Deploy to AWS private subnet using Octopus from on-premise VM

We have octopus deploy running on an on-premise VM deploying an ASP.Net MVC website to an AWS window’s EC2 instance via a listening tentacle. The EC2 instance was originally in a public subnet and, providing we added the EC2 IP address to the octopus server firewall, and the opened up port 10933 in AWS, this all worked fine.

However, for security reasons, we have moved the EC2 to a private subnet behind an ALB. This has meant the Octopus deployments have stopped working because they cannot access the EC2 server. We have tried switching to a polling tentacle via NAT gateway, but it is unable to connect to the Octopus Server. This is because the on-premise VM is not exposed to the internet (intranet only) and so the polling tentacle is unable to access the HTTP Octopus Web Portal. We would be unable to change this (i.e. make octopus web portal internet accessible).We have full control of the AWS environment, but not the on-premise VM.

Is there some way to get this working either as a listening or polling tentacle with this setup?

Hi Corun,

If I understand correctly, you have two completely separate private subnet environments (on-premise VM running Octopus Server) and a private subnet with an ALB in Amazon and no real connection between them. (An “air gap” if you will.)

You have a listening tentacle residing on the EC2 instance that needs to communicate with your Octopus Server, however you have limited control over the server in which Octopus Deploy is installed on. (i.e. you can expose port 10933 but not HTTP or HTTPS due to security concerns). You had a working setup, up until you introduced an ALB, and placed the server with the tentacle into a private subnet in Amazon.

It seems like the only new piece of what was a working puzzle, is the ALB.

You shouldn’t have to expose your Octopus Server interface to the internet, but you will need to have a route between the two endpoints - the listening tentacle and the Octopus Server.

Have you considered a proxy to route your Octopus Deploy traffic to your ALB and then using the ALB rules to send that traffic to your Tentacle?

You could also achieve a connection between the two endpoints if you were to create a VPN.

Failing both of these solutions, we have an option called offline package drop, which will package up your solution, ready to execute on your target machine. You will just need to drop the files to your target machine and execute.

Let me know what option you go for and if you need any help putting all the pieces in place.



Thanks for the feedback- very useful.
So I set-up an Application Load Balancer for octopus deployments which forwards the octopus traffic to the tentacle on the EC2 containing the web application.
We are also setting up an EC2 for same web application in a second availability zone, as well as having a windows service running in a separate EC2. Would like to use Octopus for these deployments as well.
Would I be able to use the same ALB to forward to these other tentacles or would I need a separate ALB for each deployment ?
Would be good if it could be done from the same ALB as this will mean we don’t have to keep adding IP addresses to the Octopus Deploy firewall which has substantial lead time.

Hi Corun,

If each tentacle is on it’s own host, then it seems like a single ALB should suffice. You should be able to achieve this by setting Host rules on your ALB. It looks to be fairly straight forward, but not anything that I’ve configured myself.

I would love to know if you get this configured and working, as it seems like an interesting use case.

Let me know if there is anything else I can help with.



This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.