Ansible Control Node Configuration

Good Afternoon,
My team is in the process of doing a review of our current environment. The question came up, that since the ansible control node has the “keys to the kingdom” that it should not live on public IP space. So I thought I might ask, what are you folks doing in terms of where your control node sits. Are you exposed to the internet, are you on either private IP space ( ie. 10 net or 192.168 space ), or are you behind a firewall, or some other kinds of network security type devices/technologies.

–John

We also investigating the best setup.
On the moment we have a sort of call home system the remote is a linux applianceand the control node is in docker.
The remote appliance makes a ssh tunnel to the main and we use the controle node trought that tunnel.
On the firewall’s the ip’s are added to the rules.