Deploy to AWS private subnet using Octopus from on-premise VM

We have Octopus Deploy running on an on-premise VM deploying an ASP.NET MVC website to an AWS Windows EC2 instance via a listening tentacle. The EC2 instance was originally in a public subnet and, providing we added the EC2 IP address to the Octopus Server firewall and opened up port 10933 in AWS, this all worked fine.

However, for security reasons, we have moved the EC2 instance to a private subnet behind an ALB. This has meant the Octopus deployments have stopped working because they cannot access the EC2 server. We have tried switching to a polling tentacle via a NAT gateway, but it is unable to connect to the Octopus Server. This is because the on-premise VM is not exposed to the internet (intranet only) and so the polling tentacle is unable to access the HTTP Octopus Web Portal. We would be unable to change this (i.e. make the Octopus Web Portal internet accessible). We have full control of the AWS environment, but not the on-premise VM.

Is there some way to get this working either as a listening or polling tentacle with this setup?

Hi Corun,

If I understand correctly, you have two completely separate private subnet environments (on-premise VM running Octopus Server) and a private subnet with an ALB in Amazon and no real connection between them. (An “air gap” if you will.)

You have a listening tentacle residing on the EC2 instance that needs to communicate with your Octopus Server; however, you have limited control over the server on which Octopus Deploy is installed (i.e. you can expose port 10933 but not HTTP or HTTPS due to security concerns). You had a working setup up until you introduced an ALB and placed the server with the tentacle into a private subnet in Amazon.

It seems like the only new piece of what was a working puzzle is the ALB.

You shouldn’t have to expose your Octopus Server interface to the internet, but you will need to have a route between the two endpoints - the listening tentacle and the Octopus Server.

Have you considered a proxy to route your Octopus Deploy traffic to your ALB and then using the ALB rules to send that traffic to your Tentacle?

You could also achieve a connection between the two endpoints if you were to create a VPN.

Failing both of these solutions, we have an option called offline package drop, which will package up your solution, ready to execute on your target machine. You will just need to drop the files to your target machine and execute.

Let me know what option you go for and if you need any help putting all the pieces in place.
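Whichever route is chosen (proxy, load balancer rules or a VPN), the first thing to verify from the Octopus Server side is that TCP 10933 is reachable and that the endpoint answering is the registered Tentacle rather than something else on the path. The script below is an added example, not code from the forum thread or from Octopus Deploy. It assumes the listening Tentacle presents its usual self-signed certificate on port 10933 and that Octopus identifies the machine by the SHA-1 thumbprint of that certificate, as shown in the Octopus portal; it also assumes the Tentacle completes a TLS handshake with a client that offers no certificate (if the Tentacle rejects such a handshake, the TCP result still tells you whether a path exists). One caveat worth noting: an ALB is an HTTP(S) load balancer, while Tentacle traffic on 10933 is TLS but not HTTP, so a TCP-level path (Network Load Balancer, TCP proxy or VPN) is what this check exercises. The function, host and thumbprint names are constructed for the example.

```python
"""Reachability and identity check for an Octopus listening Tentacle.

Added example (not Octopus Deploy's code). Assumes: Tentacle listens on TCP
10933 with a self-signed certificate, and Octopus identifies it by the SHA-1
thumbprint of that certificate. Run from the Octopus Server (or the proxy host)
to confirm the path through the proxy / load balancer / VPN ends at the
registered Tentacle.
"""
import hashlib
import socket
import ssl
import sys

TENTACLE_PORT = 10933  # default listening Tentacle port, as in the thread


def normalise_thumbprint(thumbprint):
    """Octopus shows thumbprints as 40 upper-case hex characters; other tools
    add colons, spaces or lower case. Reduce all of those to one canonical form."""
    cleaned = "".join(ch for ch in thumbprint if ch.isalnum()).upper()
    if len(cleaned) != 40 or any(ch not in "0123456789ABCDEF" for ch in cleaned):
        raise ValueError("not a SHA-1 thumbprint: %r" % (thumbprint,))
    return cleaned


def thumbprint_of_der(der_cert):
    """SHA-1 over the DER-encoded certificate: the value .NET reports as
    X509Certificate2.Thumbprint and that the Octopus portal shows for a machine."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def parse_target(target):
    """'host' or 'host:port' -> (host, port); the port defaults to 10933."""
    host, sep, port = target.rpartition(":")
    if not sep:
        return target, TENTACLE_PORT
    return host, int(port)


def tcp_reachable(host, port, timeout=5.0):
    """Plain TCP connect: proves a route and an open port exist, nothing more."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_tentacle_thumbprint(host, port, timeout=5.0):
    """TLS handshake to the Tentacle and return the thumbprint of the cert it
    presented. Chain verification is off because the cert is self-signed; the
    identity check is the thumbprint comparison done by the caller."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return thumbprint_of_der(der)


def check_tentacle(target, expected_thumbprint, timeout=5.0):
    """Run the TCP check, then the TLS/thumbprint check, and report each step
    so a failure can be placed at the network layer or at the identity layer."""
    host, port = parse_target(target)
    result = {"host": host, "port": port, "tcp": False, "tls": False,
              "thumbprint": None, "match": False, "error": None}
    result["tcp"] = tcp_reachable(host, port, timeout)
    if not result["tcp"]:
        result["error"] = "no TCP path to %s:%d" % (host, port)
        return result
    try:
        result["thumbprint"] = fetch_tentacle_thumbprint(host, port, timeout)
        result["tls"] = True
    except (ssl.SSLError, OSError) as exc:
        result["error"] = "TLS handshake failed: %s" % exc
        return result
    result["match"] = result["thumbprint"] == normalise_thumbprint(expected_thumbprint)
    if not result["match"]:
        result["error"] = "endpoint presented a different certificate than the registered Tentacle"
    return result


if __name__ == "__main__":
    # Usage: python check_tentacle.py <host[:port]> <expected-thumbprint>
    # Host and thumbprint below are placeholders, not values from the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "tentacle.internal.example:10933"
    expected = sys.argv[2] if len(sys.argv) > 2 else "0000000000000000000000000000000000000000"
    for key, value in check_tentacle(target, expected).items():
        print("%-10s %s" % (key, value))
```

Because the TCP and TLS results are reported separately, a failing deployment can be attributed either to a missing route or security-group rule (TCP false) or to the path terminating somewhere other than the Tentacle (TLS succeeds but the thumbprint does not match), which is the distinction you need when a load balancer or proxy sits in between.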