Container Registry (AWS ECR) here: https://aws.amazon.com/ecr/pricing/



2. Azure Container Registry (ACR)

Microsoft’s Azure Container Registry is based on Docker Registry 2.0, where authentication is managed by Azure RBAC. Azure’s container registry comes with features that most competitors are not offering yet, such as:

Content trust is based on a concept created by Docker: it allows you to sign the images that you push to your Azure Container Registry.

Essentially, applications and users that consume your image can configure their clients to pull only signed images. The Docker client then verifies the integrity of the image, so they can be assured that the image was published by you and has not been modified since it was published. Other than hosting Docker container images, the Azure Container Registry supports OCI Images, OCI Artifacts, and Helm charts.

When it comes to pricing, Microsoft plays it differently and uses a tier system. For more information, visit: https://azure.microsoft.com/en-us/pricing/details/container-registry/



3. Docker Hub Container Registry

Docker Hub is probably the most popular container registry as it is the default Docker repository. It functions as a marketplace for public container images, which makes it the best choice if you decide to publicly distribute an image. Interestingly, Docker Hub’s free option was very attractive for a while until some users started to abuse it to mine cryptocurrencies with the auto-build feature.

As a result, Docker set some limits on image pulls and pushes and rethought how it monetizes Docker Hub. You can read more about the changes to the rate limits in this article, and the shift to Docker Hub auto builds here. One way to avoid Docker’s image pull rate limit is by using a caching proxy. You can find more information about how to do it here:

https://github.com/rpardini/docker-registry-proxy

In terms of pricing, the tier system allows you to unlock some specific features with a paid plan. However, overall it won't be as cost-effective as some of the other solutions such as AWS ECR or Microsoft’s Azure Container Registry.

To learn more about Docker Hub’s pricing, check out their website here:

https://www.docker.com/pricing



4. GitHub Package Registry

In May 2019, GitHub launched its package registry solution. Owing to the success of this package registry solution, they released support for container images in September 2020, first as a beta option. A notable aspect of GitHub’s container registry is the fact that it offers a seamless experience, especially for developers. Basically, authentication is managed with a personal access token, and that's all you need.

Another option is using a public repository, although in this case you need your users to authenticate with a GitHub user account. Overall, GitHub Packages is certainly not the container registry packed with the most features. However, its pricing is competitive if you intend to use GitHub Actions because you don’t get charged for ingress. Here’s a more detailed look at GitHub Packages’ features and pricing:

https://github.com/features/packages#pricing



5. GitLab Container Registry

GitLab has its own container registry that’s free to use and supports Docker container images as well as Helm charts (still in beta). It can be self-hosted if you use the self-hosted version of GitLab, or cloud-based through GitLab.com. One of GitLab Container Registry’s great features is its cleanup policy, which removes tags matching a certain regex pattern.

Alternatively, you can try their Package Registry, which is also free and supports Composer, Conan, Generic, Maven, npm, NuGet, PyPI, and RubyGems. Without a doubt, it is a great option to consider if you already use GitLab for your project repository.



6. Google Artifact Registry (GAR)

Previously, Google Container Registry (GCR) was the recommended option, but since summer 2021 Google has been asking its clients to transition to the Google Artifact Registry because GCR only receives critical security fixes. Essentially, the Google Artifact Registry is Google's new way to handle container images and non-container artifacts such as Maven, npm, Python, Apt, or even Yum packages.

GAR can be easily integrated with CI/CD pipelines to streamline the build and deployment of containers. It also provides vulnerability scanning for images, which you have to enable manually.

These articles shed more light on Google Artifact Registry and its vulnerability scanning features: 

https://cloud.google.com/artifact-registry/pricing

https://cloud.google.com/container-analysis/pricing


7. Harbor Container Registry

Created in 2014 and switched to an open-source model in 2016, Harbor is surely one of the most successful open-source projects by VMware. Harbor is a container registry that needs to be installed, configured, and managed by the user. It is easy to deploy with its Docker container, and you can use it with any Linux distribution that supports Docker. Note that you can also deploy Harbor with a Helm chart on your Kubernetes cluster.

The Harbor container registry also supports most of the features you expect to get from a container registry, such as:

  • vulnerability scanning
  • garbage collection
  • cross-region replication
  • content trust

Overall, it is a solid option to consider if you plan on hosting your own container registry.



8. Red Hat Quay

Originally created in 2012, Quay has seen major changes in the past few years. This container registry was first purchased by CoreOS in 2014, and later by Red Hat in 2018.

It can be quite confusing to understand the difference between Quay, Project Quay, or Red Hat Quay. Here’s a brief look at what each one entails:

  • Project Quay: standalone container registry which is the open-source distribution of Red Hat Quay comparable to Sonatype Nexus Repository OSS or Harbor.
  • Red Hat Quay.io: enterprise solution, hosted on Red Hat's cloud that is priced per number of private repositories. However, the public repositories are still free.
  • Red Hat Quay: enterprise container registry for private-cloud deployments available through Red Hat OpenShift as a built-in Operator.

Essentially, Quay offers a variety of products for different environments, all rich in features such as security scanning (using Clair), repository mirroring, audit logging, etc.

You can find the pricing details for Red Hat Quay.io here: https://quay.io/plans/



9. Sonatype Nexus Repository OSS

Similar to Harbor, Nexus Repository is another self-hosted container registry solution that supports other language packages as well. Sonatype has a Docker image that allows you to deploy it easily in your infrastructure. Sonatype also offers a Pro version of Nexus Repository with a few extra features. You can read about it here: https://www.sonatype.com/products/repository-oss-vs-pro-features

This can be a good option if you are hoping to self-host a package/container registry, since it provides rich documentation that covers many scenarios: https://help.sonatype.com/repomanager3


Comparison

Registries compared: Amazon ECR, Azure CR, Docker Hub, Google AR, GitHub Packages, GitLab CR, Harbor, Red Hat Quay, Sonatype Nexus Repository

Pricing

  • Amazon ECR: Storage: free (for 1 year with AWS Free Usage Tier) until 0.5GB, then $0.10 per GB/mo. Data transfer ingress: $0.09 per GB/mo.
  • Azure CR: Storage: $0.167 per day for 10GB under Basic tier; $0.667 per day for 100GB under Standard tier; $1.667 per day for 500GB under Premium tier.
  • Docker Hub: Their pricing isn't based on storage (see note 3).
  • Google AR: Storage: free until 0.5GB, then $0.10 per GB/mo. Data transfer ingress: potentially free, see network egress pricing info.
  • GitHub Packages: Storage: 500MB for Free tier; 2GB for Pro tier; 2GB for Team tier; 50GB for Enterprise tier; $0.25/GB for additional storage. Data transfer ingress: free if used through GitHub Actions, otherwise 1GB/month (Free tier), 10GB/month (Pro tier), 10GB/month (Team tier), 100GB/month (Enterprise tier), $0.5/GB for additional transfer.
  • GitLab CR: 🆓
  • Harbor: 🆓 (needs to be self-hosted)
  • Red Hat Quay: Red Hat Quay.io: $15/mo for 5 private repos; $30/mo for 10 private repos; $60/mo for 20 private repos; $125/mo for 50 private repos.
  • Sonatype Nexus Repository: 🆓 (needs to be self-hosted)

Support language packages (npm, Maven, yum, etc.)
(AWS CodeArtifact will help with that)

(but support OCI artifacts)

6

(but support OCI artifacts)

(but support OCI artifacts)
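
Authentication

  • Amazon ECR: AWS IAM
  • Azure CR: Azure RBAC
  • Docker Hub: Password or Access Token
  • Google AR: GCP IAM
  • GitHub Packages: Access token
  • GitLab CR: Personal Access Token or Deploy Token
  • Harbor: AD, LDAP, RBAC, and OIDC
  • Red Hat Quay: LDAP, Keystone, OIDC, Google and GitHub
  • Sonatype Nexus Repository: Atlassian Crowd, LDAP, RUT, SAML
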
Cross-region replication ✅ (only available with Premium tier) ❌ (not available on their SaaS but available on their Self-Hosted solution)
MFA for Image Push/Pull ✅ (beta)
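
SLA Availability

  • Amazon ECR: 99.9%
  • Azure CR: 99.9%
  • Docker Hub: n/a
  • Google AR: 99.9%
  • GitHub Packages: n/a
  • GitLab CR: n/a
  • Harbor: self-hosted
  • Red Hat Quay: n/a
  • Sonatype Nexus Repository: self-hosted
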
Garbage collection ✅ (tag expiration)
Image Scanning ✅🆓 ✅🆓 ✅ (free but limited see pricing plan) ✅ ($0.26/image)
(only with Ultimate tier)
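
Rate Limits (pull / push)

  • Amazon ECR: pull 120 000/minute; push 120 000/minute (see note 1)
  • Azure CR: pull up to 10 000/minute depending on the tier used; push up to 2000/minute depending on the tier used (see note 2)
  • Docker Hub: pull up to 1 440/minute depending on the tier used; push unknown (see note 4)
  • Google AR: pull 60 000/minute; push 18 000/minute (see note 5)
  • GitHub Packages: n/a
  • GitLab CR: n/a
  • Harbor: self-hosted
  • Red Hat Quay: n/a
  • Sonatype Nexus Repository: self-hosted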

1 https://docs.aws.amazon.com/AmazonECR/latest/userguide/service-quotas.html
2 https://docs.microsoft.com/en-ca/azure/container-registry/container-registry-skus#service-tier-features-and-limits
3 https://www.docker.com/pricing
4 https://www.docker.com/pricing
5 https://cloud.google.com/artifact-registry/quotas
6 Package Registry: https://docs.gitlab.com/ee/user/packages/package_registry/
7 If you have multiple Harbor instances: https://goharbor.io/docs/2.3.0/administration/configuring-replication/

Conclusion

All in all, the key factor you need to consider is network-close deployment, since it is critical to minimizing cost and latency when using a container registry.

We always advise our clients to use the container registry offered by their cloud provider. For instance, if your infrastructure is entirely based on AWS, we will advise you to use AWS ECR.

This is because all cloud resources share a common authentication model, and images will be pulled quicker as they won't need to travel long distances from different cloud providers.
