Edited by Nir Ovadia
When using Artifactory as a Docker registry (which might be behind a firewall and reverse proxy servers, such as Nginx and Apache), you might need to allow access to external hosts, as Docker Hub uses several hosts and its Content Delivery Network (CDN) to serve content.
Allow outbound traffic to the following hosts:
- https://auth.docker.io
- https://registry-1.docker.io
- https://production.cloudflare.docker.com
- docker-images-prod.s3.dualstack.<region-name>.amazonaws.com* (Only for AWS VPCs, see note below)
Note: For AWS machines with a VPC handling traffic, Docker Hub bypasses the production.cloudflare.docker.com backend, and requests go directly to the docker-images-prod S3 bucket in the region the machine is in. In these scenarios, you can add a docker-images-prod* rule to the VPC to allow all of Docker's S3 buckets, or find the specific one your machine is hitting. You can see which redirect you get by first requesting a token from Docker (quote the URL so the shell does not treat & as a control operator):
curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/hello-world:pull"
and then, with the token value from the JSON response stored in TOKEN, using that token to request one of the layers
curl -vvv -L -I https://registry-1.docker.io/v2/library/hello-world/blobs/sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412 -H "Authorization: Bearer $TOKEN"
which will show a redirect either to production.cloudflare.docker.com, or docker-images-prod.s3.*
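The two-step check above as a script, added here as an example and not part of the original article: it requests a token, sends a HEAD request for the blob without following the redirect, and reports which backend the Location header points to. The function names and sample responses are constructed for illustration, and the live path assumes curl and jq are installed.

```shell
#!/bin/sh
# Added example: classify where Docker Hub redirects a blob request.
# Function names are illustrative; the live path assumes curl and jq.
REPO="library/hello-world"
DIGEST="sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412"

# Read raw HTTP response headers on stdin; print the Location host (no port).
redirect_host() {
  tr -d '\r' | awk 'tolower($1) == "location:" {
    split($2, p, "/"); sub(/:.*/, "", p[3]); print p[3]; exit }'
}

# Map a redirect host to the egress rule it needs.
# The S3 pattern requires the amazonaws.com suffix, so a look-alike
# host that merely starts with "docker-images-prod" is not accepted.
classify_host() {
  case "$1" in
    production.cloudflare.docker.com) echo "cloudflare" ;;
    docker-images-prod.*.amazonaws.com) echo "s3" ;;
    "") echo "no-redirect" ;;
    *) echo "unknown" ;;
  esac
}

# Constructed sample responses (not captured traffic) for offline checks.
sample_cdn() { printf 'HTTP/1.1 307 Temporary Redirect\r\nLocation: https://production.cloudflare.docker.com/constructed/blob\r\n\r\n'; }
sample_s3() { printf 'HTTP/1.1 307 Temporary Redirect\r\nlocation: https://docker-images-prod.s3.dualstack.us-east-1.amazonaws.com/constructed/blob\r\n\r\n'; }

# Live check: token request, then HEAD on the blob without -L so the
# first response (the redirect) is the one inspected.
check_live() {
  token=$(curl -fsS "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${REPO}:pull" | jq -r .token)
  [ -n "$token" ] || return 1
  headers=$(curl -sS -I -H "Authorization: Bearer ${token}" \
    "https://registry-1.docker.io/v2/${REPO}/blobs/${DIGEST}") || return 1
  host=$(printf '%s\n' "$headers" | redirect_host)
  echo "$(classify_host "$host") $host"
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it with --live from the Artifactory host (or the proxy it egresses through) to see which of the two hosts needs an allow rule; without arguments it only defines the functions.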