If you’re provisioning RKE1 clusters, it will SSH into the nodes to deploy Kubernetes components; other than that, all communication is inbound to Rancher. RKE2 and K3s only require outbound connectivity, as the installation is embedded in the cloud-init metadata.