Chainguard Containers Network Requirements

This document provides an overview of network requirements for using Chainguard Containers. To use Chainguard tools and Containers in environments with firewalls, VPNs, and IDS/IPS systems, you will need to add some rules to allow traffic into and out of your networks.

Chainguard Containers do not call Chainguard services while running, so no network changes would be required to the runtime environment. Review the Notes column for more info on each Hostname.

Chainguard Containers Hosts

This table lists the DNS hostnames, associated ports, and protocols that will need to be allowed through firewalls and proxies to use Chainguard Containers:

If you experience networking issues while trying to use Chainguard Containers, please ensure that your firewall allows traffic to and from these hosts, and that it doesn’t have any rules to block .dev domains.

Chainguard Containers Third-party Hosts

This table lists the third-party DNS hostnames, associated ports, and protocols that will need to be allowed through firewalls and proxies to use Chainguard Containers:

Note that the 9236a389bd48b984df91adc1bc924620.r2.cloudflarestorage.com host is used to serve both image data and packages via *.cgr.dev.

Ingress and Egress

Connections to the hosts listed on this page are generally initiated as new outbound connections. If you are using stateless firewall rules, then you will need to add symmetric rules to ensure that traffic flows correctly.

You will need egress rules that allow new traffic to the hosts listed here. You will need corresponding ingress rules that allow related and established traffic.

DNS Records and TTLs

Many of the hosts listed on this page use multiple DNS A records or CNAME aliases. Additionally, many A records have a short time to live of 60 seconds, and the majority are less than an hour (3600s).

If your network filters traffic based on IP addresses, ensure that any firewalls update their rules at an appropriate interval to match the TTL for each DNS record.

Minimum TLS requirements

For guaranteed connectivity, the following TLS requirements must be at minimum supported by clients and servers communicating with Chainguard Containers and endpoints:

• TLSv1.3 with the TLS_AES_256_GCM_SHA384 cipher suite
• TLSv1.2 with
  • ECDHE-ECDSA-AES256-GCM-SHA384 cipher string
  • RFC 7627 Extended Master Secret Extension support
• Signatures using P-256 with SHA-256
• Signatures using RSA-PSS with 2048 bits and SHA-256
• Support for encrypted HTTP/2 is required, including by any proxies in use

The requirements can be approximately tested with the following OpenSSL client command:

openssl s_client -cipher @SECLEVEL=2:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384 -ciphersuites TLS_AES_256_GCM_SHA384 -groups P-256 -alpn h2 -connect cgr.dev:443 < /dev/null

Note that in the case of TLSv1.2 connectivity you must check the output for Extended master secret: yes.

You can replace cgr.dev:443 with your own deployments.

Many of the endpoints for Chainguard products require support for the encrypted HTTP/2 protocol. Some decrypting proxies might not support HTTP/2.

Zscaler, a popular decrypting proxy, may not support encrypted HTTP/2 traffic by default. If you are having connection issues using chainctl behind Zscaler, follow these steps to enable support for HTTP/2.

1. Open a Support Ticket with Zscaler

   Before any UI configuration option appears you may need to contact Zscaler Support (TAC) and request that HTTP/2 support be provisioned/activated for your tenant. This is currently a backend setting only Support can toggle.

   You typically need to provide:

   • Your Company ID
   • Tenant details
   • Reason/use case for enabling HTTP/2 inspection

   This will allow HTTP/2 negotiation to be available in policies.

2. Enable HTTP/2 in SSL Inspection Policies

   Once Support has enabled HTTP/2 on your tenant:

   1. Log in to the Zscaler Admin Portal.
   2. Navigate to Policy → SSL Inspection (or Administration → Advanced Settings depending on UI version).
   3. Edit your relevant SSL Inspection Policy.
   4. Look for the option "Enable HTTP/2" and turn it ON for the required rules/policies.

   This setting ensures Zscaler will maintain HTTP/2 where possible rather than downgrading to HTTP/1.1. You may need to enable it on multiple rules if you use granular SSL policies (for example, by URL category).

3. Check Advanced settings for API/CLI traffic

   Zscaler has an advanced setting under Admin → Advanced that controls how non-browser (API or CLI) HTTP/2 traffic is handled. This setting is disabled by default, which means Zscaler will downgrade non-browser HTTP/2 traffic to HTTP/1.1. For chainctl usage, this must be set to Enabled.

See this Zscaler blog post for more details.

If the above approach is not available to you, you may need to reconfigure Zscaler to disable its "Block Undecryptable Traffic" setting. Another option is to configure direct (proxyless) access to HTTP/2 endpoints and use the no_proxy environment variable, depending on your IT policies. Please consult your proxy software's documentation for guidance on adjusting these settings in order to authenticate.