© 2025 Direct Cursus Technology L.L.C.
Setting up security groups and access restrictions to a Managed Service for GitLab instance

Written by
Yandex Cloud
Updated at August 11, 2025
  • Rules for incoming traffic
  • Rules for outgoing traffic

Security group rules determine the following:

  • IPs that can access the instance, including web access.
  • Protocol to work with Git repositories in the GitLab instance: SSH or HTTPS.
  • Certificate for HTTPS: Let's Encrypt (default) or your own certificate.
  • Whether or not access to GitLab Container Registry is provided.

Warning

The security group setup directly affects the performance and availability of the Managed Service for GitLab instance.

To configure a security group for a Managed Service for GitLab instance:

  1. Add rules for incoming and outgoing traffic to the existing security group or create a new group with such rules.
  2. Apply the security group to the GitLab instance when creating or modifying it.

If you do not bind a separate security group to the instance, the security group created by default in the instance's network applies to it. Rules added to that default group for other services then also govern access to the GitLab instance.

If you have issues with setting up a security group, contact support.

Rules for incoming traffic

Each rule below is listed by its purpose, followed by the settings to enter.

To access Git repositories over SSH.

  • Port range: 22 and 2222. Create a separate rule for each port.
  • Protocol: TCP
  • Source: CIDR
  • CIDR blocks: To provide access, specify subnet IP ranges within Yandex Cloud or public IP addresses of web-connected computers. Examples:
    • 172.16.0.0/12
    • 85.32.32.22/32

    To allow all traffic from any IP, specify 0.0.0.0/0.

To access Git repositories over HTTPS.

  • Port range: 443
  • Protocol: TCP
  • Source: CIDR
  • CIDR blocks: To provide access, specify subnet IP ranges within Yandex Cloud or public IP addresses of web-connected computers.

To enable a Let's Encrypt certificate.

This certificate is used by default for Git repositories over HTTPS. If you do not add this rule, add your own certificate to work over HTTPS.

  • Port range: 80 and 443. Create a separate rule for each port.
  • Protocol: TCP
  • Source: CIDR
  • CIDR blocks: 0.0.0.0/0

For creating instance backups.

  • Port range: 443
  • Protocol: TCP
  • Source: CIDR
  • CIDR blocks: 213.180.193.243/32

For health checks by a network load balancer.

  • Port range: 80
  • Protocol: TCP
  • Source: Load balancer healthchecks

To connect to GitLab Container Registry.

  • Port range: 5050
  • Protocol: TCP
  • Source: CIDR
  • CIDR blocks: To provide access, specify subnet IP ranges within Yandex Cloud or public IP addresses of web-connected computers.

    To allow all traffic from any IP, specify 0.0.0.0/0.

Rules for outgoing traffic

Managed Service for GitLab relies on third-party integrations to provide its services. If you limit the outgoing traffic in the instance's security group, the instance may work incorrectly. To avoid this, add the following rules to the security group, each listed by its purpose followed by its settings:

To enable a Let's Encrypt certificate.

  • Port range: 443
  • Protocol: TCP
  • Source: CIDR
  • CIDR blocks: 0.0.0.0/0

For creating instance backups.

  • Port range: 443
  • Protocol: TCP
  • Source: CIDR
  • CIDR blocks: 213.180.193.243/32

For requests to the metadata service when updating an instance.

  • Port range: 80
  • Protocol: TCP
  • Source: CIDR
  • CIDR blocks: 169.254.169.254/32

For requests to the DNS service.

  • Port range: 53
  • Protocol: UDP
  • Source: CIDR
  • CIDR blocks: <second_IP_address_in_subnet>/32. For example, for the 10.128.0.0/24 subnet, this is 10.128.0.2/32.

    If your subnet has its own DNS server, allow outgoing traffic to it as well, e.g., <DNS_server_IP_address>/32.

For requests to NTP servers to support two-factor authentication.

  • Port range: 123
  • Protocol: UDP
  • Source: CIDR
  • CIDR blocks: 0.0.0.0/0

For access to workers managed by a runner created via the management console.

  • Port range: 22
  • Protocol: TCP
  • Source: CIDR
  • CIDR blocks: CIDR of the subnet containing the Managed Service for GitLab instance (and hosting the workers), e.g., 10.128.0.0/24.
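As an added example (not Yandex Cloud's own code or tooling): a small Python audit that derives the DNS service address from the instance subnet, as the DNS rule above requires, and checks a security group's rule list against the incoming and outgoing rules on this page. `Rule`, `required_egress`, `covers`, `audit` and the sample group are assumptions made here; the subnet and rules are constructed sample values, and `loadbalancer_healthchecks` stands in for the predefined "Load balancer healthchecks" source.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    direction: str  # "ingress" or "egress"
    protocol: str   # "TCP" or "UDP"
    port: int
    target: str     # CIDR block, or a predefined source such as "loadbalancer_healthchecks"

def dns_resolver_cidr(subnet: str) -> str:
    """The DNS service answers at the second address of the instance's subnet."""
    net = ipaddress.ip_network(subnet, strict=True)
    return f"{net.network_address + 2}/32"

def required_egress(subnet: str) -> set[Rule]:
    # Minimum outgoing rules from the table above; the DNS target is derived from the subnet.
    return {
        Rule("egress", "TCP", 443, "0.0.0.0/0"),               # Let's Encrypt
        Rule("egress", "TCP", 443, "213.180.193.243/32"),      # instance backups
        Rule("egress", "TCP", 80, "169.254.169.254/32"),       # metadata service
        Rule("egress", "UDP", 53, dns_resolver_cidr(subnet)),  # DNS service
        Rule("egress", "UDP", 123, "0.0.0.0/0"),               # NTP for two-factor authentication
        Rule("egress", "TCP", 22, subnet),                     # runner workers in the same subnet
    }

def covers(rule: Rule, need: Rule) -> bool:
    # A rule satisfies a requirement when direction, protocol and port match and its CIDR contains the needed one.
    if (rule.direction, rule.protocol, rule.port) != (need.direction, need.protocol, need.port):
        return False
    try:
        return ipaddress.ip_network(need.target).subnet_of(ipaddress.ip_network(rule.target))
    except ValueError:  # a predefined target is not a CIDR and never satisfies a CIDR requirement
        return False

def audit(rules: list[Rule], subnet: str) -> dict[str, list[str]]:
    """Report required egress rules that nothing in the group covers, and SSH ports open to any IP."""
    missing = [f"{r.protocol} {r.port} -> {r.target}" for r in sorted(required_egress(subnet))
               if not any(covers(g, r) for g in rules)]
    open_ssh = [str(r.port) for r in sorted(rules) if r.direction == "ingress" and r.protocol == "TCP"
                and r.port in (22, 2222) and r.target == "0.0.0.0/0"]
    return {"missing_egress": missing, "ssh_open_to_any_ip": open_ssh}

# Constructed sample group: the DNS rule points at the gateway (.1) instead of .2, and NTP is absent.
SAMPLE_SUBNET = "10.128.0.0/24"
SAMPLE_RULES = [
    Rule("ingress", "TCP", 22, "0.0.0.0/0"),
    Rule("ingress", "TCP", 80, "loadbalancer_healthchecks"),
    Rule("egress", "TCP", 443, "0.0.0.0/0"),          # wide enough to cover the backup host too
    Rule("egress", "TCP", 80, "169.254.169.254/32"),
    Rule("egress", "UDP", 53, "10.128.0.1/32"),
    Rule("egress", "TCP", 22, "10.128.0.0/24"),
]
```

Running `audit(SAMPLE_RULES, SAMPLE_SUBNET)` reports the two missing egress rules (DNS to 10.128.0.2/32 and NTP) and flags port 22 as reachable from any IP.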
