Which firewall openings does an image pull need?
Registries are never one hostname: auth lives on one domain, manifests on another, and layer downloads redirect to a CDN nobody opened. This site lists all of them, per product, with sources and a test script.

| Product | Hosts | Description |
|---|---|---|
| Docker Hub | 5 hosts | Default registry for docker/podman. Pulls touch three hosts minimum. |
| GitHub (ghcr.io) | 2 hosts | GitHub Container Registry. Two hosts, both required. |
| Google (gcr.io / Artifact Registry) | 5 hosts | Google Container Registry (legacy) and Artifact Registry (*.pkg.dev). |
| Kubernetes (registry.k8s.io) | 3 hosts | The Kubernetes project registry - a redirector in front of cloud-regional backends. |
| Microsoft (mcr.microsoft.com) | 2 hosts | Microsoft Artifact Registry - dotnet, SQL Server, AKS components, Windows base images. |
| NVIDIA NGC (nvcr.io) | 3 hosts | NVIDIA's registry for GPU Operator, CUDA, Triton, NIM and other GPU images. |
| Quay.io | 8 hosts | Red Hat's public registry. Hosts most OpenShift platform images and many open source projects. |
| Red Hat (registry.redhat.io) | 11 hosts | Red Hat container registries, used by RHEL, OpenShift operators and all Red Hat products. Blobs redirect to the Quay CDN. |