- Using GitHub-hosted runners with an Azure VNET is in beta and subject to change.
- Only 4-64 CPU Ubuntu and Windows runners are supported with Azure VNET. For more information on these runner types, see "About larger runners."
- Supported regions include
East US 2, and
West US 2. To request support for a region that is not in this list, fill out the region request form.
- Private networking for GitHub-hosted runners does not support static IP addresses for larger runners. You must use dynamic IP addresses, which is the default configuration for larger runners. For more information about networking for larger runners, see "About larger runners."
If you are using Azure and GitHub Enterprise Cloud, you can use GitHub-hosted runners in your Azure VNET(s) using the Azure private network configuration. For more information about Azure VNET, see What is Azure Virtual Network? in the Azure documentation.
Using GitHub-hosted runners in an Azure VNET enables you to use GitHub-managed infrastructure for CI/CD while providing you with full control over the networking policies of your runners.
You can connect multiple VNET-subnet pairs to GitHub.com and manage private resource access for your runners via runner groups. For more information about runner groups, see "Controlling access to larger runners."
Using GitHub-hosted runners within Azure VNET allows you to perform the following actions.
- Privately connect a runner to resources inside an Azure VNET without opening internet ports, including on-premises resources accessible from the Azure VNET.
- Restrict what GitHub-hosted runners can access or connect to with full control over outbound network policies.
- Monitor network logs for GitHub-hosted runners and view all connectivity to and from a runner.
To facilitate communication between GitHub networks and your VNET, a GitHub-hosted runner's network interface card (NIC) deploys into your Azure VNET.
Because the NIC lives within your VNET, GitHub cannot block inbound connections. By default, Azure virtual machines will accept inbound connections from the same VNET. For more information, see
AllowVNetInBound on Microsoft Learn. It is recommended to explicitly block all inbound connections to the runners. GitHub will never require inbound connections to these machines.
A NIC enables an Azure virtual machine (VM) to communicate with internet, Azure, and on-premises resources. This way, all communication is kept private within the network boundaries, and networking policies applied to the VNET also apply to the runner. For more information on how to manage a network interface, see Change network interface settings on Microsoft Learn.
- A GitHub Actions workflow is triggered.
- The GitHub Actions service creates a runner.
- The runner service deploys the GitHub-hosted runner's network interface card (NIC) into your Azure VNET.
- The runner agent picks up the workflow job. The GitHub Actions service queues the job.
- The runner sends logs back to the GitHub Actions service.
- The NIC accesses on-premise resources.
In order to successfully deploy a NIC and join a NIC to a subnet, the GitHub Actions service maintains the following permissions in your Azure subscription.
- Create deployments
- Read/write/delete NICs
- Join/read network security groups (NSGs)
- Read/write/join public IPs
- Read virtual networks
- Read/write/join subnet
Because the GitHub-hosted runner's NIC is deployed into your Azure VNET, networking policies applied to the VNET also apply to the runner.
For example, if your VNET is configured with an Azure ExpressRoute to provide access to on-premises resources (e.g. Artifactory) or connected to a VPN tunnel to provide access to other cloud-based resources, those access policies also apply to your runners. Additionally, any outbound rules applied to your VNET's network security group (NSG) also apply, giving you the ability to control outbound access for your runners.
If you have enabled any network logs monitoring for your VNET, you can also monitor network traffic for your runners.
To use GitHub-hosted runners with Azure VNET, you will need to configure your Azure resources then create an Azure private network configuration in GitHub. For more information, see "Configuring private networking for GitHub-hosted runners."