Setting up security groups and Managed Service for GitLab instance access restrictions

Written by

Yandex Cloud

Updated at July 10, 2024

Rules for incoming traffic
Rules for outgoing traffic

Security group rules specify the following:

IPs that can access the instance, including web access.
Protocol to work with Git repositories in the GitLab instance: SSH or HTTPS.
Certificate to work over HTTPS: Let's Encrypt (by default) or your own certificate.
Whether or not access to GitLab Container Registry has been provided.

To set traffic rules for a GitLab instance:

Create a security group in the Yandex Cloud network you selected when creating the instance.
Add inbound and outbound traffic rules to the security groups. See the list of rules further below.
Contact support to bind a security group to a GitLab instance.

If you do not bind a separate security group to an instance, the group created by default in the instance's network will apply to it. The rules of this security group added for other services affect access to the GitLab instance.

If you have no access to the instance or it works incorrectly when using the default security group, add rules for GitLab to this group or bind a new one.

Rules for incoming traffic

Purpose of the rule	Rule settings
To access your Git repository over SSH	Port range: `22` and `2222`. Create a separate rule for each port. Protocol: `TCP`. Source: `CIDR`. CIDR blocks: To provide access, specify subnet IP ranges within Yandex Cloud or public IP addresses of web-connected computers. Examples: `172.16.0.0/12` `85.32.32.22/32` To allow all traffic from any IP, specify `0.0.0.0/0`.
To enable Let’s Encrypt This certificate is used by default when working with Git repositories over HTTPS. If you do not specify this rule, you will need to configure HTTPS manually with your own certificate.	Port range: `80` Protocol: `TCP` Source: `CIDR` CIDR blocks: `0.0.0.0/0`
To access your Git repository over SSH	Port range: `443` Protocol: `TCP` Source: `CIDR` CIDR blocks: To provide access, specify subnet IP ranges within Yandex Cloud or public IP addresses of web-connected computers.
For health checks by a network load balancer	Port range: Target port specified in the load balancer settings. Protocol: `TCP` Source: `Load balancer healthchecks`
To connect to GitLab Container Registry	Port range: `5050` Protocol: `TCP` Source: `CIDR` CIDR blocks: To provide access, specify subnet IP ranges within Yandex Cloud or public IP addresses of web-connected computers. To allow all traffic from any IP, specify `0.0.0.0/0`.

Managed Service for GitLab relies on third-party integrations to provide its services. If you limit the outgoing traffic in the instance's security group, the instance may work incorrectly. To avoid this, add one of the rules presented in the table to the security group. You need them to create backups and store user objects in Yandex Object Storage.

Your choice of rule depends on the certificate you are using: Let's Encrypt (default) or self-signed.

Instance certificate type	Rule settings
Let's Encrypt	Port range: `443` Protocol: `TCP` Source: `CIDR` CIDR blocks: `0.0.0.0/0`
Self-signed certificate	Port range: `443` Protocol: `TCP` Source: `CIDR` CIDR blocks: `213.180.193.243/32`

Setting up security groups and Managed Service for GitLab instance access restrictions

Rules for incoming trafficRules for incoming traffic

Rules for outgoing trafficRules for outgoing traffic

Was the article helpful?

Rules for incoming traffic

Rules for outgoing traffic