Accessing Container Registry through a firewall

To permit worker nodes to communicate with IBM Cloud® Container Registry, allow outgoing network traffic from the worker nodes to IBM Cloud Container Registry regions.

If you are using IBM Cloud Kubernetes Service or Red Hat® OpenShift® on IBM Cloud®, by default the connection to Container Registry is private. Therefore, you don't need to allow public access to Container Registry. For more information about private connectivity, see Private network connection to icr.io registries.

You can configure your firewall to allow connections to Container Registry by using a Layer 7 firewall with the domains listed in the following table.

When you access IBM Cloud Container Registry over the public internet, you must not have any allowlist restrictions that are based on IP addresses in place. If you have any concerns about opening your allowlist, you can configure private access to IBM Cloud Container Registry by using the private IBM Cloud network, see Securing your connection to Container Registry. Note that IP address lists are not provided because they can change frequently.

In addition to the following regional subdomains, you must also allow traffic from your worker nodes to port 443 on all subdomains of icr.io in case of redirection to other subdomains for delivery optimization. You must allow TCP port 443 FROM <each_worker_node_publicIP> TO *.icr.io, where <each_worker_node_publicIP> is the public IP address for each worker node. If you use the deprecated domain names, you must allow those domains too.