Duo Agent Platform should correctly accommodate IP enforcement for customers


Per https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/duo_workflow/#gitlabcom-architecture we send requests to GitLab Rails from Duo Workflow Service. These will be blocked if the customer uses IP address enforcement.

We probably need to consider:

  1. Requests probably shouldn't be routed via the internet anyway, as this is costing us egress traffic, and maybe we already correctly handle IP restrictions for internal traffic.
  2. If we have a range of IP addresses for our internal runway service, we should always allowlist this and not leave it up to the customer.
  3. We could also look into proxying via the executor for IP-restricted groups, but the code at https://gitlab.com/gitlab-org/modelops/applied-ml/code-suggestions/ai-assist/-/blob/2a239c356a917c669b65f3450e535b74c956bc3b/duo_workflow_service/gitlab/http_client_factory.py#L12 does not yet allow for this, as any requests for https://gitlab.com are direct from Duo Workflow Service.
Edited by 🤖 GitLab Bot 🤖
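
The allowlisting proposed in point 2, as an added example that is not part of the original issue and is not GitLab's code: a group's IP restriction is evaluated against the customer's ranges first, then against a platform-managed internal range that the customer does not control. `GroupIpPolicy`, `is_allowed`, `PLATFORM_INTERNAL_RANGES` and every address below are hypothetical or constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the internal service's address range; the real
# range is not given in the issue.
PLATFORM_INTERNAL_RANGES = ("10.200.0.0/16",)


@dataclass
class GroupIpPolicy:
    """Hypothetical model of one group's IP restriction setting."""
    customer_ranges: tuple = ()

    @property
    def enforced(self):
        return bool(self.customer_ranges)


def _contains(ranges, addr):
    nets = (ipaddress.ip_network(r, strict=False) for r in ranges)
    return any(addr.version == n.version and addr in n for n in nets)


def is_allowed(policy, peer_ip, internal_ranges=PLATFORM_INTERNAL_RANGES):
    """Return (allowed, reason) for a request reaching an IP-restricted group.

    peer_ip must be the address observed on the connection, not a value taken
    from a client-supplied header, because a match on the internal range
    bypasses the customer's own list.
    """
    if not policy.enforced:
        return True, "no-restriction"
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False, "unparseable-address"  # fail closed
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # treat ::ffff:a.b.c.d as a.b.c.d
    if _contains(policy.customer_ranges, addr):
        return True, "customer-allowlist"
    if _contains(internal_ranges, addr):
        return True, "platform-internal"
    return False, "blocked"


if __name__ == "__main__":
    policy = GroupIpPolicy(customer_ranges=("203.0.113.0/24",))
    for ip in ("203.0.113.10", "10.200.4.7", "198.51.100.9"):
        print(ip, is_allowed(policy, ip))
    # Customer list only, the situation the issue describes:
    print("10.200.4.7", is_allowed(policy, "10.200.4.7", internal_ranges=()))
```

Returning the reason alongside the decision lets audit logs distinguish requests admitted by the platform-managed range from those admitted by the customer's own list.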