Setting up security groups and Managed Service for GitLab instance access restrictions
Security group rules specify the following:
- IPs that can access the instance, including web access.
- Protocol to work with Git repositories in the GitLab instance: SSH or HTTPS.
- Certificate to work over HTTPS: Let's Encrypt (by default) or your own certificate.
- Whether or not access to GitLab Container Registry has been provided.
To set traffic rules for a GitLab instance:
- Create a security group in the Yandex Cloud network you selected when creating the instance.
- Add inbound and outbound traffic rules to the security group. See the list of rules below.
- Contact support to bind the security group to the GitLab instance.
Rules for incoming traffic
| Purpose of the rule | Rule settings |
|---|---|
| To access your Git repository over SSH | |
| To enable Let’s Encrypt. This certificate is used by default | |
| To access your Git repository over SSH | |
| For health checks by a network load balancer | |
| To connect to GitLab Container Registry | |
Rules for outgoing traffic
Note
Managed Service for GitLab relies on external resources, so imposing restrictions on outbound traffic may lead to errors and failures. If you still need to restrict outbound traffic, make sure to add the rule described below.
| Why use the rule | Rule settings |
|---|---|
| To create backups and store user objects in Yandex Object Storage | |