Exposing Rancher to outside world

Hello,
I have started a single instance of Rancher (as a Docker container). Everything works fine when it comes to creating or importing k8s/k3s clusters running on the local network, as Rancher is.
The problem that we have at the minute is regarding creating clusters on public AKS/EKS providers.
The resources are created, the cluster seems to be up and running, but it remains in provisioning state in the Rancher UI.
Digging further, we've noticed that the cattle-agent pod tries to reach the local (10.x.x.x) Rancher IP and obviously cannot reach the on-prem instance from the public cloud (this applies to both AKS and EKS scenarios).
The question is:

  • In case of running Rancher on-prem, does it need to be publicly exposed so that the cattle-agent running on public clouds can reach it?
    If so, what is the recommended configuration from a security-wise perspective?

Thank you,

Leo