Google (gcr.io / Artifact Registry)
Google Container Registry (legacy) and Artifact Registry (*.pkg.dev).
| Host | Ports | Purpose | Required |
|---|---|---|---|
| gcr.io | 443 | Legacy Container Registry API | required |
| *.gcr.io | 443 | Regional GCR mirrors (us.gcr.io, eu.gcr.io, asia.gcr.io, k8s.gcr.io) | required |
| *.pkg.dev | 443 | Artifact Registry (regional, e.g. us-docker.pkg.dev, europe-north1-docker.pkg.dev) | required |
| storage.googleapis.com | 443 | Blob storage (redirect target for GCR layer downloads) | required |
| oauth2.googleapis.com | 443 | Authentication (private repositories only) | optional |
Notes
GCR redirects layer downloads to storage.googleapis.com - the most commonly missed host. Artifact Registry (*.pkg.dev) serves blobs from the registry hostname itself, so it is simpler to allowlist; if the firewall cannot do wildcards, open the specific regional endpoints in use.
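For firewalls that cannot match wildcards, the following added example (not from this page's own scripts) derives the specific hosts to open from the image references actually in use, applying the rules in the table and note above. The function names and the `example-project` image references are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn image references into an exact-host allowlist.
# Rules follow the table above; sample image names are constructed.

# registry_host IMAGE_REF: print the registry hostname (text before the first "/").
registry_host() {
    printf '%s\n' "${1%%/*}"
}

# hosts_for_images [--private]: read image refs on stdin, print one host per line.
# --private adds the OAuth host, which the table lists for private repositories only.
hosts_for_images() {
    private=0
    if [ "${1:-}" = "--private" ]; then private=1; fi
    {
        while IFS= read -r ref; do
            if [ -z "$ref" ]; then continue; fi
            host=$(registry_host "$ref")
            case "$host" in
                gcr.io|*.gcr.io)
                    # GCR redirects layer downloads to blob storage.
                    printf '%s\n' "$host" storage.googleapis.com ;;
                *.pkg.dev)
                    # Artifact Registry serves blobs from the registry host itself.
                    printf '%s\n' "$host" ;;
                *)
                    echo "skipped (not a Google registry host): $ref" >&2
                    continue ;;
            esac
            if [ "$private" -eq 1 ]; then
                printf '%s\n' oauth2.googleapis.com
            fi
        done
    } | LC_ALL=C sort -u
}

# Constructed sample input: one legacy GCR image, one Artifact Registry image,
# and one image from another registry that this page's list does not cover.
hosts_for_images <<'EOF'
gcr.io/example-project/app:1.0
europe-north1-docker.pkg.dev/example-project/repo/app:1.0
nginx:latest
EOF
```

Feed it the image references from your manifests or compose files; anything it reports as skipped on stderr belongs to a different registry and needs its own allowlist entries.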
Copy-paste
Plain domain list: google.txt · JSON: google.json · connectivity test: check-google.sh
gcr.io *.gcr.io *.pkg.dev storage.googleapis.com oauth2.googleapis.com
Verify from inside the network
curl -fsSL https://pullist.d0t.se/check-google.sh | sh