While GitHub Hosted Runners (GHRs) adhere to high security standards, it's understandable that some companies face unique requirements that GHRs might not initially seem to fulfill. However, it's important to recognize that GHRs offer network configurations to meet even the most stringent security demands. With their security measures and adaptability, GHRs are often the superior choice when considering the total cost of ownership of self-hosting infrastructure.
This gist provides a high-level overview of the network aspects of GHRs and compares the different ways GitHub can offer a secure and customizable setup for your CI/CD requirements.
| Considerations | GitHub-Hosted Standard Runners (Virtual Machine Specifications) | GitHub-Hosted Larger Runners (Virtual Machine Specifications) |
|---|---|---|
| Cloud Host | Microsoft Azure | Microsoft Azure |
| IP Addresses | **IP address range:** Windows and Ubuntu runners are hosted in Azure and consequently share the IP address ranges of the Azure datacenters. These are Microsoft-owned, multi-tenant ranges, so firewall allowlists based on them are not recommended because of how broad the ranges are. | **Static IPs available:** Customers can configure larger runners to receive a static IP address from GitHub's IP address pool that is unique to your runner, allowing you to use those ranges in a firewall allowlist. By default, runners receive a dynamic IP address that changes for each job run. |
| Private Network Integration | Not yet available | **Azure VNET integration:** A GHR's NIC deploys into your Azure VNET. All communication is kept private within the network boundaries, and networking policies applied to the VNET also apply to the runner. Separately, GitHub is developing an AWS/GCP VPC and on-premises VLAN integration featuring a site-to-site WireGuard VPN to link your network with GitHub-Hosted runners (coming soon). |
| API Gateway | Option to use OIDC | Option to use OIDC |
| Network Overlay | Option to use WireGuard | Option to use WireGuard |
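The "Option to use OIDC" row above is easiest to see in a workflow. The following is an added example, not part of the original gist or GitHub's own documentation: a job on a larger runner (the `larger-runner-static-ip` label is an assumption, standing in for whatever label your runner group uses) authenticates to Azure with a short-lived OIDC token instead of a stored client secret, so the only long-lived material in the repository is non-secret identifiers, and the runner's static IP or VNET NIC is what the firewall policy sees.

```yaml
# Added example (not from the gist): OIDC federation from a GitHub-hosted larger runner to Azure.
name: deploy-with-oidc

on:
  push:
    branches: [main]

# Least privilege for GITHUB_TOKEN: only what the job needs.
permissions:
  id-token: write   # allows the job to request a short-lived OIDC token from GitHub
  contents: read    # nothing else is granted

jobs:
  deploy:
    # Assumed label for a larger runner configured with a static IP / Azure VNET NIC.
    runs-on: larger-runner-static-ip
    steps:
      - uses: actions/checkout@v4

      # Federated login. On the Azure side, the app registration's federated credential
      # trusts issuer https://token.actions.githubusercontent.com and a subject such as
      # repo:<org>/<repo>:ref:refs/heads/main, so a token minted for any other repo or
      # branch is rejected. No client secret is stored in GitHub; the three values below
      # are identifiers (placeholders here), kept as repository variables, not secrets.
      - uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

      # Confirms the federated identity is active for this job without any stored credential.
      - name: Verify Azure context
        run: az account show --query id -o tsv
```

If the firewall in front of your Azure resources allowlists the runner's static IP (or the runner sits inside the VNET), the token-based login above is the only credential path the job needs, and rotating or revoking access is done on the Azure federated credential rather than by changing a secret in GitHub.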