Open security group entry required for Rancher hosts to register?

Hi, we have our Rancher server configured behind an ALB, and it all works well, however for various reasons we would like to use Rancher with no auth. Our idea was to simply restrict access via an IP entry (or entries) in the Rancher ALB ec2 security group, but we have found that unless the ALB security group has an open entry for TCP/8080 that hosts will not register, not even if we nest both server and hosts security groups in the ALB security group.

This isn’t how we would expect our configuration to behave and wondered if we are missing something, or if that is how it is?

The host security group has UDP ports 4500 & 500 + TCP 22, all open (0.0.0.0/0) however this doesn’t seem relevant as it’s only when we remove the open entry on the ALB that the hosts disconnect, opening it up again and they re-connect.

The agents open the connection to the server. So you need “allow from [agent IPs] to [server IP] on 8080” in some form.

I’m curious what your various reasons are…

Hi Vincent, we thought that a nested security group would facilitate that, but it doesn’t seem to.

Our main reason is that we are trying to automate host deployment and we thought it may be easier for forego token based registration (in favour of security group entries), but it is seeming not to be the case.

To further explain, when we say automate we mean full stack deployment to an empty AWS account using Terraform.

We know it is easy enough to automate further down the line by configuring a launch config + autoscaling group using the reg/token details from within a running version of rancher server, but we would like to automate the full process dynamically, even through to deploying stacks/envs (using the Terraform providers).

There’s not really any magic here, there has to be something wrong with the rule definition or application of the target security group to the hosts…

Hi Vincent, yes, that’s what we thought, not sure what’s going on. This is what we have (all groups have egress All Traffic on 0.0.0.0/0). The host security group is named demo1-rancher-secRancherHST -

The hosts security group (the greyed areas are for GOCD to my home/office IPs). This group we don’t alter -

The ALB security group config that works (the greyed area again is for my home IP) -

The ALB security group config that doesn’t work (with the host security group nested + my home IP). When we drop to this the hosts disconnect, reverting to the open entry group and they reconnect -

Confusing.