Octopus server security - public internet accessibility

Hi, my current setup is done in an isolated network where the octopus server and tentacles are all on the same network.

I would however like to expand this to some servers in Azure that don’t have access to this local network. That means I may need to set up polling tentacles in Azure to connect to the Octopus server which then needs to be accessible over the internet.

Is this safe? What is the suggested way of doing this kind of configuration?

Hi Johannes,

You certainly can do that safely, if configured correctly.

However, if possible we would recommend creating your Azure Tentacles in Listening mode. Then, in Azure you need to configure security rules to open the port the Tentacle will listen on (10933 by default). You can lock this down to only allow access from the Octopus server.

This way you don’t need to open inbound communications to your internal Octopus server.

Was there a reason you needed to use Polling Tentacles?

Either way, we also support using a proxy for Tentacle communications, if that helps.


Main reason was not needing to set up inbound mapping rules for every Azure server.

Listening is still the best and we may still go that direction.

I guess the polling port is secure as the system is using certificates for security right?

Can I configure a certificate on the octopus server so it can be accessed via https? For the polling setup I had to open ports to the server and the listening port to set up the tentacle, so just need to make sure both entries are secure before going ahead with polling from outside the network.


Awesome thanks, this will surely help

Listening and polling are both equally as secure from an encryption perspective. The only difference is in the network configuration.

If you are referring to exposing the Octopus Web Portal via HTTPS, then absolutely: https://octopus.com/docs/how-to/expose-the-octopus-web-portal-over-https

Please don’t hesitate to ask if you have any further questions.