Static IPs
Learn how RunsOn can be configured with static IPs for GitHub Actions runners, ensuring secure, compliant, and reliable CI/CD workflows.
RunsOn supports private networking on AWS, enabling the use of static IPs for egress traffic originating from GitHub Actions runners. This feature is especially useful for organizations that require strict network controls or need to whitelist IP addresses for accessing external resources.
How it Works
With the default CloudFormation template, enabling Private mode makes RunsOn create private subnets for your GitHub Actions runners and provision one managed NAT Gateway. In common AWS regions, a single NAT Gateway costs about $33/month for the hourly charge alone, plus NAT data processing and standard data transfer charges. Check the AWS VPC pricing page for current pricing in your region.
If you need a different network topology, such as an existing VPC, multiple NAT gateways, or your own egress design, use the Terraform / OpenTofu module instead of the default CloudFormation template.
The NAT Gateway is assigned an Elastic IP (EIP) - a static IP address provided by AWS. This EIP becomes the source IP for all outbound traffic from your runners, ensuring that your egress traffic has a consistent and whitelistable IP address.
Then, whenever you want your runners to be launched in the private subnet and thus benefit from the static IP, you simply need to add the private=true label to your runs-on: definition:
jobs:
  build:
    runs-on: runs-on=${{ github.run_id }}/runner=2cpu-linux-x64/private=true
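A guard you could run as the first step of a job that depends on the static IP, as an added example (not RunsOn's own code): it fails closed unless the runner's observed public IP is one of the NAT Gateway Elastic IPs, which catches a job that was launched without private=true. The variable EXPECTED_EGRESS_IPS and the function names are assumptions; set the variable to your own EIPs.

```sh
#!/bin/sh
# Added example. EXPECTED_EGRESS_IPS is an assumed variable holding the NAT
# Gateway Elastic IPs, comma- or space-separated (e.g. a repository variable).

# Return 0 only for a well-formed dotted-quad IPv4 address.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, misplaced dots
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                                # split into octets (digits and dots only)
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# egress_allowed OBSERVED ALLOWLIST: 0 only if OBSERVED is valid and listed.
egress_allowed() {
  observed=$1
  is_ipv4 "$observed" || return 1          # empty or garbled lookup: fail closed
  for candidate in $(printf '%s' "$2" | tr ',' ' '); do
    is_ipv4 "$candidate" || continue       # ignore malformed allowlist entries
    [ "$candidate" = "$observed" ] && return 0
  done
  return 1
}

# Public IP as seen from outside; checkip.amazonaws.com answers in plain text.
current_egress_ip() {
  curl -fsS --max-time 10 https://checkip.amazonaws.com | tr -d '[:space:]'
}

# Entry point for a workflow step: non-zero exit stops the job.
verify_egress() {
  ip=$(current_egress_ip)
  if egress_allowed "$ip" "${EXPECTED_EGRESS_IPS:-}"; then
    echo "egress IP $ip is in the allowlist"
  else
    echo "egress IP '$ip' is not in EXPECTED_EGRESS_IPS; stopping" >&2
    return 1
  fi
}

if [ "${1:-}" = "--run" ]; then verify_egress; fi
```

Invoke the script with `--run` from a step placed before any step that contacts the allowlisted resource.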
Configuration
To take advantage of private networking and static IPs in RunsOn, you need to enable this feature during the setup process, or reconfigure your stack to enable it. RunsOn handles the provisioning and configuration of the necessary AWS resources, including the assignment of the Elastic IPs to the NAT Gateways.
You can easily switch between Public and Private mode by changing the Private CloudFormation parameter to true (Private) or false (Public). By default, RunsOn creates the Stack in Public mode, because NAT gateways incur additional costs and are not needed in most cases.