As of Cloudify 4.0, the agent installer code tries to access agent VM's using the private IP only. Also, the agent is configured to access the manager using the manager's private IP.
This effectively forces the user to establish routes between the manager and agent VM's and vice versa. For certain organizations, this is not an acceptable workaround.
This is related (though not identical) to which was solved partly in 3.4.2 but dropped in 4.0.