Red Hat (registry.redhat.io)
Red Hat container registries, used by RHEL, OpenShift operators and all Red Hat products. Blobs redirect to the Quay CDN.
| Host | Ports | Purpose | Requirement |
|---|---|---|---|
| registry.redhat.io | 443 | Authenticated registry (manifests, auth, blob requests) | required |
| registry.access.redhat.com | 443 | Unauthenticated legacy registry (UBI and older paths) | required |
| registry.connect.redhat.com | 443 | Partner / certified third-party images | optional |
| sso.redhat.com | 443 | Authentication for registry.redhat.io | required |
| cdn.quay.io | 80, 443 | Blob CDN (redirect target) | required |
| cdn01.quay.io | 80, 443 | Blob CDN (redirect target) | required |
| cdn02.quay.io | 80, 443 | Blob CDN (redirect target) | required |
| cdn03.quay.io | 80, 443 | Blob CDN (redirect target) | required |
| cdn04.quay.io | 80, 443 | Blob CDN (redirect target, added 2025) | required |
| cdn05.quay.io | 80, 443 | Blob CDN (redirect target, added 2025) | required |
| cdn06.quay.io | 80, 443 | Blob CDN (redirect target, added 2025) | required |
Notes
The Red Hat registries answer blob requests with an HTTP 302 redirect to a short-lived signed URL on the Quay CDN hosts. If cdn01-06.quay.io are not open, manifest pulls succeed but image config and layer downloads fail with "connection refused" or "i/o timeout" (ImagePullBackOff in OpenShift). Red Hat recommends hostname-based rules rather than IP-based rules, because the IPs are not static. cdn04-06.quay.io were added in 2025 and are a common gap in allowlists created before that.
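Added example (not part of the original page or of any Red Hat tooling): a POSIX shell audit that compares an existing egress allowlist file with the required hosts from the table above and prints the ones it does not cover, such as cdn04-06.quay.io in a pre-2025 list. The function names, the allowlist file format (entries separated by whitespace or commas, # comments) and the wildcard syntax (*.domain or .domain) are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page. Function names, the allowlist
# file format and the wildcard syntax (*.domain or .domain) are assumptions.

# Hosts marked "required" in the table above.
REQUIRED_HOSTS="registry.redhat.io registry.access.redhat.com sso.redhat.com
cdn.quay.io cdn01.quay.io cdn02.quay.io cdn03.quay.io
cdn04.quay.io cdn05.quay.io cdn06.quay.io"

# Read allowlist text on stdin; print one lowercase entry per line with
# comments, separators (space, tab, comma) and trailing dots removed.
normalize_allowlist() {
    sed -e 's/#.*//' | tr 'A-Z' 'a-z' | tr -s ' \t,' '\n' |
        sed -e 's/\.$//' -e '/^$/d'
}

# host_allowed HOST ENTRIES: succeed if HOST equals an entry or falls under
# a wildcard entry. The suffix keeps its leading dot, so "*.quay.io" covers
# cdn04.quay.io but not notquay.io.
host_allowed() {
    host=$1
    while IFS= read -r entry; do
        case $entry in
            "$host") return 0 ;;
            \*.*)    suffix=${entry#\*} ;;
            .*)      suffix=$entry ;;
            *)       continue ;;
        esac
        case $host in *"$suffix") return 0 ;; esac
    done <<EOF
$2
EOF
    return 1
}

# missing_hosts FILE: print every required host the allowlist does not cover.
missing_hosts() {
    entries=$(normalize_allowlist < "$1")
    for required in $REQUIRED_HOSTS; do
        host_allowed "$required" "$entries" || printf '%s\n' "$required"
    done
}

# Stand-alone use: sh audit.sh /path/to/allowlist.txt
if [ "$#" -gt 0 ]; then
    missing_hosts "$1"
fi
```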
Copy-paste
Plain domain list: redhat.txt · JSON: redhat.json · connectivity test: check-redhat.sh
registry.redhat.io registry.access.redhat.com registry.connect.redhat.com sso.redhat.com cdn.quay.io cdn01.quay.io cdn02.quay.io cdn03.quay.io cdn04.quay.io cdn05.quay.io cdn06.quay.io
Verify from inside the network
curl -fsSL https://pullist.d0t.se/check-redhat.sh | sh