Inferensys

Glossary

Geo-Replication

Geo-replication is a registry feature that asynchronously replicates container images across multiple geographically distributed registry instances to ensure high availability and local pull performance.
Data engineer managing feature store on laptop, feature definitions visible, casual data engineering session.
HIGH AVAILABILITY & DATA LOCALITY

What is Geo-Replication?

Geo-replication is a registry feature that asynchronously replicates container images across multiple geographically distributed registry instances to ensure high availability and local pull performance.

Geo-replication is the process of automatically and asynchronously copying container images and OCI artifacts between distinct, geographically separated registry instances. The primary mechanism relies on event-driven or scheduled synchronization jobs that propagate image manifests, layer blobs, and associated metadata—such as signatures and SBOMs—from a source registry to one or more target registries. This ensures that every regional data center or edge location maintains a local, read-only copy of critical artifacts, eliminating the latency and bandwidth bottlenecks associated with pulling large images over wide-area networks.

The architecture supports both push-based and pull-based replication models, often configured through a centralized management plane. In a push model, the source registry actively transfers artifacts to targets; in a pull model, target registries poll the source for updates. This is a foundational capability for air-gapped registry synchronization and sovereign cloud architectures, enabling organizations to enforce jurisdictional data residency while maintaining a globally consistent software supply chain. Effective replication strategies are tightly coupled with retention policies and garbage collection to manage storage across the distributed topology.

RESILIENCY ARCHITECTURE

Key Features of Geo-Replication

Geo-replication ensures container images are available locally across distributed infrastructure, reducing pull latency and eliminating single points of failure in the software supply chain.

01

Asynchronous Push-Based Replication

When an image is pushed to a source registry, the replication engine copies it to target registries in other regions without blocking the push operation. This decouples the developer workflow from the replication process.

  • Event-driven: Triggered by on_push events, not polling
  • Store-and-forward: Queues replication tasks to handle transient network failures
  • Selective filtering: Replicate only images matching specific namespaces, tags, or labels

Example: A build pipeline in us-east pushes app:v1.2. The registry immediately returns success and asynchronously replicates the manifest and all referenced blobs to eu-west and ap-southeast.

02

Pull-Through Proxy Caching

A registry instance acts as a transparent cache for an upstream source. When a client requests an image not present locally, the registry fetches it from the remote, stores a copy, and serves it to the client. Subsequent pulls are served from the local cache.

  • Bandwidth conservation: Eliminates repeated pulls over WAN links
  • Offline resilience: Cached images remain available during upstream outages
  • Immutability guarantee: Content-addressable layers ensure cached blobs match the original

This pattern is critical for air-gapped environments where a registry mirror in the secure network proxies approved external images.

03

Conflict-Free Replication Policies

Replication rules define exactly which artifacts move between registry instances, preventing namespace collisions and ensuring deterministic state across regions.

  • Source/target mapping: Define source-registry/namespace -> target-registry/namespace pairs
  • Tag filtering: Replicate only prod-* tags, excluding ephemeral dev-* builds
  • Override protection: Configure whether existing tags at the target are overwritten or preserved
  • Bandwidth scheduling: Throttle replication during peak hours to avoid saturating inter-region links

A typical policy replicates all production/* images bidirectionally between three regions while excluding staging/* entirely.

04

Blob-Level Deduplication

Geo-replication operates at the content-addressable blob layer, not the image level. When replicating, only unique blobs not already present at the target are transferred.

  • Hash-based identification: Each blob is identified by its SHA256 digest
  • Shared base layers: A Node.js base layer replicated once serves hundreds of derived application images
  • Delta efficiency: Only new or modified layers traverse the network

Example: Replicating 50 microservice images built on the same node:20-alpine base transfers the base layer once, then only the thin application layers for each service. This reduces inter-region bandwidth by up to 90%.

05

Health Monitoring and Auto-Failover

Each replicated registry instance continuously reports its availability status. Client-side tooling or load balancers can automatically route pull requests to the nearest healthy instance.

  • Heartbeat checks: Registry endpoints probed at configurable intervals
  • Latency-aware routing: DNS or Anycast directs clients to the lowest-latency replica
  • Degraded mode handling: If a region is unreachable, clients fall back to the next-closest replica
  • Replication lag visibility: Metrics expose the time delta between source push and target availability

In a Kubernetes cluster, an admission controller can rewrite image references at deploy time to point to the local registry mirror, ensuring pods always pull from the fastest available source.

06

Immutable Replication Logs for Audit

Every replication event is recorded in a tamper-proof log, providing a complete chain of custody for container images as they move across jurisdictions.

  • Event recording: Source digest, target digest, timestamp, and initiating user for each replication
  • SLSA attestation: Replication events can generate signed provenance statements
  • Compliance evidence: Prove to auditors that images in eu-data originated from approved us-build pipelines
  • Drift detection: Compare expected vs. actual state across replicas to identify unauthorized modifications

This is essential for sovereign cloud deployments where regulators require proof that no unauthorized artifacts entered a jurisdiction's registry.

GEO-REPLICATION

Frequently Asked Questions

Common questions about configuring, optimizing, and troubleshooting asynchronous image replication across distributed registry instances.

Geo-replication is a registry feature that asynchronously replicates container images and their associated artifacts across multiple geographically distributed registry instances. The primary mechanism involves a replication rule that triggers when an image is pushed to a source registry; the registry then copies the image's manifest and all referenced layer blobs to one or more target registries. Unlike synchronous mirroring, geo-replication is eventually consistent, meaning there is a brief propagation delay between the push and the image's availability in remote regions. This architecture decouples the write path from the read path, allowing development teams to push to a central registry while global deployments pull from the nearest local replica, dramatically reducing cross-region latency and bandwidth costs.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.