openshift-docs/modules/registry-configuring-private-storage-endpoint-azure.adoc

// Module included in the following assemblies:
//
// * post_installation_configuration/configuring-private-cluster.adoc

:_mod-docs-content-type: CONCEPT
[id="registry-configuring-private-storage-endpoint-azure_{context}"]
= Configuring a private storage endpoint on Azure

You can leverage the Image Registry Operator to use private endpoints on Azure, which enables seamless configuration of private storage accounts when {product-title} is deployed on private Azure clusters. This allows you to deploy the image registry without exposing public-facing storage endpoints.

[IMPORTANT]
====
Do not configure a private storage endpoint on {azure-first} Red{nbsp}Hat OpenShift (ARO), because the endpoint can put your {azure-first} Red{nbsp}Hat OpenShift cluster in an unrecoverable state.
====

You can configure the Image Registry Operator to use private storage endpoints on Azure in one of two ways:

* By configuring the Image Registry Operator to discover the VNet and subnet names

* With user-provided Azure Virtual Network (VNet) and subnet names

[id="limitations-configuring-private-storage-endpoint-azure"]
== Limitations for configuring a private storage endpoint on Azure 

The following limitations apply when configuring a private storage endpoint on Azure:

* When configuring the Image Registry Operator to use a private storage endpoint, public network access to the storage account is disabled. Consequently, pulling images from the registry outside of {product-title} only works by setting `disableRedirect: true` in the registry Operator configuration. With redirect enabled, the registry redirects the client to pull images directly from the storage account, which will no longer work due to disabled public network access. For more information, see "Disabling redirect when using a private storage endpoint on Azure".

* This operation cannot be undone by the Image Registry Operator.