I am curious about this requirement for running extra agants: "An agent should be able to open HTTP connections to the server (to the same URL as server web UI)". As I understood it, when you run VCS Mode "Automatically on server", the server performs the checkout of the sources and sends it over to the agent.
In a scenario, where you host your VCS and your TC server on your own subnet, and want to run extra agents in the cloud (EC2), you need to make the server accessible from the outside (less secure). Why does the agent need to reach the server, is it because of build results, artifacts etc.? Couldn't that be handled by the server polling the agent?