Calls from Quay.io originates from:
220.127.116.11 , 18.104.22.168 , 22.214.171.124 , 126.96.36.199
Please double check IPs by running dig quay.io. HTTPS allows these calls to be signed and verified.
Quay Workers can live on any part of AWS us-east-1, so receiving calls from arbitrary worker nodes requires allowing all public IP ranges of us-east-1. If need be, this can be done by running
curl https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes | select(.region=="us-east-1") | .ip_prefix These calls are also signed with the Quay SSL certificate and can be verified.
sudo watch -d -n1 'netstat -anp | grep -i docker'