Reply from the support :
Runners communicate with GitLab over HTTPS, entirely through connections initiated from the Runner to GitLab and never in reverse. The advantage here is that you can install a Runner behind a firewall and as long as the Runner has outbound access to GitLab.com it will work. From there, it really doesn’t matter which executor you use (Shell, Docker, etc).
