{"id":220,"date":"2025-11-21T08:07:16","date_gmt":"2025-11-21T08:07:16","guid":{"rendered":"https:\/\/infivit.com\/blog\/?p=220"},"modified":"2025-11-21T08:07:18","modified_gmt":"2025-11-21T08:07:18","slug":"gitlab-runners","status":"publish","type":"post","link":"https:\/\/infivit.com\/blog\/gitlab-runners\/","title":{"rendered":"Multi-Region GitLab Runners on AWS"},"content":{"rendered":"\n<p>Modern software development demands fast, scalable, and fault-tolerant CI\/CD pipelines. To meet these needs, we\u2019ve architected a GitLab CI\/CD solution that combines custom GitLab Runners across multiple AWS regions with robust monitoring and deployment workflows.<\/p>\n\n\n\n<p><strong>This article walks through two core components:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Multi-Region GitLab Runner Architecture.<\/li>\n\n\n\n<li>CI\/CD Pipeline Flow Using GitLab &amp; AWS.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Multi-Region GitLab Runner Architecture (High Availability)<\/h2>\n\n\n\n<p>To ensure high availability and regional redundancy, GitLab Runners are deployed using <strong>Terraform<\/strong> across two AWS regions (<code>us-east-1<\/code> and <code>us-west-2<\/code>). Here&#8217;s how it works:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd0d Key Features:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Terraform-Based Provisioning<\/strong><br>Infrastructure is fully automated using Terraform, enabling reproducible and version-controlled deployments.<\/li>\n\n\n\n<li><strong>Auto Scaling Groups (ASGs)<\/strong><br>Each AWS region has an ASG to automatically scale GitLab Runner EC2 instances based on job load and usage.<\/li>\n\n\n\n<li><strong>Lifecycle Hooks<\/strong><br>Lifecycle hooks ensure clean deregistration of runners before instances are terminated, preventing job interruption.<\/li>\n\n\n\n<li><strong>Regional Redundancy<\/strong><br>Runners are deployed in multiple AWS regions (e.g., <code>us-east-1<\/code>, <code>us-west-2<\/code>) to ensure high availability and fault isolation.<\/li>\n\n\n\n<li><strong>IAM Role Isolation<\/strong><br>EC2 instances use a dedicated IAM role (<code>GitlabRunnerRole<\/code>) with least-privilege access to necessary AWS services.<\/li>\n\n\n\n<li><strong>Security Groups<\/strong><br>Instances are secured using AWS Security Groups, allowing only essential inbound\/outbound traffic such as GitLab job execution and Docker image pulls.<\/li>\n\n\n\n<li><strong>Networking (VPC &amp; Subnets)<\/strong><br>Runners are deployed within private subnets of a VPC, ensuring network isolation. NAT Gateways or VPC endpoints enable outbound internet access while restricting direct public exposure.<\/li>\n<\/ul>\n\n\n\n<p>This setup supports GitLab Projects A, B, and C, enabling job distribution and high throughput builds across multiple teams.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"941\" height=\"801\" src=\"https:\/\/infivit.com\/blog\/wp-content\/uploads\/Untitled-Diagram.drawio.png\" alt=\"\" class=\"wp-image-223\" srcset=\"https:\/\/infivit.com\/blog\/wp-content\/uploads\/Untitled-Diagram.drawio.png 941w, https:\/\/infivit.com\/blog\/wp-content\/uploads\/Untitled-Diagram.drawio-300x255.png 300w, https:\/\/infivit.com\/blog\/wp-content\/uploads\/Untitled-Diagram.drawio-768x654.png 768w\" sizes=\"(max-width: 941px) 100vw, 941px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-default\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">GitLab CI\/CD Pipeline Overview<\/h2>\n\n\n\n<p>This diagram illustrates the full CI\/CD flow triggered by GitLab and managed through custom runners:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"488\" src=\"https:\/\/infivit.com\/blog\/wp-content\/uploads\/circle-ci_gitlab.drawio-2-1024x488.png\" alt=\"\" class=\"wp-image-224\" srcset=\"https:\/\/infivit.com\/blog\/wp-content\/uploads\/circle-ci_gitlab.drawio-2-1024x488.png 1024w, https:\/\/infivit.com\/blog\/wp-content\/uploads\/circle-ci_gitlab.drawio-2-300x143.png 300w, https:\/\/infivit.com\/blog\/wp-content\/uploads\/circle-ci_gitlab.drawio-2-768x366.png 768w, https:\/\/infivit.com\/blog\/wp-content\/uploads\/circle-ci_gitlab.drawio-2.png 1052w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udee0\ufe0f Flow Breakdown:<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Code Push &amp; Pipeline Trigger<\/strong><br>Developers push code to GitLab, which triggers the <code>.gitlab-ci.yml<\/code> pipeline.<\/li>\n\n\n\n<li><strong>CI Pipeline Stages<\/strong><br>The pipeline is broken into stages: <strong>Preparation \u2192 Build \u2192 Test<\/strong>.<\/li>\n\n\n\n<li><strong>Runner Execution<\/strong><br>Jobs are executed on shared or specific GitLab Runners using <strong>Docker Executors<\/strong>.<\/li>\n\n\n\n<li><strong>Job Components<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>Templates<\/strong>: Predefined or custom <code>.yml<\/code> templates define job structure.<\/li>\n\n\n\n<li><strong>Artifacts<\/strong>: Build\/test outputs are stored and passed between jobs.<\/li>\n\n\n\n<li><strong>Variables<\/strong>: Global environment variables and secrets are securely injected.<\/li>\n\n\n\n<li><strong>Docker Containers<\/strong>: Jobs run inside clean, isolated containers.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Deployment to AWS<\/strong><br>After successful builds and tests, code is deployed to AWS.<\/li>\n\n\n\n<li><strong>Monitoring &amp; Notifications<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>CloudWatch and Audit Logs<\/strong> monitor pipeline and infrastructure health.<\/li>\n\n\n\n<li><strong>Slack\/Email<\/strong> notifications inform developers of pipeline status.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd10 GitLab Security Templates<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>Security\/SAST<\/code><\/strong> \u2013 Scans your source code for security vulnerabilities during development.<\/li>\n\n\n\n<li><strong><code>Security\/DAST<\/code><\/strong> \u2013 Tests your running application for runtime security issues.<\/li>\n\n\n\n<li><strong><code>Dependency-Scanning<\/code><\/strong> \u2013 Identifies known vulnerabilities in third-party libraries and packages.<\/li>\n\n\n\n<li><strong><code>Container-Scanning<\/code><\/strong> \u2013 Analyzes Docker images for OS-level security flaws.<\/li>\n\n\n\n<li><strong><code>Secret-Detection<\/code><\/strong> \u2013 Detects accidentally committed secrets like API keys or passwords.<\/li>\n\n\n\n<li><strong><code>Coverage-Fuzzing<\/code><\/strong> \u2013 Sends unexpected inputs to find bugs and crash conditions in your code.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"419\" src=\"https:\/\/infivit.com\/blog\/wp-content\/uploads\/Screenshot-2025-07-08-at-2.31.14\u202fPM-1024x419.png\" alt=\"\" class=\"wp-image-231\" srcset=\"https:\/\/infivit.com\/blog\/wp-content\/uploads\/Screenshot-2025-07-08-at-2.31.14\u202fPM-1024x419.png 1024w, https:\/\/infivit.com\/blog\/wp-content\/uploads\/Screenshot-2025-07-08-at-2.31.14\u202fPM-300x123.png 300w, https:\/\/infivit.com\/blog\/wp-content\/uploads\/Screenshot-2025-07-08-at-2.31.14\u202fPM-768x314.png 768w, https:\/\/infivit.com\/blog\/wp-content\/uploads\/Screenshot-2025-07-08-at-2.31.14\u202fPM-1536x629.png 1536w, https:\/\/infivit.com\/blog\/wp-content\/uploads\/Screenshot-2025-07-08-at-2.31.14\u202fPM-2048x838.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u2705 Benefits of This Solution<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Highly Available<\/strong>: Cross-region runners avoid single points of failure.<\/li>\n\n\n\n<li><strong>Scalable<\/strong>: Auto-scaling runners handle varying workloads dynamically.<\/li>\n\n\n\n<li><strong>Secure &amp; Isolated<\/strong>: Each job runs in containers with limited IAM roles.<\/li>\n\n\n\n<li><strong>End-to-End Visibility<\/strong>: Logs, metrics, and alerts offer full transparency.<\/li>\n\n\n\n<li><strong>Developer Friendly<\/strong>: Fully automated with reusable templates and fast feedback loops.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n","protected":false},"excerpt":{"rendered":"<p>Modern software development demands fast, scalable, and fault-tolerant CI\/CD pipelines. To meet these needs, we\u2019ve architected a GitLab CI\/CD solution that combines custom GitLab Runners across multiple AWS regions with robust monitoring and deployment workflows. This article walks through two core components: Multi-Region GitLab Runner Architecture (High Availability) To ensure high availability and regional redundancy, &#8230; <a title=\"Multi-Region GitLab Runners on AWS\" class=\"read-more\" href=\"https:\/\/infivit.com\/blog\/gitlab-runners\/\" aria-label=\"Read more about Multi-Region GitLab Runners on AWS\">Read more<\/a><\/p>\n","protected":false},"author":7,"featured_media":335,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[22,5,27,29,18,30,28,4,25],"class_list":["post-220","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ci-cd","tag-aws","tag-cloudsecurity","tag-gitlab","tag-gitlab-runner","tag-gitops","tag-ha","tag-multiregion","tag-security","tag-terraform"],"_links":{"self":[{"href":"https:\/\/infivit.com\/blog\/wp-json\/wp\/v2\/posts\/220","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infivit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infivit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infivit.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/infivit.com\/blog\/wp-json\/wp\/v2\/comments?post=220"}],"version-history":[{"count":3,"href":"https:\/\/infivit.com\/blog\/wp-json\/wp\/v2\/posts\/220\/revisions"}],"predecessor-version":[{"id":336,"href":"https:\/\/infivit.com\/blog\/wp-json\/wp\/v2\/posts\/220\/revisions\/336"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infivit.com\/blog\/wp-json\/wp\/v2\/media\/335"}],"wp:attachment":[{"href":"https:\/\/infivit.com\/blog\/wp-json\/wp\/v2\/media?parent=220"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infivit.com\/blog\/wp-json\/wp\/v2\/categories?post=220"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infivit.com\/blog\/wp-json\/wp\/v2\/tags?post=220"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}