Connect Private Resources to AAP Service on AWS
Red Hat Ansible Automation Platform (AAP) Service on AWS routes outbound traffic based on the destination IP address of the target resource. To configure firewalls correctly, it is critical to understand which network interface the Automation Controller will use to reach your services.
There is only one distinct path for traffic leaving the Automation Controller:
Public Internet Path (NAT Gateway)
- Destination: Public IP addresses or FQDNs that resolve to Public IPs (e.g., github.com, registry.redhat.io, or enterprise endpoints like gitlab.company.com if they resolve publicly).
- Source IP: The traffic will originate from the Managed NAT Gateway Public IPs, not the VPC CIDR block.
Connectivity to Private Source Control
A common connectivity block occurs when a customer whitelists the Peering CIDR on their firewall but connects to their internal tool using a Public FQDN.
The Scenario
- You have allowed the AAP VPC CIDR (e.g., 100.22.x.x) on your GitLab firewall.
- You configure the Project in AAP to connect to https://gitlab.company.com.
- The Issue: If gitlab.company.com resolves to a Public IP address (even if that IP is blocked for the general public), AWS routing forces the traffic out the NAT Gateway.
- The Result: Your firewall blocks the connection because it sees the request coming from an unknown NAT Gateway IP, not the allowed Peering CIDR.
Requesting Egress IP Addresses
If your security policy requires you to use the Public FQDN for your tools, you must allowlist the specific NAT Gateway IPs associated with your AAP Service on AWS cluster.
Because these IPs are specific to your deployment region and cluster configuration, they are not published in a general list.
- Open a Support Case: Log in to the Red Hat Customer Portal and open a case for Red Hat Ansible Automation Platform on AWS.
- Request Egress IPs: Explicitly request the "NAT Gateway / Egress IP addresses" for your specific cluster to unblock connectivity to your Source Control.
- Update Firewalls: Add the IPs provided by Red Hat Support to your allowlist.
Important: Monitoring is Still Required
Providing the Egress IPs is a starting point. It is critical that you actively monitor your firewall logs to identify which path the traffic is taking.
If you intend for traffic to stay private (using the Peering CIDR), ensure you are targeting the Private IP address of your resource, or that your DNS resolves the FQDN to a Private IP within the peered network.
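A quick check for the scenario above and for the monitoring advice: this added script (not Red Hat's or the service's own code) resolves a target the way the controller would and predicts, from the destination address alone, whether the connection stays on the peering or exits the NAT Gateway, and therefore what the destination firewall must allowlist. The peered CIDR and NAT IPs in it are constructed placeholders; the 100.22.0.0/16 value follows the article's example.

```python
#!/usr/bin/env python3
"""Predict which egress path AAP Service on AWS uses to reach a target.

Added example; not part of the Red Hat article. The article's rule: routing
is decided by the destination IP. Destinations inside the peered private
network are reached over VPC peering (firewall sees the AAP VPC CIDR);
anything else, including a public IP behind a corporate FQDN, leaves via
the NAT Gateway (firewall sees the NAT egress IPs).
"""
import ipaddress
import socket

# Constructed placeholders; replace them with the values for your deployment.
AAP_VPC_CIDR = ipaddress.ip_network("100.22.0.0/16")        # AAP side of the peering (article's example)
PEERED_DEST_CIDRS = [ipaddress.ip_network("10.50.0.0/16")]  # your networks reachable over the peering
NAT_EGRESS_IPS = ["203.0.113.10", "203.0.113.11"]            # request the real ones from Red Hat Support


def predict_path(dest: str) -> dict:
    """Return the path a connection to dest takes and what the destination
    firewall must allowlist for it to succeed."""
    ip = ipaddress.ip_address(dest)
    if any(ip in net for net in PEERED_DEST_CIDRS):
        return {"dest": dest, "path": "peering",
                "firewall_sees": str(AAP_VPC_CIDR),
                "allowlist": [str(AAP_VPC_CIDR)]}
    return {"dest": dest, "path": "nat_gateway",
            "firewall_sees": "one of " + ", ".join(NAT_EGRESS_IPS),
            "allowlist": list(NAT_EGRESS_IPS)}


def check_fqdn(fqdn: str) -> list:
    """Resolve fqdn and predict the path for every address it returns.
    Run this from a host that uses the same DNS resolvers as the controller."""
    addrs = {info[4][0] for info in socket.getaddrinfo(fqdn, 443, type=socket.SOCK_STREAM)}
    return [predict_path(a) for a in sorted(addrs)]


def explain(results: list) -> str:
    """Human-readable summary that flags the mismatch the article describes."""
    lines = []
    for r in results:
        if r["path"] == "nat_gateway":
            lines.append(f"{r['dest']}: exits NAT Gateway; allowing {AAP_VPC_CIDR} alone "
                         f"will NOT work, allowlist {', '.join(r['allowlist'])}")
        else:
            lines.append(f"{r['dest']}: stays on peering; allowlist {AAP_VPC_CIDR}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "gitlab.company.com"
    try:
        print(explain(check_fqdn(target)))
    except socket.gaierror as err:
        print(f"cannot resolve {target}: {err}")
```

If every address printed for your FQDN is reported as exiting the NAT Gateway while your firewall only allows the peering CIDR, you have reproduced the block described in the scenario; either point the Project at the resource's private address or allowlist the egress IPs obtained from Support.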