Hi Pankaj

For incoming connectivity from web clients and agents, GoCD only requires a port for HTTP access to be opened. Generally, in order to secure a GoCD deployment (VPN or not) you first need to configure it for TLS, which means fronting it with a reverse proxy, TLS-terminating load balancer or cluster ingress etc. Generally this would mean you only need to open whatever port/host you have proxying HTTPS GoCD traffic through to GoCD itself.

If you are planning to keep using HTTP without TLS (not recommended, but possible) you'd just need to open port 8153 for incoming by default (or change the cruise.server.port to a different port of your choice and open that).

If you are also asking about required outgoing connectivity, it probably varies too much depending on what you are doing with GoCD to comment.

I'm not sure what you are referring to regarding iptable rules related to Docker. GoCD server and agents can run inside containers <https://www.gocd.org/download/#docker> or Kubernetes <https://github.com/gocd/helm-chart/tree/master/gocd> if you'd like (or mix and match), but this is your choice. Jobs/tasks running on GoCD agents may need to run/launch containers themselves depending on the needs of your users; however, containers/Docker aren't intrinsic to the design of GoCD itself and I can't think of any special firewall requirements related to that.

-Chad

On Sun, Apr 17, 2022 at 7:46 PM '[email protected]' via go-cd <[email protected]> wrote:

> I would like to secure the go-cd deployment in a VPN. It should be
> accessible from a few whitelisted ip addresses of
>
> a) agent machines
> b) web access through vpn
> c) anything needed for github auth.
>
> It should not be accessible from anywhere else. Do we have any
> recommendation on iptable firewall rules for this?
>
> A related question is that does any part of go-cd run as a docker
> container. I noticed a few iptable rules for docker. I am not sure if it is
> residual from any other experimentation or is a requirement for go-cd.
>
> Warm regards.
> Pankaj
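
An added example, not part of the original thread or of GoCD's documentation: a shell function that prints (does not apply) iptables rules admitting traffic to the single GoCD listener port only from allowlisted sources, as discussed above. The chain name GOCD-IN, the function name and all addresses (documentation ranges) are assumptions; pass the reverse proxy's HTTPS port instead of 8153 when TLS is terminated in front of GoCD.

```shell
#!/bin/sh
# Added example: emits iptables commands for review; nothing is applied.
# GOCD-IN is a hypothetical chain name. IPv4 only (IPv6 needs ip6tables).

gocd_rules() {
    port=$1; shift

    # Accept only a numeric TCP port in range.
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi

    # An empty allowlist would lock everyone out, agents included.
    if [ $# -eq 0 ]; then
        echo "no allowlisted sources given" >&2; return 1
    fi

    # Validate every source before printing, so a typo never yields
    # a partial ruleset. Only digits, dots and a CIDR slash are allowed.
    for src in "$@"; do
        case $src in
            ''|*[!0-9./]*) echo "bad source: $src" >&2; return 1 ;;
        esac
    done

    # Dedicated chain: all traffic to the GoCD port is judged here only.
    echo "iptables -N GOCD-IN"
    echo "iptables -A INPUT -p tcp --dport $port -j GOCD-IN"
    for src in "$@"; do
        echo "iptables -A GOCD-IN -s $src -j ACCEPT"
    done
    # Default for this port: anything not allowlisted is dropped.
    echo "iptables -A GOCD-IN -j DROP"
}

# Constructed sample: two agent hosts and a VPN client range, default port.
gocd_rules 8153 192.0.2.10 192.0.2.11 198.51.100.0/24
```

These rules sit on the INPUT chain, so they cover a GoCD server running directly on the host; traffic to a port published by Docker is forwarded rather than delivered to INPUT, and filtering for it belongs in Docker's DOCKER-USER chain.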
