---
title: Ansible Tower exposed to the internet
---

# Ansible Tower exposed to the internet

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc`

**Cloud Provider:** Ansible Inventory

**Platform:** Ansible

**Severity:** Medium

**Category:** Best Practices

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible-tower/latest/html/administration/security_best_practices.html#understand-the-architecture-of-ansible-and-tower)

### Description{% #description %}

Ansible Tower hosts must not be assigned public IP addresses. Tower holds the credentials used to reach every managed node, so exposing its web UI and API to the public internet increases the risk of unauthorized access and credential compromise of your entire automation infrastructure. The check inspects the Ansible inventory resource (`ansible_inventory`) for entries under `all.children.tower.hosts` and expects each host to be a private IP address (RFC 1918) or an internal DNS name rather than a public IP. Hosts set to public IPs are flagged.

Use private IP ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`) or internal hostnames, and place Tower behind a VPN, bastion host, or firewall/security-group restrictions to limit exposure. Note that the check is static: it looks at the literal host entries and does not resolve DNS names, so an internal-looking hostname that actually resolves to a public address will pass. Verify such names separately, and give the same scrutiny to any `ansible_host` variable, since that value, not the inventory key, is the address Ansible connects to.

Compliant inventory entry using an internal hostname whose connection address is a private IP:

```yaml
all:
  children:
    tower:
      hosts:
        tower.internal.example.com:
          ansible_host: 10.0.1.5
```
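The static check the description outlines, implemented as an added example (this is not Datadog's rule engine or Ansible code). It parses an INI inventory into the same nested layout a YAML inventory has (a YAML file would be loaded with `yaml.safe_load`, omitted here to keep the script dependency-free), searches for the `tower` group, takes each host's effective address (`ansible_host` if set, otherwise the host key) and uses `ipaddress.is_global` to separate public IPs from private, loopback, CGNAT and documentation ranges. It goes beyond the page in two ways: it finds a `tower` group nested under other groups, and it reports DNS names it cannot classify instead of silently passing them. The sample inventories and host names such as `tower-02.acme.org` are constructed for the example.

```python
"""Static check for the rule on this page: report `tower` inventory hosts whose
address is a publicly routable IP. Added example (not Datadog's or Ansible's
code); standard library only, so it runs offline on a saved inventory file."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed INI inventory modelled on the page's non-compliant example.
# tower-02 is keyed by a name but connects to a public address via ansible_host;
# tower-03 is private; tower-04 is a bare DNS name the static check cannot judge.
INI_INVENTORY = """\
[tower]
150.50.1.1
tower-02.acme.org ansible_host=139.50.1.2
tower-03.acme.org ansible_host=172.27.0.3
tower-04.acme.org
[database]
database-01.acme.org
[all:vars]
admin_password='<password>'
pg_host='database-01.acme.org'
"""

# Constructed dict in the layout yaml.safe_load() returns for a YAML inventory
# (the page's YAML examples load into this shape).
YAML_INVENTORY = {
    "all": {
        "children": {
            "tower": {
                "hosts": {
                    "139.50.1.1": {"pg_host": "database-01.acme.org"},
                    "tower.internal.example.com": {"ansible_host": "10.0.1.5"},
                }
            },
            "database": {"hosts": {"database-01.acme.org": {}}},
            "ungrouped": {},
        }
    }
}


def parse_ini_inventory(text: str) -> dict:
    """Convert INI inventory text into the nested dict layout of a YAML inventory.

    Host lines are `<host> [key=value ...]`; `[group:vars]` and `[group:children]`
    sections carry no host addresses and are skipped.
    """
    groups: Dict[str, dict] = {}
    section = "ungrouped"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section.endswith((":vars", ":children")):
            continue
        tokens = line.split()
        hostvars = {}
        for token in tokens[1:]:
            key, _, value = token.partition("=")
            hostvars[key] = value.strip("'\"")
        groups.setdefault(section, {"hosts": {}})["hosts"][tokens[0]] = hostvars
    return {"all": {"children": groups}}


def _find_group(node: dict, name: str) -> dict:
    """Depth-first search for a group by name through nested `children` maps, so a
    tower group nested under another group is still found (goes beyond the page's
    flat `all.children.tower` layout)."""
    for group_name, group in (node.get("children") or {}).items():
        group = group or {}
        if group_name == name:
            return group
        found = _find_group(group, name)
        if found:
            return found
    return {}


def find_public_tower_hosts(inventory: dict, group: str = "tower") -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (flagged, unresolved) for the hosts of `group`.

    flagged    -- (host, address) pairs whose effective address (ansible_host if
                  set, otherwise the host key) is globally routable: the rule's finding.
    unresolved -- DNS names the static check cannot classify; verify these by hand,
                  since an internal-looking name may still resolve to a public IP.
    """
    flagged, unresolved = [], []
    hosts = _find_group(inventory.get("all") or {}, group).get("hosts") or {}
    for host, hostvars in hosts.items():
        address = (hostvars or {}).get("ansible_host", host)
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            unresolved.append(host)
            continue
        # is_global is False for RFC 1918, loopback, link-local, CGNAT (100.64/10)
        # and documentation/reserved ranges, so only real internet addresses flag.
        if ip.is_global:
            flagged.append((host, address))
    return flagged, unresolved


if __name__ == "__main__":
    for label, inv in (("ini", parse_ini_inventory(INI_INVENTORY)), ("yaml", YAML_INVENTORY)):
        flagged, unresolved = find_public_tower_hosts(inv)
        print(f"{label}: public tower hosts={flagged} needs-manual-check={unresolved}")
```

Run it against a real inventory by replacing the constructed `INI_INVENTORY` string with the file's contents (or, for YAML, the `yaml.safe_load` result). Hosts in the `unresolved` list are not findings of the rule, but they are exactly the entries where an internal-looking name could hide a public address, so they deserve a DNS lookup before the inventory is signed off.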

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
all:
  children:
    automationhub:
      hosts:
        automationhub.acme.org:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    database:
      hosts:
        database-01.acme.org:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    tower:
      hosts:
        172.27.0.5:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    ungrouped: {}
```

```ini
[tower]
172.27.0.2
172.27.0.3
172.27.0.4
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
all:
  children:
    automationhub:
      hosts:
        automationhub.acme.org:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    database:
      hosts:
        database-01.acme.org:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    tower:
      hosts:
        139.50.1.1:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    ungrouped: {}
```

```ini
[tower]
150.50.1.1
[automationhub]
automationhub.acme.org
[database]
database-01.acme.org
[all:vars]
admin_password='<password>'
pg_host='database-01.acme.org'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'
```
