Mirror inside corporate network

When running a registry mirror inside a corporate network (with MIRROR_SOURCE=https://registry-1.docker.io and MIRROR_SOURCE_INDEX=https://index.docker.io), what “holes” should I punch into my corporate firewall/proxy for this specific host?

I am assuming that opening access to “index.docker.io” and “registry-1.docker.io” isn’t enough, for when I monitor a regular “docker pull” command I see requests to other hosts (like “dseasb33srnrn.cloudfront.net:443”, for example).