Tags: amazon-web-services, gitlab, gitlab-ci, gitlab-ci-runner, amazon-vpc

Whitelist gitlab webhooks


I'm using gitlab.com as my repository and I'm hosting my own gitlab runner in my own VPC in AWS. This is working fine; however, I would like to add an additional layer of security by tightening my NACL to only allow the gitlab.com SaaS to reach my VPC.

Their own documentation states that it should work and lists a few IP ranges used by them and Cloudflare. However, it still isn't working. It is obvious that it is the NACL, because simply adding 0.0.0.0/0 as an allow in the inbound rules makes the gitlab runner job complete as intended. However, removing 0.0.0.0/0 and only allowing the IPs listed below makes the gitlab job get stuck, and it behaves as if no connection is established.

34.74.226.0/24
34.74.90.64/28

173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22

2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
2a06:98c0::/29
2c0f:f248::/32

After having added all these ranges to my NACL as inbound rules, it still is unable to connect without allowing 0.0.0.0/0.

Additional information

Here is an overview of my VPC setup:

The public subnet NACL has all the ips listed above as allowed, on all ports for all protocols on inbound connections. The outbound is currently set as 0.0.0.0/0.

The private subnet allows 0.0.0.0/0 for both inbound and outbound.

[Figure: VPC config]


Solution

  • I seem to have solved the issue. The problem was that I had not added an allow in the NACL for local connections. Hence the private subnet was unable to connect to the NAT gateway.
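The answer above comes down to how a network ACL evaluates traffic: rules are checked in ascending rule-number order, the first match wins, and anything unmatched hits the implicit deny. The runner in the private subnet reaches the internet through the NAT gateway in the public subnet, so the public subnet's inbound NACL sees that traffic with a source address inside the VPC CIDR, which none of the gitlab.com or Cloudflare ranges cover. The following Python model is an added example, not code from the question or answer and not an AWS API; it reproduces that evaluation order over the ranges listed in the question. The VPC CIDR (10.0.0.0/16), the runner's address and the rule numbers are assumed values for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Ranges copied from the question: gitlab.com and Cloudflare.
GITLAB_RANGES = ["34.74.226.0/24", "34.74.90.64/28"]
CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]

# Assumed values (constructed for this example): the VPC CIDR and the
# private-subnet address of the runner that talks to the NAT gateway.
VPC_CIDR = "10.0.0.0/16"
RUNNER_PRIVATE_IP = "10.0.2.10"


@dataclass(frozen=True)
class Rule:
    """One numbered NACL entry; action is 'allow' or 'deny'."""
    number: int
    cidr: str
    action: str


def evaluate(rules, src_ip):
    """Model NACL evaluation for an inbound packet with source src_ip.

    Rules are applied lowest number first and the first match wins. A packet
    matching no rule falls through to the implicit '*' deny. Comparing an
    IPv4 address against an IPv6 network (or vice versa) never matches.
    """
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if addr in ipaddress.ip_network(rule.cidr):
            return rule.action, rule.number
    return "deny", "*"


def build_inbound_rules(include_local_allow):
    """Inbound rule set for the public subnet, as in the question.

    include_local_allow=False is the original (broken) configuration: only
    the gitlab.com and Cloudflare ranges are allowed. True adds the fix from
    the answer, an allow for the VPC's own CIDR so traffic from the private
    subnet can reach the NAT gateway.
    """
    rules = []
    number = 100
    for cidr in GITLAB_RANGES + CLOUDFLARE_RANGES:
        rules.append(Rule(number, cidr, "allow"))
        number += 10
    if include_local_allow:
        rules.append(Rule(50, VPC_CIDR, "allow"))
    return rules


def check_paths(include_local_allow):
    """Decisions for the three sources that matter: the runner reaching the
    NAT gateway, gitlab.com reaching the VPC, and an unrelated internet host."""
    rules = build_inbound_rules(include_local_allow)
    return {
        "runner_to_nat_gateway": evaluate(rules, RUNNER_PRIVATE_IP),
        "gitlab_to_vpc": evaluate(rules, "34.74.226.10"),
        "unrelated_host": evaluate(rules, "8.8.8.8"),
    }


if __name__ == "__main__":
    for label, flag in (("without local allow", False), ("with local allow", True)):
        print(label)
        for path, decision in check_paths(flag).items():
            print(f"  {path}: {decision[0]} (rule {decision[1]})")
```

Running it shows that the gitlab.com source is allowed either way, the unrelated host is denied either way, and the runner's traffic to the NAT gateway is only allowed once the VPC CIDR rule exists. Because NACLs are stateless, the same reasoning applies to the return direction: the outbound rule set of the public subnet must also cover the private subnet's CIDR, which the question already satisfies by leaving outbound at 0.0.0.0/0.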