Calls from Quay.io originates from:
126.96.36.199 , 188.8.131.52 , 184.108.40.206 , 220.127.116.11
Please double check IPs by running dig quay.io. HTTPS allows these calls to be signed and verified.
Quay Workers can live on any part of AWS us-east-1, so receiving calls from arbitrary worker nodes requires allowing all public IP ranges of us-east-1. If need be, this can be done by running
curl https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes | select(.region=="us-east-1") | .ip_prefix These calls are also signed with the Quay SSL certificate and can be verified.
sudo watch -d -n1 'netstat -anp | grep -i docker'