Security with remote hosts

If you add a remote host with a public ip to a locally installed/running Rancher, what security is there or do you need to put in place to protect the remote host running the rancher-agent?

I’ve configured Access Control on my local Rancher install, but is there anyway you can protect the remote host, for example with ssh keys?

Thanks!
Kevin

I think this post explains what I wanted to know. So between the rancher-server and remote hosts, IPSec VPN tunnels are created automatically?

The IPSec network is only between hosts. The agent opens a websocket connection to the server (at the registration URL), the server does not open a connection to the agents.

Ok, got it. So if my remote host is a VPS publicly accessible on the internet, what do I need to consider to harden the host and it’s use of the rancher agent? What would stop someone else pointing their rancher-server at my rancher agent and taking control of it or deploying their own apps to my host?

Again, the agent opens the connection to the server, not the other way around. So the question is the other way, and the agent must have a valid registration URL/token from that server to connect.

Ok, and the url/token are in the command from the server where it says ‘Copy, paste, and run the command below to register the host with Rancher’ ?

Yes, the token is in the command and is used to give each host a unique API key to talk to the server with.