Any firewall solution on Ubuntu uses the same framework in the Linux kernel, and that only supports IPs. So your firewall solution resolves hostnames when setting up rules, but unless that is redone quite frequently, using hostnames that point to changing IPs will cause problems.
In general: it's a bad idea to use hostnames in firewall rules (the software that does the resolving might make things less bad, but not all problems can be avoided). The major problem is that you need to have working DNS in order to set firewall rules; depending on specifics, that might mean nothing on the machine gets up if DNS is down - imagine this being on the DNS server.
If the IPs change as some kind of load balancing scheme, but all IPs work, you can use the same workaround as I've used in a similar case: do a standard DNS lookup of the name, select one IP (if multiple are returned), add that to my firewall rules, and put the name into /etc/hosts to always resolve to that IP. Yes, that breaks the provider's load balancing, but held against my security, I know what wins for me.
(For GitLab we don’t have a firewall that restrictive.)
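The pin-one-IP workaround from the post, as an added example (not the poster's own script): resolve the name once, pick a single IPv4 address, and emit both the firewall rule and the /etc/hosts line that pins the name to it. It assumes iptables and getent are the tools in use; the rule only covers outbound TCP/443, and the resolved list is passed in explicitly so the run below uses a constructed result rather than a live lookup.

```shell
#!/bin/sh
# Pin a hostname to one IPv4 address for firewall rules and /etc/hosts.
# Assumed tooling: getent (glibc resolver) and iptables. The functions only
# print the commands/lines; apply them by piping into sh or appending to
# /etc/hosts after reviewing the output.

# Live lookup: A records for NAME, one per line, deduplicated.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Choose the first plausible IPv4 from a newline-separated list.
# Prints nothing when the list is empty (e.g. DNS was down at rule time).
pick_ip() {
    printf '%s\n' "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# /etc/hosts entry that makes NAME always resolve to IP.
hosts_line() {
    printf '%s %s\n' "$2" "$1"
}

# iptables command allowing outbound HTTPS to IP only.
firewall_rule() {
    printf 'iptables -A OUTPUT -d %s -p tcp --dport 443 -j ACCEPT\n' "$1"
}

# pin_host NAME IPLIST: print rule + hosts entry, or fail if nothing resolved,
# so a DNS outage never silently produces an empty/overly broad rule.
pin_host() {
    name=$1
    ip=$(pick_ip "$2")
    if [ -z "$ip" ]; then
        echo "pin_host: no IPv4 address for $name, refusing to write rule" >&2
        return 1
    fi
    firewall_rule "$ip"
    hosts_line "$name" "$ip"
}

# Constructed lookup result standing in for "resolve_ipv4 example.invalid":
sample_ips=$(printf '203.0.113.10\n203.0.113.11\n')
pin_host "example.invalid" "$sample_ips"
```

In real use replace the constructed list with `"$(resolve_ipv4 "$name")"`; re-run the script whenever the provider rotates addresses, since the pinned IP stops working once it is retired.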