This document provides an overview of remote repositories. For instructions on how to create a remote repository, see Create remote repositories.
Artifact Registry Quotas and limits apply to remote repositories.
How remote repositories work
Remote repositories store artifacts from the following upstream sources:
- Standard Artifact Registry repositories.
- External sources such as Docker Hub, Maven Central, the Python Package Index (PyPI), Debian or CentOS.
A remote repository acts as a proxy for the upstream source so that you have more control over your dependencies. The first time that you request a version of a package, Artifact Registry downloads and caches the package in the remote repository. The next time you request the same package version, Artifact Registry serves the cached copy.
If you request an artifact from an upstream source that doesn't exist, or doesn't contain the version you specified, the request will fail.
The other repository modes are:
- Standard: The default repository mode. You upload or publish artifacts such as private packages directly to standard repositories. Although you can download directly from individual standard repositories, accessing groups of repositories with a virtual repository simplifies tool configuration.
- Virtual: A repository that acts as a single access point for multiple upstream repositories, including remote and standard repositories.
Upstream authentication
Artifact Registry remote repositories support basic authentication to upstream sources for supported formats. For more information on how to authenticate to remote repository upstream sources, see Configure authentication to remote repository upstreams.
Use cases and benefits
- Faster, more reliable access to artifacts
- Storing cached copies of your public dependencies in Artifact Registry reduces latency when other Google Cloud services retrieve images. Cached artifacts are also still available if the external public repository is offline due to an outage or other issue.
- Safer dependency resolution
Use remote repositories together with virtual repositories to mitigate risks associated with public dependencies. Some tools do not provide a way to control search order when a mix of private and public repositories are configured in the client. This type of configuration is vulnerable to a dependency confusion attack, where someone uploads a new version of a package with bad code to a public repository to trick clients into choosing the bad version.
Instead of configuring clients directly to search multiple repositories, you can configure virtual repositories to prioritize your private repositories over remote repositories.
- Reduce data transfer cost
Use remote repositories to cache artifacts in the same region or multi-region as your runtimes to reduce data transfer costs.
If Artifact Registry is in a VPC Service Controls service perimeter, Artifact Registry denies access to upstream sources outside the perimeter by default. To allow remote repositories in a specific location to access their configured external sources outside the perimeter, see the instructions for VPC Service Controls configuration.
To learn about other dependency management best practices, see Dependency management.
Updates to package indexes and metadata
Mutable files such as package indexes and metadata are updated from the upstream source when they become more than the default age. Defaults for specific file types are listed in the following table:
| Format | File type | Default update age |
|---|---|---|
| Maven | maven-metadata.xml |
5 minutes |
archetype-catalog.xml |
1 hour | |
| Npm | Manifest files | 5 minutes |
| Python | Index files | 1 hour |
| Docker | List/Get tags cache | 1 hour |
| Apt/Yum (preview) | Index files | 2 minutes |
| Package files | 72 hours |
Supported formats
See the following sections for the formats available for preset and user-defined remote repositories.
Preset upstream URLs
A number of common upstream repository URLs are available as preset selections for convenience in the following formats.
| Format | package types | Upstream URL | Upstream preset name |
|---|---|---|---|
| Docker | Public or private | https://registry-1.docker.io |
DOCKER-HUB |
| Maven | Public or private | https://repo.maven.apache.org/maven2 |
MAVEN-CENTRAL |
| npm | Public or private | https://registry.npmjs.org |
NPMJS |
| Python | Public | https://pypi.io |
PYPI |
| OS packages (preview) | Public | See OS packages supported upstreams | See OS packages supported upstreams |
OS packages preset upstreams
You can create an OS package remote repository by choosing from one of the common preset upstream repository base URLs and customizing the remainder of the URL to the specific repository. The following repository bases are supported:
Apt
| Repository | URL Prefix | Repository Base Name |
|---|---|---|
| Debian | http://deb.debian.org |
DEBIAN |
| Ubuntu LTS or Pro | http://archive.ubuntu.com
|
UBUNTU
|
Yum
| Repository | URL Prefix | Repository Base Name |
|---|---|---|
| CentOS | http://mirror.centos.org
|
CENTOS
|
http://debuginfo.centos.org
|
CENTOS_DEBUG
|
|
https://vault.centos.org
|
CENTOS_VAULT
|
|
https://mirror.stream.centos.org
|
CENTOS_STREAM
|
|
| Rocky | http://dl.rockylinux.org
|
ROCKY
|
| Fedora Extra Packages for Enterprise Linux (EPEL) | https://dl.fedoraproject.org/pub/epel
|
EPEL
|
Artifact Registry repository upstreams
You can create remote repositories with Artifact Registry standard format repositories as upstreams for the following formats:
- Docker
- npm
- Maven
- Python
Custom URLs
You can enter the URL for your remote repository directly, without using one of the preset upstream sources for the following formats.
- Docker
- npm
- Maven
- Python
The following non-exhaustive table lists some common upstream URIs.
| Format | Upstream URI | Registry Name |
|---|---|---|
| Docker | https://registry-1.docker.io |
Docker Hub |
| Docker | https://public.ecr.aws |
AWS ECR Public Gallery |
| Docker | https://registry.k8s.io |
Kubernetes Container Registry |
| Docker | https://MY_NEXUS_IP |
Nexus |
| npm | https://registry.npmjs.org |
npm |
| npm | https://npm.pkg.github.com |
GitHub Npm Registry |
| npm | https://MY_NEXUS_IP/repository/MY_UPSTREAM_REPOSITORY |
Nexus |
| Maven | https://repo.maven.apache.org/maven2 |
Maven Central |
| Maven | https://MY_NEXUS_IP/repository/MY_UPSTREAM_REPOSITORY |
Nexus |
| Python | https://pypi.io |
Python Package Index (PyPI) |
| Python | https://MY_NEXUS_IP/repository/MY_UPSTREAM_REPOSITORY |
Nexus |
Where
- MY_NEXUS_IP is the IP address and port of your Nexus upstream instance.
- MY_UPSTREAM_REPOSITORY is the name of your upstream repository; used in the Nexus examples.
Limitations
In addition to Artifact Registry quotas and limitations, remote repositories have the following limitations:
- Maven remote repositories don't permit setting the version policy to snapshot or release.
- Upstream sources must be internet accessible. Remote repositories don't support on-premise or Virtual Private Cloud (VPC) network upstream sources without a public IP address.
What's next
- Create remote repositories.
- Learn more about Artifact Registry repositories by reading the Repository overview.