From 8e3f6c738fb24cf3745af0ea1b63c3e7af7a918d Mon Sep 17 00:00:00 2001 
From: Joe Clark <31087804+jc-clark@users.noreply.github.com> Date: Tue, 2 Apr 2024 09:25:15 -0700 Subject: [PATCH] Documentation for "Actions: Private networking with Azure VNET - [GA]" (#49834) Co-authored-by: Sarah Edwards Co-authored-by: Steve-Glass <84886334+Steve-Glass@users.noreply.github.com> Co-authored-by: Larissa Fortuna <56982181+lkfortuna@users.noreply.github.com> --- .../about-larger-runners.md | 2 +- .../controlling-access-to-larger-runners.md | 20 +- ...e-networking-with-github-hosted-runners.md | 27 +- ...ithub-hosted-runners-in-your-enterprise.md | 51 +++ ...ted-compute-products-in-your-enterprise.md | 31 ++ ...-networking-for-hosted-compute-products.md | 27 -- ...d-runners-in-your-azure-virtual-network.md | 66 ---- ...ithub-hosted-runners-in-your-enterprise.md | 41 +++ .../index.md | 7 +- ...ithub-hosted-runners-in-your-enterprise.md | 23 ++ ...ucing-github-actions-to-your-enterprise.md | 4 +- ...hub-hosted-runners-in-your-organization.md | 50 +++ ...d-compute-products-in-your-organization.md | 30 ++ ...hub-hosted-runners-in-your-organization.md | 34 ++ .../managing-organization-settings/index.md | 4 + ...hub-hosted-runners-in-your-organization.md | 23 ++ data/allowed-topics.js | 1 + .../actions-private-networking-azure-vnet.yml | 1 + .../actions/about-network-configurations.md | 3 + ...ctions-azure-vnet-resources-config-link.md | 1 - .../azure-vnet-about-larger-runners.md | 3 + .../azure-vnet-actions-service-permissions.md | 40 +++ ...et-configure-azure-resources-procedures.md | 326 +++++++++++------- .../azure-vnet-configuring-overview.md | 5 + ...eating-network-configuration-procedures.md | 60 ++++ .../actions/azure-vnet-deleting-a-subnet.md | 25 ++ ...ure-vnet-hosted-compute-troubleshooting.md | 81 +++++ .../azure-vnet-injected-runners-intro.md | 3 - .../actions/azure-vnet-intro-capabilities.md | 6 + .../azure-vnet-network-communication.md | 16 + .../azure-vnet-network-configuration-intro.md | 3 + .../actions/azure-vnet-networking-policies.md 
| 5 + .../actions/azure-vnet-next-steps-links.md | 1 + .../azure-vnet-over-provisioning-resources.md | 1 + .../actions/azure-vnet-supported-regions.md | 23 ++ ...ation-for-github-hosted-runners-warning.md | 1 - ...networking-actions-azure-vnet-beta-note.md | 10 - 37 files changed, 798 insertions(+), 257 deletions(-) create mode 100644 content/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise.md create mode 100644 content/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products-in-your-enterprise.md delete mode 100644 content/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products.md delete mode 100644 content/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-using-github-hosted-runners-in-your-azure-virtual-network.md create mode 100644 content/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise.md create mode 100644 content/admin/configuration/configuring-private-networking-for-hosted-compute-products/troubleshooting-azure-private-network-configurations-for-github-hosted-runners-in-your-enterprise.md create mode 100644 content/organizations/managing-organization-settings/about-azure-private-networking-for-github-hosted-runners-in-your-organization.md create mode 100644 content/organizations/managing-organization-settings/about-networking-for-hosted-compute-products-in-your-organization.md create mode 100644 content/organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization.md create mode 100644 
content/organizations/managing-organization-settings/troubleshooting-azure-private-network-configurations-for-github-hosted-runners-in-your-organization.md create mode 100644 data/reusables/actions/about-network-configurations.md delete mode 100644 data/reusables/actions/actions-azure-vnet-resources-config-link.md create mode 100644 data/reusables/actions/azure-vnet-about-larger-runners.md create mode 100644 data/reusables/actions/azure-vnet-actions-service-permissions.md rename content/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners.md => data/reusables/actions/azure-vnet-configure-azure-resources-procedures.md (51%) create mode 100644 data/reusables/actions/azure-vnet-configuring-overview.md create mode 100644 data/reusables/actions/azure-vnet-creating-network-configuration-procedures.md create mode 100644 data/reusables/actions/azure-vnet-deleting-a-subnet.md create mode 100644 data/reusables/actions/azure-vnet-hosted-compute-troubleshooting.md delete mode 100644 data/reusables/actions/azure-vnet-injected-runners-intro.md create mode 100644 data/reusables/actions/azure-vnet-intro-capabilities.md create mode 100644 data/reusables/actions/azure-vnet-network-communication.md create mode 100644 data/reusables/actions/azure-vnet-network-configuration-intro.md create mode 100644 data/reusables/actions/azure-vnet-networking-policies.md create mode 100644 data/reusables/actions/azure-vnet-next-steps-links.md create mode 100644 data/reusables/actions/azure-vnet-over-provisioning-resources.md create mode 100644 data/reusables/actions/azure-vnet-supported-regions.md delete mode 100644 data/reusables/actions/network-configuration-for-github-hosted-runners-warning.md delete mode 100644 data/reusables/actions/private-networking-actions-azure-vnet-beta-note.md 
diff --git a/content/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners.md b/content/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners.md
index b363a78b08d2..b3ee3319e986 100644
--- a/content/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners.md
+++ b/content/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners.md
@@ -142,7 +142,7 @@ You can configure the maximum job concurrency, which allows you to control your
 **Notes:**
 - Assigning static IP addresses to runners is only available for {% data variables.actions.hosted_runners %} with Linux or Windows operating systems.
-- {% data reusables.actions.static-ip-limitation-vnet %} For more information about private networking for {% data variables.product.company_short %}-hosted runners, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-using-github-hosted-runners-in-your-azure-virtual-network)."
+- {% data reusables.actions.static-ip-limitation-vnet %} For more information about private networking for {% data variables.product.company_short %}-hosted runners, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise)."
 {% endnote %}
diff --git a/content/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners.md b/content/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners.md
index 253364afd2d8..a1a6a0bd8153 100644
--- a/content/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners.md
+++ b/content/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners.md
@@ -84,16 +84,6 @@ For runner groups in an organization, you can change what repositories in the or
 - [Changing which workflows can access an organization runner group](#changing-which-workflows-can-access-an-organization-runner-group)
 - [Changing which workflows can access an enterprise runner group](#changing-which-workflows-can-access-an-enterprise-runner-group)
-{% ifversion actions-private-networking-azure-vnet %}
-
-## Configuring private network access for larger runners
-
-{% data reusables.actions.azure-vnet-injected-runners-intro %}
-
-If you have configured your enterprise to connect to an Azure VNET, you can give runner groups access to the virtual network. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/connecting-to-a-private-network#using-an-azure-virtual-network-vnet)."
-
-{% endif %}
-
 ### Changing which workflows can access an organization runner group
 {% data reusables.actions.runner-groups-org-navigation %}
@@ -106,6 +96,16 @@ If you have configured your enterprise to connect to an Azure VNET, you can give
 {% endif %}
+{% ifversion actions-private-networking-azure-vnet %}
+
+## Configuring private network access for larger runners
+
+{% data reusables.actions.azure-vnet-network-configuration-intro %}
+
+If you have configured your {% ifversion ghec %}enterprise or {% endif %}organization to connect to an Azure VNET, you can give runner groups access to the virtual network. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/connecting-to-a-private-network/about-private-networking-with-github-hosted-runners#using-an-azure-virtual-network-vnet)."
+
+{% endif %}
+
 ## Changing the name of a runner group
 {% ifversion ghec %}
diff --git a/content/actions/using-github-hosted-runners/connecting-to-a-private-network/about-private-networking-with-github-hosted-runners.md b/content/actions/using-github-hosted-runners/connecting-to-a-private-network/about-private-networking-with-github-hosted-runners.md
index 4aef4e496f34..bc93e1fbeaec 100644
--- a/content/actions/using-github-hosted-runners/connecting-to-a-private-network/about-private-networking-with-github-hosted-runners.md
+++ b/content/actions/using-github-hosted-runners/connecting-to-a-private-network/about-private-networking-with-github-hosted-runners.md
@@ -9,7 +9,12 @@ versions:
 type: overview
 topics:
 - Actions
+ - Action development
+ - Azure Virtual Network
+ - Administrator
 - Developer
+ - CI
+ - CD
 ---
 {% data reusables.actions.enterprise-github-hosted-runners %}
@@ -18,7 +23,7 @@ topics:
 {% data reusables.actions.about-private-networking-github-hosted-runners %}
- There are a few different approaches you could take to configure this access, each with different advantages and disadvantages.
+There are a few different approaches you could take to configure this access, each with different advantages and disadvantages.
 ## Using an API Gateway with OIDC
@@ -32,8 +37,24 @@ topics:
 ## Using an Azure Virtual Network (VNET)
-{% data reusables.actions.private-networking-actions-azure-vnet-beta-note %}
+{% data reusables.actions.azure-vnet-network-configuration-intro %}
-{% data reusables.actions.azure-vnet-injected-runners-intro %} For more information, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-using-github-hosted-runners-in-your-azure-virtual-network)."
+{% ifversion fpt %}
+
+Organization owners using the {% data variables.product.prodname_team %} plan can configure {% data variables.product.company_short %}-hosted runners at the organization level. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/about-azure-private-networking-for-github-hosted-runners-in-your-organization)."
+
+Enterprise owners using {% data variables.product.prodname_ghe_cloud %} can configure Azure private networking at the enterprise level. For more information about upgrading to {% data variables.product.prodname_ghe_cloud %}, see "[AUTOTITLE](/billing/managing-the-plan-for-your-github-account/upgrading-your-accounts-plan)."
+
+For more information about configuring Azure private networking at the enterprise level, see "[AUTOTITLE](/enterprise-cloud@latest/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise)."
+
+{% endif %}
+
+{% ifversion ghec %}
+
+Enterprise owners can configure Azure private networking at the enterprise level. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise)."
+
+Organization owners for organizations in an enterprise can configure {% data variables.product.company_short %}-hosted runners at the organization level. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/about-azure-private-networking-for-github-hosted-runners-in-your-organization)."
+
+{% endif %}
 {% endif %}
diff --git a/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise.md b/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise.md
new file mode 100644
index 000000000000..6d9289078dae
--- /dev/null
+++ b/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise.md
@@ -0,0 +1,51 @@
+---
+title: About Azure private networking for GitHub-hosted runners in your enterprise
+shortTitle: About Azure private networking
+intro: 'You can create create a private network configuration for your enterprise to use {% data variables.product.company_short %}-hosted runners in your Azure Virtual Network(s) (VNET).'
+versions:
+ ghec: '*'
+type: overview
+topics:
+ - Actions
+ - Action development
+ - Azure Virtual Network
+ - Administrator
+ - Developer
+ - CI
+ - CD
+ - Enterprise
+permissions: 'Enterprise owners can create private network configurations at the enterprise level to use {% data variables.product.company_short %}-hosted runners with an Azure VNET.'
+redirect_from:
+ - /actions/using-github-hosted-runners/connecting-to-a-private-network/about-using-github-hosted-runners-in-your-azure-virtual-network
+ - /admin/configuration/configuring-private-networking-for-hosted-compute-products/about-using-github-hosted-runners-in-your-azure-virtual-network
+---
+
+## About Azure private networking for {% data variables.product.company_short %}-hosted runners
+
+{% data reusables.actions.azure-vnet-network-configuration-intro %}
+
+{% data reusables.actions.azure-vnet-intro-capabilities %}
+
+## About using larger runners with Azure VNET
+
+{% data reusables.actions.azure-vnet-about-larger-runners %}
+
+## About network communication
+
+{% data reusables.actions.azure-vnet-network-communication %}
+
+## About supported regions
+
+{% data reusables.actions.azure-vnet-supported-regions %}
+
+## About the {% data variables.product.prodname_actions %} service permissions
+
+{% data reusables.actions.azure-vnet-actions-service-permissions %}
+
+## Using your VNET's network policies
+
+{% data reusables.actions.azure-vnet-networking-policies %}
+
+## Using {% data variables.product.company_short %}-hosted runners with an Azure VNET
+
+{% data reusables.actions.azure-vnet-next-steps-links %}
diff --git a/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products-in-your-enterprise.md b/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products-in-your-enterprise.md
new file mode 100644
index 000000000000..dc805f595235
--- /dev/null
+++ b/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products-in-your-enterprise.md
@@ -0,0 +1,31 @@
+---
+title: About networking for hosted compute products in your enterprise
+shortTitle: About hosted compute networking
+intro: 'You can manage private networking for {% data variables.product.company_short %}-hosted products using network configurations.'
+permissions: 'Enterprise owners can configure private networking for hosted compute products at the enterprise level.'
+versions:
+ ghec: '*'
+type: overview
+topics:
+ - Actions
+ - Action development
+ - Administrator
+ - Developer
+ - CI
+ - CD
+ - Enterprise
+redirect_from:
+ - /admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products
+---
+
+## About network configurations
+
+{% data reusables.actions.about-network-configurations %}
+
+## About Azure private networking for {% data variables.product.prodname_dotcom %}-hosted runners
+
+{% data reusables.actions.azure-vnet-network-configuration-intro %}
+
+For more information about using {% data variables.product.company_short %}-hosted runners with an Azure VNET, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise)."
+
+{% data reusables.actions.azure-vnet-next-steps-links %}
diff --git a/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products.md b/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products.md
deleted file mode 100644
index ea47beb7079d..000000000000
--- a/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-title: About networking for hosted compute products
-shortTitle: About hosted compute networking
-intro: 'You can manage private networking for {% data variables.product.company_short %}-hosted products using network configurations.'
-versions:
- feature: actions-private-networking-azure-vnet
-type: overview
-topics:
- - Actions
- - Developer
----
-
-## About network configurations
-
-Network configurations provide an overarching construct to manage private networking settings for {% data variables.product.company_short %}-hosted compute products including {% data variables.product.company_short %}-hosted runners.
-
-By customizing network configurations for hosted compute products, you can securely access private resources, control outbound network access, and monitor network traffic. This allows you to control and manage network security for your development and CI/CD managed infrastructure within a single place.
-
-## Using {% data variables.product.prodname_dotcom %}-hosted runners with an Azure private network
-
-{% data reusables.actions.private-networking-actions-azure-vnet-beta-note %}
-
-{% data reusables.actions.azure-vnet-injected-runners-intro %}
-
-For more information about how Azure private networking with {% data variables.product.company_short %}-hosted runners works, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-using-github-hosted-runners-in-your-azure-virtual-network)."
-
-{% data reusables.actions.actions-azure-vnet-resources-config-link %} For more information, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners)."
diff --git a/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-using-github-hosted-runners-in-your-azure-virtual-network.md b/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-using-github-hosted-runners-in-your-azure-virtual-network.md
deleted file mode 100644
index d3a35f6b29fc..000000000000
--- a/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-using-github-hosted-runners-in-your-azure-virtual-network.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: About using GitHub-hosted runners in your Azure Virtual Network
-shortTitle: About using Azure virtual network
-intro: 'You can create {% data variables.product.company_short %}-hosted runners in your Azure Virtual Network(s) (VNET).'
-versions:
- feature: actions-private-networking-azure-vnet
-type: overview
-topics:
- - Actions
- - Developer
-redirect_from:
- - /actions/using-github-hosted-runners/connecting-to-a-private-network/about-using-github-hosted-runners-in-your-azure-virtual-network
----
-
-## About using {% data variables.product.company_short %}-hosted runners in your Azure Virtual Network (VNET)
-
-{% data reusables.actions.private-networking-actions-azure-vnet-beta-note %}
-
-{% data reusables.actions.azure-vnet-injected-runners-intro %}
-
-You can connect multiple VNET-subnet pairs to {% data variables.location.product_location %} and manage private resource access for your runners via runner groups. For more information about runner groups, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners)."
-
-Using {% data variables.product.company_short %}-hosted runners within Azure VNET allows you to perform the following actions.
-- Privately connect a runner to resources inside an Azure VNET without opening internet ports, including on-premises resources accessible from the Azure VNET.
-- Restrict what {% data variables.product.company_short %}-hosted runners can access or connect to with full control over outbound network policies.
-- Monitor network logs for {% data variables.product.company_short %}-hosted runners and view all connectivity to and from a runner.
-
-## About network communication
-
-To facilitate communication between {% data variables.product.company_short %} networks and your VNET, a {% data variables.product.company_short %}-hosted runner's network interface card (NIC) deploys into your Azure VNET.
-
-Because the NIC lives within your VNET, {% data variables.product.company_short %} cannot block inbound connections. By default, Azure virtual machines will accept inbound connections from the same VNET. For more information, see [`AllowVNetInBound`](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#allowvnetinbound) on Microsoft Learn. It is recommended to explicitly block all inbound connections to the runners. {% data variables.product.company_short %} will never require inbound connections to these machines.
-
-A NIC enables an Azure virtual machine (VM) to communicate with internet, Azure, and on-premises resources. This way, all communication is kept private within the network boundaries, and networking policies applied to the VNET also apply to the runner. For more information on how to manage a network interface, see [Change network interface settings](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=azure-portal#change-network-interface-settings) on Microsoft Learn.
-
-![Diagram of the network communication architecture between GitHub networks and your private networks. The diagram describes each step in connecting GitHub-hosted runners to an Azure VNET. Each step is numbered and the numbers correspond to the numbered descriptions of the step listed below the diagram.](/assets/images/help/actions/actions-vnet-injected-larger-runners-architecture.png)
-
-1. A {% data variables.product.prodname_actions %} workflow is triggered.
-1. The {% data variables.product.prodname_actions %} service creates a runner.
-1. The runner service deploys the {% data variables.product.company_short %}-hosted runner's network interface card (NIC) into your Azure VNET.
-1. The runner agent picks up the workflow job. The {% data variables.product.prodname_actions %} service queues the job.
-1. The runner sends logs back to the {% data variables.product.prodname_actions %} service.
-1. The NIC accesses on-premise resources.
-
-## About the {% data variables.product.prodname_actions %} service permissions
-
-In order to successfully deploy a NIC and join a NIC to a subnet, the {% data variables.product.prodname_actions %} service maintains the following permissions in your Azure subscription.
-
-- Create deployments
-- Read/write/delete NICs
-- Join/read network security groups (NSGs)
-- Read/write/join public IPs
-- Read virtual networks
-- Read/write/join subnet
-
-## Using your VNET's network policies
-
-Because the {% data variables.product.company_short %}-hosted runner's NIC is deployed into your Azure VNET, networking policies applied to the VNET also apply to the runner.
-
-For example, if your VNET is configured with an Azure ExpressRoute to provide access to on-premises resources (e.g. Artifactory) or connected to a VPN tunnel to provide access to other cloud-based resources, those access policies also apply to your runners. Additionally, any outbound rules applied to your VNET's network security group (NSG) also apply, giving you the ability to control outbound access for your runners.
-
-If you have enabled any network logs monitoring for your VNET, you can also monitor network traffic for your runners.
-
-## Using {% data variables.product.company_short %}-hosted runners with an Azure VNET
-
-{% data reusables.actions.actions-azure-vnet-resources-config-link %} For more information, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners)."
diff --git a/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise.md b/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise.md
new file mode 100644
index 000000000000..cdebc8b02969
--- /dev/null
+++ b/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise.md
@@ -0,0 +1,41 @@
+---
+title: Configuring private networking for GitHub-hosted runners in your enterprise
+shortTitle: Configuring private networking
+intro: 'Learn how to use {% data variables.product.company_short %}-hosted runners with an Azure private network.'
+versions:
+ ghec: '*'
+type: how_to
+permissions: 'Enterprise owners can configure private networking for GitHub-hosted runners at the enterprise level.'
+topics:
+ - Actions
+ - Action development
+ - Azure Virtual Network
+ - Administrator
+ - Developer
+ - CI
+ - CD
+ - Enterprise
+redirect_from:
+ - /actions/using-github-hosted-runners/connecting-to-a-private-network/configuring-an-azure-virtual-network-for-your-enterprise
+ - /actions/using-github-hosted-runners/connecting-to-a-private-network/configuring-azure-resources-for-private-networking-with-github-hosted-runners
+ - /admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-azure-resources-for-private-networking-with-github-hosted-runners
+ - /admin/configuration/configuring-private-networking-for-hosted-compute-products/creating-a-network-configuration-with-an-azure-private-network
+ - /actions/using-github-hosted-runners/connecting-to-a-private-network/configuring-your-github-settings-for-use-with-azure-virtual-network
+ - /admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners
+---
+
+## About Azure private networking for {% data variables.product.company_short %}-hosted runners
+
+{% data reusables.actions.azure-vnet-configuring-overview %}
+
+## Configuring your Azure resources
+
+{% data reusables.actions.azure-vnet-configure-azure-resources-procedures %}
+
+## Creating a network configuration for your enterprise in {% data variables.product.company_short %}
+
+{% data reusables.actions.azure-vnet-creating-network-configuration-procedures %}
+
+## Deleting a subnet
+
+{% data reusables.actions.azure-vnet-deleting-a-subnet %}
diff --git a/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/index.md b/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/index.md
index 7a1aa1fb091d..d3308b17e014 100644
--- a/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/index.md
+++ b/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/index.md
@@ -9,7 +9,8 @@ topics:
 - Networking
 - Actions
 children:
- - /about-networking-for-hosted-compute-products
- - /about-using-github-hosted-runners-in-your-azure-virtual-network
- - /configuring-private-networking-for-github-hosted-runners
+ - /about-networking-for-hosted-compute-products-in-your-enterprise
+ - /about-azure-private-networking-for-github-hosted-runners-in-your-enterprise
+ - /configuring-private-networking-for-github-hosted-runners-in-your-enterprise
+ - /troubleshooting-azure-private-network-configurations-for-github-hosted-runners-in-your-enterprise
 ---
diff --git a/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/troubleshooting-azure-private-network-configurations-for-github-hosted-runners-in-your-enterprise.md b/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/troubleshooting-azure-private-network-configurations-for-github-hosted-runners-in-your-enterprise.md
new file mode 100644
index 000000000000..cc00e9e9a0c4
--- /dev/null
+++ b/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/troubleshooting-azure-private-network-configurations-for-github-hosted-runners-in-your-enterprise.md
@@ -0,0 +1,23 @@
+---
+title: Troubleshooting Azure private network configurations for GitHub-hosted runners in your enterprise
+shortTitle: Troubleshooting Azure private networking
+intro: 'Learn how to fix common issues while creating Azure private network configurations to use {% data variables.product.company_short %}-hosted runners with an Azure VNET.'
+versions:
+ ghec: '*'
+type: how_to
+permissions: 'Enterprise owners can configure private networking for GitHub-hosted runners at the enterprise level.'
+topics:
+ - Actions
+ - Action development
+ - Azure Virtual Network
+ - Administrator
+ - Developer
+ - CI
+ - CD
+ - Enterprise
+ - Troubleshooting
+---
+
+## Troubleshooting configuring private networking for {% data variables.product.company_short %}-hosted runners in your enterprise
+
+{% data reusables.actions.azure-vnet-hosted-compute-troubleshooting %}
diff --git a/content/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md b/content/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md
index 5a4e801ceb9e..60a3fc17b194 100644
--- a/content/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md
+++ b/content/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md
@@ -61,9 +61,7 @@ There is significant risk in sourcing actions from third-party repositories on {
 ### Private networking with GitHub-hosted runners
-{% data reusables.actions.private-networking-actions-azure-vnet-beta-note %}
-
-{% data reusables.actions.azure-vnet-injected-runners-intro %} For more information, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-using-github-hosted-runners-in-your-azure-virtual-network)."
+{% data reusables.actions.azure-vnet-network-configuration-intro %} For more information, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise)."
 {% endif %}
diff --git a/content/organizations/managing-organization-settings/about-azure-private-networking-for-github-hosted-runners-in-your-organization.md b/content/organizations/managing-organization-settings/about-azure-private-networking-for-github-hosted-runners-in-your-organization.md
new file mode 100644
index 000000000000..da9ea8427123
--- /dev/null
+++ b/content/organizations/managing-organization-settings/about-azure-private-networking-for-github-hosted-runners-in-your-organization.md
@@ -0,0 +1,50 @@
+---
+title: About Azure private networking for GitHub-hosted runners in your organization
+shortTitle: About Azure private networking
+intro: 'You can create create a private network configuration for your organization to use {% data variables.product.company_short %}-hosted runners in your Azure Virtual Network(s) (VNET).'
+versions:
+ feature: actions-private-networking-azure-vnet
+type: overview
+permissions: 'Organizations in an enterprise and organizations using the {% data variables.product.prodname_team %} plan can configure {% data variables.product.company_short %}-hosted runners at the organization level.'
+topics:
+ - Actions
+ - Action development
+ - Azure Virtual Network
+ - Administrator
+ - Developer
+ - CI
+ - CD
+ - Organizations
+redirect_from:
+ - /organizations/managing-organization-settings/about-using-github-hosted-runners-in-your-azure-virtual-network
+---
+
+## About Azure private networking for {% data variables.product.company_short %}-hosted runners
+
+{% data reusables.actions.azure-vnet-network-configuration-intro %}
+
+{% data reusables.actions.azure-vnet-intro-capabilities %}
+
+## About using larger runners with Azure VNET
+
+{% data reusables.actions.azure-vnet-about-larger-runners %}
+
+## About network communication
+
+{% data reusables.actions.azure-vnet-network-communication %}
+
+## About supported regions
+
+{% data reusables.actions.azure-vnet-supported-regions %}
+
+## About the {% data variables.product.prodname_actions %} service permissions
+
+{% data reusables.actions.azure-vnet-actions-service-permissions %}
+
+## Using your VNET's network policies
+
+{% data reusables.actions.azure-vnet-networking-policies %}
+
+## Using {% data variables.product.company_short %}-hosted runners with an Azure VNET
+
+{% data reusables.actions.azure-vnet-next-steps-links %}
diff --git a/content/organizations/managing-organization-settings/about-networking-for-hosted-compute-products-in-your-organization.md b/content/organizations/managing-organization-settings/about-networking-for-hosted-compute-products-in-your-organization.md
new file mode 100644
index 000000000000..67e01f6eea2d
--- /dev/null
+++ b/content/organizations/managing-organization-settings/about-networking-for-hosted-compute-products-in-your-organization.md
@@ -0,0 +1,30 @@
+---
+title: About networking for hosted compute products in your organization
+shortTitle: About private networking
+intro: 'You can manage private networking for {% data variables.product.company_short %}-hosted products using network configurations in your organization.'
+permissions: 'Enterprise-owned organizations and organizations using the {% data variables.product.prodname_team %} plan can configure private networking for GitHub-hosted runners at the organization level.'
+versions:
+ feature: actions-private-networking-azure-vnet
+type: how_to
+topics:
+ - Actions
+ - Action development
+ - Azure Virtual Network
+ - Administrator
+ - Developer
+ - CI
+ - CD
+ - Organizations
+---
+
+## About network configurations
+
+{% data reusables.actions.about-network-configurations %}
+
+## About Azure private networking for {% data variables.product.prodname_dotcom %}-hosted runners
+
+{% data reusables.actions.azure-vnet-network-configuration-intro %}
+
+For more information about using an Azure VNET with {% data variables.product.company_short %}-hosted runners works, see{% ifversion ghec %} "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise)."{% else %} "[AUTOTITLE](/organizations/managing-organization-settings/about-azure-private-networking-for-github-hosted-runners-in-your-organization)."{% endif %}
+
+{% data reusables.actions.azure-vnet-next-steps-links %}
diff --git a/content/organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization.md b/content/organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization.md
new file mode 100644
index 000000000000..9466cdb037b7
--- /dev/null
+++ b/content/organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization.md
@@ -0,0 +1,34 @@
+---
+title: Configuring private networking for GitHub-hosted runners in your organization
+shortTitle: Configuring private networking
+intro: 'Learn how to use {% data variables.product.company_short %}-hosted runners with an Azure private network in your organization.'
+versions:
+ feature: actions-private-networking-azure-vnet
+type: how_to
+permissions: 'Enterprise-owned organizations and organizations using the {% data variables.product.prodname_team %} plan can configure private networking for GitHub-hosted runners at the organization level.'
+topics:
+ - Actions
+ - Action development
+ - Azure Virtual Network
+ - Administrator
+ - Developer
+ - CI
+ - CD
+ - Organizations
+---
+
+## About Azure private networking for {% data variables.product.company_short %}-hosted runners
+
+{% data reusables.actions.azure-vnet-configuring-overview %}
+
+## Configuring your Azure resources
+
+{% data reusables.actions.azure-vnet-configure-azure-resources-procedures %}
+
+## Creating a network configuration for your enterprise in {% data variables.product.company_short %}
+
+{% data reusables.actions.azure-vnet-creating-network-configuration-procedures %}
+
+## Deleting a subnet
+
+{% data reusables.actions.azure-vnet-deleting-a-subnet %}
diff --git a/content/organizations/managing-organization-settings/index.md b/content/organizations/managing-organization-settings/index.md
index a695b9c70e6d..d67ff5289a25 100644
--- a/content/organizations/managing-organization-settings/index.md
+++ b/content/organizations/managing-organization-settings/index.md
@@ -21,6 +21,10 @@ children:
 - /managing-the-forking-policy-for-your-organization
 - /managing-pull-request-reviews-in-your-organization
 - /disabling-or-limiting-github-actions-for-your-organization
+ - /about-networking-for-hosted-compute-products-in-your-organization
+ - /about-azure-private-networking-for-github-hosted-runners-in-your-organization
+ - /configuring-private-networking-for-github-hosted-runners-in-your-organization
+ - /troubleshooting-azure-private-network-configurations-for-github-hosted-runners-in-your-organization
 - /configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization
 - /setting-permissions-for-adding-outside-collaborators
 - /allowing-people-to-delete-issues-in-your-organization
diff --git a/content/organizations/managing-organization-settings/troubleshooting-azure-private-network-configurations-for-github-hosted-runners-in-your-organization.md b/content/organizations/managing-organization-settings/troubleshooting-azure-private-network-configurations-for-github-hosted-runners-in-your-organization.md
new file mode 100644
index 000000000000..ec5394a14b68
--- /dev/null
+++ b/content/organizations/managing-organization-settings/troubleshooting-azure-private-network-configurations-for-github-hosted-runners-in-your-organization.md
@@ -0,0 +1,23 @@
+---
+title: Troubleshooting Azure private network configurations for GitHub-hosted runners in your organization
+shortTitle: Troubleshooting Azure private networking
+intro: 'Learn how to fix common issues while creating Azure private network configurations to use {% data variables.product.company_short %}-hosted runners with an Azure VNET.'
+versions:
+ feature: actions-private-networking-azure-vnet
+type: how_to
+permissions: 'Organization owners using the {% data variables.product.prodname_team %} plan can configure private networking for GitHub-hosted runners at the organization level.'
+topics:
+ - Actions
+ - Action development
+ - Azure Virtual Network
+ - Administrator
+ - Developer
+ - CI
+ - CD
+ - Organizations
+ - Troubleshooting
+---
+
+## Troubleshooting configuring private networking for {% data variables.product.company_short %}-hosted runners in your organization
+
+{% data reusables.actions.azure-vnet-hosted-compute-troubleshooting %}
diff --git a/data/allowed-topics.js b/data/allowed-topics.js
index e78323ff5d5e..ad1784a97c00 100644
--- a/data/allowed-topics.js
+++ b/data/allowed-topics.js
@@ -32,6 +32,7 @@ export default [
 'Azure Kubernetes Service',
 'Azure Pipelines',
 'Azure Static Web Apps',
+ 'Azure Virtual Network',
 'Backups',
 'Billing',
 'C/C++',
diff --git a/data/features/actions-private-networking-azure-vnet.yml b/data/features/actions-private-networking-azure-vnet.yml
index 1a3481518ed6..9f185c13b3a8 100644
--- a/data/features/actions-private-networking-azure-vnet.yml
+++ b/data/features/actions-private-networking-azure-vnet.yml
@@ -1,4 +1,5 @@
 # Reference: #9954
 # Documentation for larger-hosted runners with Azure Vnet injection public beta
 versions:
+ fpt: '*'
 ghec: '*'
diff --git a/data/reusables/actions/about-network-configurations.md b/data/reusables/actions/about-network-configurations.md
new file mode 100644
index 000000000000..ceddc7c92bc9
--- /dev/null
+++ b/data/reusables/actions/about-network-configurations.md
@@ -0,0 +1,3 @@
+Network configurations provide an overarching construct to manage private networking settings for {% data variables.product.company_short %}-hosted compute products including {% data variables.product.company_short %}-hosted runners.
+
+By customizing network configurations for hosted compute products, you can securely access private resources, control outbound network access, and monitor network traffic. This allows you to control and manage network security for your development and CI/CD managed infrastructure within a single place.
diff --git a/data/reusables/actions/actions-azure-vnet-resources-config-link.md b/data/reusables/actions/actions-azure-vnet-resources-config-link.md
deleted file mode 100644
index 9bf56967a087..000000000000
--- a/data/reusables/actions/actions-azure-vnet-resources-config-link.md
+++ /dev/null
@@ -1 +0,0 @@
-To use {% data variables.product.company_short %}-hosted runners with Azure VNET, you will need to configure your Azure resources then create an Azure private network configuration in {% data variables.product.company_short %}.
diff --git a/data/reusables/actions/azure-vnet-about-larger-runners.md b/data/reusables/actions/azure-vnet-about-larger-runners.md
new file mode 100644
index 000000000000..6acb63f09b6a
--- /dev/null
+++ b/data/reusables/actions/azure-vnet-about-larger-runners.md
@@ -0,0 +1,3 @@
+2-64 vCPU Ubuntu and Windows runners are supported with Azure VNET. For more information on these runner types, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners#about-ubuntu-and-windows-larger-runners)."
+
+{% data reusables.actions.static-ip-limitation-vnet %} You must use dynamic IP addresses, which is the default configuration for larger runners. For more information about networking for larger runners, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners#networking-for-larger-runners)."
diff --git a/data/reusables/actions/azure-vnet-actions-service-permissions.md b/data/reusables/actions/azure-vnet-actions-service-permissions.md
new file mode 100644
index 000000000000..448abff0ffd2
--- /dev/null
+++ b/data/reusables/actions/azure-vnet-actions-service-permissions.md
@@ -0,0 +1,40 @@
+In order to successfully deploy a NIC and join a NIC to a subnet, the {% data variables.product.prodname_actions %} service maintains the following Azure role-based access control (RBAC) permissions in your Azure subscription. For more information about fine-grained access management of Azure resources, see [Azure RBAC](https://learn.microsoft.com/en-us/azure/role-based-access-control/) in the Azure documentation.
+
+- `GitHub.Network/operations/read`
+- `GitHub.Network/networkSettings/read`
+- `GitHub.Network/networkSettings/write`
+- `GitHub.Network/networkSettings/delete`
+- `Microsoft.Network/locations/operations/read`
+- `Microsoft.Network/locations/operationResults/read`
+- `Microsoft.Network/locations/usages/read`
+- `Microsoft.Network/networkInterfaces/read`
+- `Microsoft.Network/networkInterfaces/write`
+- `Microsoft.Network/networkInterfaces/delete`
+- `Microsoft.Network/networkInterfaces/join/action`
+- `Microsoft.Network/networkSecurityGroups/join/action`
+- `Microsoft.Network/networkSecurityGroups/read`
+- `Microsoft.Network/publicIpAddresses/read`
+- `Microsoft.Network/publicIpAddresses/write`
+- `Microsoft.Network/publicIPAddresses/join/action`
+- `Microsoft.Network/routeTables/join/action`
+- `Microsoft.Network/virtualNetworks/read`
+- `Microsoft.Network/virtualNetworks/subnets/join/action`
+- `Microsoft.Network/virtualNetworks/subnets/read`
+- `Microsoft.Network/virtualNetworks/subnets/write`
+- `Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/delete`
+- `Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/read`
+- `Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/write`
+- `Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/details/read`
+- `Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/validate/action`
+- `Microsoft.Resources/subscriptions/resourceGroups/read`
+- `Microsoft.Resources/subscriptions/resourcegroups/deployments/read`
+- 
`Microsoft.Resources/subscriptions/resourcegroups/deployments/write`
+- `Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read`
+- `Microsoft.Resources/deployments/read`
+- `Microsoft.Resources/deployments/write`
+- `Microsoft.Resources/deployments/operationStatuses/read`
+
+The following permissions will be present on two enterprise applications in your Azure tenant. You will see the enterprise applications your Azure tenant after configuring Azure private networking.
+
+- `GitHub CPS Network Service` id: `85c49807-809d-4249-86e7-192762525474`
+- `GitHub Actions API` id: `4435c199-c3da-46b9-a61d-76de3f2c9f82`
diff --git a/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners.md b/data/reusables/actions/azure-vnet-configure-azure-resources-procedures.md
similarity index 51%
rename from content/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners.md
rename to data/reusables/actions/azure-vnet-configure-azure-resources-procedures.md
index e25d604779da..d2d0126e6bdd 100644
--- a/content/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners.md
+++ b/data/reusables/actions/azure-vnet-configure-azure-resources-procedures.md
@@ -1,37 +1,3 @@
----
-title: Configuring private networking for GitHub-hosted runners
-shortTitle: Configuring private networking
-intro: 'Learn how to use {% data variables.product.company_short %}-hosted runners with an Azure private network.'
-versions:
- feature: actions-private-networking-azure-vnet
-type: how_to
-topics:
- - Actions
- - Developer
-redirect_from:
- - /actions/using-github-hosted-runners/connecting-to-a-private-network/configuring-an-azure-virtual-network-for-your-enterprise
- - /actions/using-github-hosted-runners/connecting-to-a-private-network/configuring-azure-resources-for-private-networking-with-github-hosted-runners
- - /admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-azure-resources-for-private-networking-with-github-hosted-runners
- - /admin/configuration/configuring-private-networking-for-hosted-compute-products/creating-a-network-configuration-with-an-azure-private-network
- - /actions/using-github-hosted-runners/connecting-to-a-private-network/configuring-your-github-settings-for-use-with-azure-virtual-network
----
-
-{% data reusables.actions.private-networking-actions-azure-vnet-beta-note %}
-
-## About configuring private networking for {% data variables.product.company_short %}-hosted runners
-
-{% data reusables.actions.actions-azure-vnet-resources-config-link %}
-
-The following procedures will lead you through the entire configuration process.
-
-{% warning %}
-
-**Warning:** {% data reusables.actions.network-configuration-for-github-hosted-runners-warning %}
-
-{% endwarning %}
-
-## Configuring your Azure resources
-
 You will use a script to automate configuring your Azure resources.
 ### Prerequisites
@@ -60,19 +26,6 @@ You will use a script to automate configuring your Azure resources.
 location: location
 properties: {
 securityRules: [
- {
- name: 'DenyInternetOutBoundOverwrite'
- properties: {
- protocol: '*'
- sourcePortRange: '*'
- destinationPortRange: '*'
- sourceAddressPrefix: '*'
- destinationAddressPrefix: 'Internet'
- access: 'Deny'
- priority: 400
- direction: 'Outbound'
- }
- }
 {
 name: 'AllowVnetOutBoundOverwrite'
 properties: {
@@ -88,21 +41,86 @@ You will use a script to automate configuring your Azure resources.
 }
 }
 {
- name: 'AllowAzureCloudOutBound'
+ name: 'AllowOutBoundActions'
 properties: {
 protocol: 'TCP'
 sourcePortRange: '*'
 destinationPortRange: '443'
 sourceAddressPrefix: '*'
- destinationAddressPrefix: 'AzureCloud'
 access: 'Allow'
 priority: 210
 direction: 'Outbound'
- destinationAddressPrefixes: []
+ destinationAddressPrefixes: [
+ '4.175.114.51/32'
+ '20.102.35.120/32'
+ '4.175.114.43/32'
+ '20.72.125.48/32'
+ '20.19.5.100/32'
+ '20.7.92.46/32'
+ '20.232.252.48/32'
+ '52.186.44.51/32'
+ '20.22.98.201/32'
+ '20.246.184.240/32'
+ '20.96.133.71/32'
+ '20.253.2.203/32'
+ '20.102.39.220/32'
+ '20.81.127.181/32'
+ '52.148.30.208/32'
+ '20.14.42.190/32'
+ '20.85.159.192/32'
+ '52.224.205.173/32'
+ '20.118.176.156/32'
+ '20.236.207.188/32'
+ '20.242.161.191/32'
+ '20.166.216.139/32'
+ '20.253.126.26/32'
+ '52.152.245.137/32'
+ '40.118.236.116/32'
+ '20.185.75.138/32'
+ '20.96.226.211/32'
+ '52.167.78.33/32'
+ '20.105.13.142/32'
+ '20.253.95.3/32'
+ '20.221.96.90/32'
+ '51.138.235.85/32'
+ '52.186.47.208/32'
+ '20.7.220.66/32'
+ '20.75.4.210/32'
+ '20.120.75.171/32'
+ '20.98.183.48/32'
+ '20.84.200.15/32'
+ '20.14.235.135/32'
+ '20.10.226.54/32'
+ '20.22.166.15/32'
+ '20.65.21.88/32'
+ '20.102.36.236/32'
+ '20.124.56.57/32'
+ '20.94.100.174/32'
+ '20.102.166.33/32'
+ '20.31.193.160/32'
+ '20.232.77.7/32'
+ '20.102.38.122/32'
+ '20.102.39.57/32'
+ '20.85.108.33/32'
+ '40.88.240.168/32'
+ '20.69.187.19/32'
+ '20.246.192.124/32'
+ '20.4.161.108/32'
+ '20.22.22.84/32'
+ '20.1.250.47/32'
+ '20.237.33.78/32'
+ '20.242.179.206/32'
+ '40.88.239.133/32'
+ '20.121.247.125/32'
+ '20.106.107.180/32'
+ '20.22.118.40/32'
+ '20.15.240.48/32'
+ '20.84.218.150/32'
+ ]
 }
 }
 {
- name: 'AllowInternetOutBoundGitHub'
+ name: 'AllowOutBoundGitHub'
 properties: {
 protocol: 'TCP'
 sourcePortRange: '*'
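Review bot: The `AllowOutBoundActions` rule now pins 65 individual /32 addresses in `destinationAddressPrefixes` in place of the `AzureCloud` service tag, and the next hunk adds a further 58 /32 entries to `AllowOutBoundGitHub`, yet nothing in the template or the surrounding text tells administrators how they will learn when these addresses change. With `DenyInternetOutBoundOverwrite` at priority 400 still denying everything else, a stale list fails closed, so the first symptom will be an outage rather than an exposure, but readers still need a maintenance hint. A sentence before the template, or a comment at the top of the `securityRules` array such as `// Address lists below are maintained in this documentation; re-check the NSG against it when the page changes`, pointing to wherever the canonical list is published, would make the rule maintainable. The enclosing `securityRules` array starts before this hunk and closes in a later one.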
@@ -116,17 +134,104 @@ You will use a script to automate configuring your Azure resources.
 '143.55.64.0/20'
 '185.199.108.0/22'
 '192.30.252.0/22'
+ '20.175.192.146/32'
+ '20.175.192.147/32'
+ '20.175.192.149/32'
+ '20.175.192.150/32'
+ '20.199.39.227/32'
+ '20.199.39.228/32'
+ '20.199.39.231/32'
+ '20.199.39.232/32'
+ '20.200.245.241/32'
+ '20.200.245.245/32'
+ '20.200.245.246/32'
+ '20.200.245.247/32'
+ '20.200.245.248/32'
+ '20.201.28.144/32'
+ '20.201.28.148/32'
+ '20.201.28.149/32'
+ '20.201.28.151/32'
+ '20.201.28.152/32'
+ '20.205.243.160/32'
+ '20.205.243.164/32'
+ '20.205.243.165/32'
+ '20.205.243.166/32'
+ '20.205.243.168/32'
+ '20.207.73.82/32'
+ '20.207.73.83/32'
+ '20.207.73.85/32'
+ '20.207.73.86/32'
+ '20.207.73.88/32'
+ '20.233.83.145/32'
+ '20.233.83.146/32'
+ '20.233.83.147/32'
+ '20.233.83.149/32'
+ '20.233.83.150/32'
+ '20.248.137.48/32'
+ '20.248.137.49/32'
+ '20.248.137.50/32'
+ '20.248.137.52/32'
+ '20.248.137.55/32'
+ '20.27.177.113/32'
+ '20.27.177.114/32'
+ '20.27.177.116/32'
+ '20.27.177.117/32'
+ '20.27.177.118/32'
+ '20.29.134.17/32'
+ '20.29.134.18/32'
+ '20.29.134.19/32'
+ '20.29.134.23/32'
+ '20.29.134.24/32'
+ '20.87.245.0/32'
+ '20.87.245.1/32'
+ '20.87.245.4/32'
+ '20.87.245.6/32'
+ '20.87.245.7/32'
+ '4.208.26.196/32'
+ '4.208.26.197/32'
+ '4.208.26.198/32'
+ '4.208.26.199/32'
+ '4.208.26.200/32'
 ]
 }
- }
+ }
+ {
+ name: 'AllowStorageOutbound'
+ properties: {
+ protocol: '*'
+ sourcePortRange: '*'
+ destinationPortRange: '*'
+ sourceAddressPrefix: '*'
+ destinationAddressPrefix: 'Storage'
+ access: 'Allow'
+ priority: 230
+ direction: 'Outbound'
+ destinationAddressPrefixes: []
+ }
+ }
+ {
+ name: 'DenyInternetOutBoundOverwrite'
+ properties: {
+ protocol: '*'
+ sourcePortRange: '*'
+ destinationPortRange: '*'
+ sourceAddressPrefix: '*'
+ destinationAddressPrefix: 'Internet'
+ access: 'Deny'
+ priority: 400
+ direction: 'Outbound'
+ }
+ }
 ]
 }
 }
 ```
-### 1. Obtain the `databaseId` for your enterprise
+### 1. 
Obtain the `databaseId` for your{% ifversion ghec %} enterprise{% else %} organization{% endif %}
+
+You can use the following GraphQL query to retrieve your{% ifversion ghec %} enterprise{% else %} organization{% endif %} `databaseId`. You will use the{% ifversion ghec %} enterprise{% else %} organization{% endif %} `databaseId` for the value of the `DATABASE_ID` environment variable in the next step. For more information on working with GraphQL, see "[AUTOTITLE](/graphql/guides/forming-calls-with-graphql)."
-You can use the following GraphQL query to retrieve your enterprise `databaseId`. You will use the enterprise `databaseId` for the value of the `DATABASE_ID` environment variable in the next step. For more information on working with GraphQL, see "[AUTOTITLE](/graphql/guides/forming-calls-with-graphql)."
+{% ifversion ghec %}
 {% data reusables.enterprise_migrations.retrieve-enterprise-id-graphql %}
@@ -159,6 +264,43 @@ curl -H "Authorization: Bearer BEARER_TOKEN" -X POST \
 https://api.github.com/graphql
 ```
+{% else %}
+
+| Query variable | Description |
+|----|----|
+| `login` | The login for your organization account, which you can identify by looking at the URL for your organization, `https://github.com/organizations/ORGANIZATION_LOGIN`.
+
+```graphql
+query(
+ $login: String!
+){
+ organization (login: $login)
+ {
+ login
+ databaseId
+ }
+}
+'
+Variables
+{
+ "login": "ORGANIZATION_LOGIN"
+}
+```
+
+Alternatively, you can use the following curl command to find your `databaseId`.
+
+```shell copy
+curl -H "Authorization: Bearer BEARER_TOKEN" -X POST \
+ -d '{ "query": "query($login: String!) { organization (login: $login) { login databaseId } }" ,
+ "variables": {
+ "login": "ORGANIZATION_LOGIN"
+ }
+ }' \
+https://api.github.com/graphql
+```
+
+{% endif %}
+
 ### 2. Use a script to configure your Azure resources
 Use the following script to set up a subnet for Azure private networking. The script creates all resources in the same resource group.
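Review bot: The new `AllowStorageOutbound` rule (priority 230) allows every protocol and port (`protocol: '*'`, `destinationPortRange: '*'`) to the `Storage` service tag, which denotes the Azure Storage service as a whole rather than any specific account, and neither the template nor the surrounding text says what traffic needs it. The two allow rules above it are scoped to TCP/443, so the template should state why this one is broader, or narrow it to `protocol: 'TCP'` and `destinationPortRange: '443'` if storage is only reached over HTTPS, which needs confirming with the service owners before changing. The relocated `DenyInternetOutBoundOverwrite` keeps priority 400, so moving it to the end of the list does not alter NSG evaluation. The `securityRules` array starts before this hunk, and the hunk itself runs on into the `### 1.` heading and its GraphQL text.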
@@ -236,7 +378,7 @@ echo Delegate subnet to GitHub.Network/networkSettings and apply NSG rules
 echo
 echo Create network settings resource $NETWORK_SETTINGS_RESOURCE_NAME
-. az resource create --resource-group $RESOURCE_GROUP_NAME --name $NETWORK_SETTINGS_RESOURCE_NAME --resource-type GitHub.Network/networkSettings --properties "{ \"location\": \"$AZURE_LOCATION\", \"properties\" : { \"subnetId\": \"/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME/providers/Microsoft.Network/virtualNetworks/$VNET_NAME/subnets/$SUBNET_NAME\", \"organizationId\": \"$DATABASE_ID\" }}" --is-full-object --output table --query "{GitHubId:tags.GitHubId, name:name}" --api-version 2023-11-01-preview
+. az resource create --resource-group $RESOURCE_GROUP_NAME --name $NETWORK_SETTINGS_RESOURCE_NAME --resource-type GitHub.Network/networkSettings --properties "{ \"location\": \"$AZURE_LOCATION\", \"properties\" : { \"subnetId\": \"/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME/providers/Microsoft.Network/virtualNetworks/$VNET_NAME/subnets/$SUBNET_NAME\", \"businessId\": \"$DATABASE_ID\" }}" --is-full-object --output table --query "{GitHubId:tags.GitHubId, name:name}" --api-version 2024-04-02
 echo
 echo To clean up and delete resources run the following command:
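Review bot: The `az resource create` line moves to `--api-version 2024-04-02` and renames the property to `businessId`, while the deletion steps removed at the end of this file called `az resource delete` with `--api-version '2023-11-01-preview'`; those steps appear to have moved into the new `azure-vnet-deleting-a-subnet` reusable, which is not in this view. If the delete command was carried over unchanged, readers will create the network settings resource with the GA API version and delete it with the preview one, so the reusable should be checked so both commands use `2024-04-02`. The enclosing shell script starts before this hunk.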
@@ -244,77 +386,3 @@ echo az group delete --resource-group $RESOURCE_GROUP_NAME
 ```
 The script will return the full payload for the created resource. The `GitHubId` hash value returned in the payload for the created resource is the network settings resource ID you will use in the next steps while configuring a network configuration in {% data variables.product.company_short %}.
-
-## Configuring a network configuration in {% data variables.product.company_short %}
-
-After configuring your Azure resources, you can use an Azure Virtual Network (VNET) for private networking by creating a network configuration for your enterprise. Then, you can associate that network configuration to runner groups. For more information about runner groups, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners)."
-
-Once the network configuration is associated with a runner group, all runners in that group will have access to the Azure VNET that has been connected to the underlying configuration.
-
-### Prerequisites
-
-{% data reusables.actions.network-configuration-for-github-hosted-runners-warning %}
-
-### 1. Add a new network configuration
-
-{% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.enterprise-accounts.settings-tab %}
-1. In the left sidebar, click **Hosted compute networking**.
-1. Click the **New network configuration** dropdown. Then click **Azure private network**.
-1. Name your network configuration.
-1. Click **Add Azure Virtual Network**.
-1. In the popup window, enter the network settings resource ID you retrieved when you configured your Azure resources for private networking.
-1. Click **Add Azure Virtual Network**.
-
-### 2. Create a runner group
-
-{% note %}
-
-**Note:** For the runner group to be accessible by repositories within your enterprise-owned organizations, those repositories must have access to that runner group at the organization level. 
For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/controlling-access-to-larger-runners#changing-which-repositories-can-access-a-runner-group)."
-
-{% endnote %}
-
-1. Create a new runner group for your enterprise. For more information about how to create a runner group, see "[AUTOTITLE](/enterprise-cloud@latest/actions/using-github-hosted-runners/controlling-access-to-larger-runners#creating-a-runner-group-for-an-enterprise)."
-{% data reusables.actions.workflows.runner-groups-enterprise-organization-access %}
-1. While configuring your runner group, under "Network configurations," use the dropdown menu to select the network configuration you created for the Azure VNET.
-1. To create the group and apply the policy, click **Create group**.
-
-### 3. Add the {% data variables.product.company_short %}-hosted runner to the runner group
-
-{% note %}
-
-**Note:** When adding your {% data variables.product.company_short %}-hosted runner to a runner group, select the runner group you created in the previous procedures.
-
-{% endnote %}
-
-1. Add the {% data variables.product.company_short %}-hosted runner to the runner group. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/actions/using-github-hosted-runners/managing-larger-runners#adding-a-larger-runner-to-an-enterprise)."
-
-### 4. Optionally, manage network configurations
-
-{% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.enterprise-accounts.settings-tab %}
-1. In the left sidebar, click **Hosted compute networking**.
-1. To edit a network configuration, to the right of the network configuration, click {% octicon "pencil" aria-label="Edit a network configuration" %}. Then click **Edit configuration**.
-1. To disable a network configuration, to the right of the network configuration, click {% octicon "kebab-horizontal" aria-label="Menu" %}. Then click **Disable**.
-1. 
To delete a network configuration, to the right of the network configuration, click {% octicon "kebab-horizontal" aria-label="Menu" %}. Then click **Delete**.
-
-## Deleting a subnet
-
-When you create the network settings resource, a service association link is applied to the subnet that you provide. This link prevents accidental deletion of the subnet while in use by the {% data variables.product.prodname_actions %} service.
-
-To delete the subnet, this service association link needs to be removed first. The service association link is safely removed automatically once the network settings resource is deleted.
-
-{% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.enterprise-accounts.settings-tab %}
-1. In the left sidebar, click **Hosted compute networking**.
-1. Open the network configuration that is using the subnet that you want to delete.
-1. Review the list of runner groups using the network configuration.
-1. In the top-right corner, click the "{% octicon "kebab-horizontal" aria-label="Menu" %}" button. Then click **Delete configuration**.
-1. To delete the network settings resource and remove the service association link, use your own inputs with following commands with the Azure CLI. For more information, see the [Azure Command-Line Interface (CLI)](https://learn.microsoft.com/en-us/cli/azure/) documentation.
-
- ```bash copy
- az account set --subscription $SUBSCRIPTION_ID
- az resource delete -g $RESOURCE_GROUP_NAME --name $NETWORK_SETTINGS_RESOURCE_NAME --resource-type 'GitHub.Network/networkSettings' --api-version '2023-11-01-preview'
- ```
-
-1. Delete the subnet in Azure. For more information, see [Delete a subnet](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-subnet?tabs=azure-portal#delete-a-subnet) on Microsoft Learn.
diff --git a/data/reusables/actions/azure-vnet-configuring-overview.md b/data/reusables/actions/azure-vnet-configuring-overview.md
new file mode 100644
index 000000000000..e727f253be1c
--- /dev/null
+++ b/data/reusables/actions/azure-vnet-configuring-overview.md
@@ -0,0 +1,5 @@
+To use {% data variables.product.company_short %}-hosted runners with Azure VNET, first, configure your Azure resources. Then create a private network configuration in {% data variables.product.company_short %}.
+
+The following procedures will lead you through both steps.
+
+For more information about troubleshooting common issues with using {% data variables.product.company_short %}-hosted runners with Azure VNET, see{% ifversion ghec %} "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/troubleshooting-azure-private-network-configurations-for-github-hosted-runners-in-your-enterprise)."{% else %}"[AUTOTITLE](/organizations/managing-organization-settings/troubleshooting-azure-private-network-configurations-for-github-hosted-runners-in-your-organization)."{% endif %}
diff --git a/data/reusables/actions/azure-vnet-creating-network-configuration-procedures.md b/data/reusables/actions/azure-vnet-creating-network-configuration-procedures.md
new file mode 100644
index 000000000000..37632e219208
--- /dev/null
+++ b/data/reusables/actions/azure-vnet-creating-network-configuration-procedures.md
@@ -0,0 +1,60 @@
+After configuring your Azure resources, you can use an Azure Virtual Network (VNET) for private networking by creating a network configuration{% ifversion ghec%} at the enterprise level{% else %} at the organization level{% endif %}. Then, you can associate that network configuration to runner groups. For more information about runner groups, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners)."
+
+Once the network configuration is associated with a runner group, all runners in that group will have access to the Azure VNET that has been connected to the underlying configuration.
+
+### Prerequisites
+
+Ensure your Azure resources have been configured _before_ adding a network configuration in {% data variables.product.company_short %}. For more information, see {% ifversion ghec %}"[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners#configuring-your-azure-resources)."{% else %}For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization#configuring-your-azure-resources)."{% endif %}
+
+### 1. Add a new network configuration for your{% ifversion ghec %} enterprise{% else %} organization{% endif %}
+
+{% ifversion ghec %}
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{%- else %}
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{%- endif %}
+1. In the left sidebar, click **Hosted compute networking**.
+1. Click the **New network configuration** dropdown. Then click **Azure private network**.
+1. Name your network configuration.
+1. Click **Add Azure Virtual Network**.
+1. 
In the popup window, enter the network settings resource ID you retrieved when you configured your Azure resources for private networking.
+1. Click **Add Azure Virtual Network**.
+
+### 2. Create a runner group for your{% ifversion ghec %} enterprise{% else %} organization{% endif %}
+
+{% note %}
+
+**Note:** For the runner group to be accessible by repositories within your organizations, those repositories must have access to that runner group at the organization level. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/controlling-access-to-larger-runners#changing-which-repositories-can-access-a-runner-group)."
+
+{% endnote %}
+
+1. Create a new runner group for your{% ifversion ghec %} enterprise. For more information about how to create a runner group, see "[AUTOTITLE](/actions/using-github-hosted-runners/controlling-access-to-larger-runners#creating-a-runner-group-for-an-enterprise)."{% else %} organization. For more information about how to create a runner group, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners#creating-a-runner-group-for-an-organization)."{% endif %}
+{% data reusables.actions.workflows.runner-groups-enterprise-organization-access %}
+1. While configuring your runner group, under "Network configurations," use the dropdown menu to select the network configuration you created for the Azure VNET.
+1. To create the group and apply the policy, click **Create group**.
+
+### 3. Add the {% data variables.product.company_short %}-hosted runner to the{% ifversion ghec %} enterprise{% else %} organization{% endif %} runner group
+
+{% note %}
+
+**Note:** When adding your {% data variables.product.company_short %}-hosted runner to a runner group, select the runner group you created in the previous procedures.
+
+{% endnote %}
+
+1. Add the {% data variables.product.company_short %}-hosted runner to the runner group. 
For more information, see "[AUTOTITLE](/enterprise-cloud@latest/actions/using-github-hosted-runners/managing-larger-runners#adding-a-larger-runner-to-an-enterprise)."
+
+### 4. Optionally, manage network configurations
+
+{% ifversion ghec %}
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{%- else %}
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{%- endif %}
+1. In the left sidebar, click **Hosted compute networking**.
+1. To edit a network configuration, to the right of the network configuration, click {% octicon "pencil" aria-label="Edit a network configuration" %}. Then click **Edit configuration**.
+1. To disable a network configuration, to the right of the network configuration, click {% octicon "kebab-horizontal" aria-label="Menu" %}. Then click **Disable**.
+1. To delete a network configuration, to the right of the network configuration, click {% octicon "kebab-horizontal" aria-label="Menu" %}. Then click **Delete**.
diff --git a/data/reusables/actions/azure-vnet-deleting-a-subnet.md b/data/reusables/actions/azure-vnet-deleting-a-subnet.md
new file mode 100644
index 000000000000..936b6e49fb82
--- /dev/null
+++ b/data/reusables/actions/azure-vnet-deleting-a-subnet.md
@@ -0,0 +1,25 @@
+When you create the network settings resource, a service association link is applied to the subnet that you provide. This link prevents accidental deletion of the subnet while in use by the {% data variables.product.prodname_actions %} service.
+
+To delete the subnet, this service association link needs to be removed first. The service association link is safely removed automatically once the network settings resource is deleted.
+
+To delete the network settings resource, the network configuration that uses it needs to be deleted first.
+
+{% ifversion ghec %}
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{%- else %}
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{%- endif %}
+1. In the left sidebar, click **Hosted compute networking**.
+1. Open the network configuration that is using the subnet that you want to delete.
+1. Review the list of runner groups using the network configuration.
+1. In the top-right corner, click the "{% octicon "kebab-horizontal" aria-label="Menu" %}" button. Then click **Delete configuration**.
+1. To delete the network settings resource and remove the service association link, use your own inputs with following commands with the Azure CLI. For more information, see the [Azure Command-Line Interface (CLI)](https://learn.microsoft.com/en-us/cli/azure/) documentation.
+
+ ```bash copy
+ az account set --subscription $SUBSCRIPTION_ID
+ az resource delete -g $RESOURCE_GROUP_NAME --name $NETWORK_SETTINGS_RESOURCE_NAME --resource-type 'GitHub.Network/networkSettings' --api-version '2023-11-01-preview'
+ ```
+
+1. Delete the subnet in Azure. For more information, see [Delete a subnet](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-subnet?tabs=azure-portal#delete-a-subnet) on Microsoft Learn.
diff --git a/data/reusables/actions/azure-vnet-hosted-compute-troubleshooting.md b/data/reusables/actions/azure-vnet-hosted-compute-troubleshooting.md
new file mode 100644
index 000000000000..96a79aa7dbe6
--- /dev/null
+++ b/data/reusables/actions/azure-vnet-hosted-compute-troubleshooting.md
@@ -0,0 +1,81 @@
+### Configuring Azure resources before creating a network configuration in {% data variables.product.company_short %}
+
+Ensure your Azure resources have been configured _before_ adding a network configuration in {% data variables.product.company_short %}.
+
+### Supported regions
+
+{% data reusables.actions.azure-vnet-supported-regions %}
+
+### Runner failed to connect to the internet
+
+{% data variables.product.company_short %}-hosted runners need to be able to make outbound connections to {% data variables.product.prodname_dotcom_the_website %} as well as other necessary URLs for {% data variables.product.prodname_actions %}.
+
+If {% data variables.product.prodname_actions %} cannot communicate with the runners, the pool will never be able to bring runners online and so no jobs will be picked up. In this case, the pool will have the following error code.
+
+```bash
+VNetInjectionFailedToConnectToInternet
+```
+
+To fix this, ensure that you have configured your Azure resources according to the "Configuring your Azure resources" procedures.{% ifversion ghec %} For more information, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise#configuring-your-azure-resources)."{% else %} For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization#configuring-your-azure-resources)."{% endif %}
+
+### Deployment scope is locked
+
+You can put locks on the Azure subscription or resource group, which can prevent NIC creation or deletion.
+
+Locks that prevent NIC creation fail to pick up jobs, while locks that prevent NIC deletion either exhaust subnet address space (by continuing to create NICs) or have long queue-to-assign (QTA) times as the service retries deployment exceptions.
+
+In this case, the pool will have the following error code.
+
+```bash
+RunnerDeploymentScopeLocked
+```
+
+To fix this, remove the lock or change the subnet you are using to one without a lock.
+
+### Deployment blocked by policy
+
+You can create policies on their management group, subscription, resource group, or individual resources. The most common policy is requiring a resource to have certain tags or to have a specific name.
+
+The policy will prevent creation of NICs, which means the pool will not pick up jobs since no VMs can come online.
+
+In this case, the pool will have the following error code.
+
+```bash
+RunnerDeploymentBlockedByPolicy
+```
+
+To fix this, remove the policy or change the subnet you are using to one without a policy.
+
+### Subnet is full
+
+Subnets have a limited amount of IP addresses to distribute. Each runner consumes one IP address. If the service attempts to scale up beyond the maximum runner count setting, it will encounter deployment errors.
+
+This impacts the ability of the pool to add additional runners. If the queue depth is high enough, you may experience increased queue-to-assign (QTA) times. Jobs will still be processed, but not at a level of concurrency that you may expect.
+
+In this case, the pool will have the following error code.
+
+```bash
+VNetInjectionSubnetIsFull
+```
+
+To fix this, either increase the size of the subnet you are using or reduce the pool's maximum runner count to match your subnet size.
+
+### Incorrect NSG or firewall rules
+
+The "Configuring your Azure resources" procedures list the required openings. However, you may have complex production networks with multiple downstream proxies or firewalls.
+
+If runners are failing to come online, no jobs will be picked up. 
Your setup process may involve setting up the runner application and communicating back to the {% data variables.product.prodname_actions %} service to indicate it is ready, as well as fetching and installing anti-abuse tooling. If either of these processes fail, the runner cannot pick up any jobs.
+
+If you are experiencing these issues, try setting up a virtual machine on the same subnet that you are using for private networking with {% data variables.product.company_short %}-hosted runners. However, if you have a service association link (SAL) in place, this is not possible.
+
+If you have a SAL in place, try setting up a similar subnet in the virtual network and place a virtual machine on that network. Then attempt to register a self-hosted runner on it.
+
+### HTTP request payload failure when configuring Azure resources
+
+While running the command to configure Azure resources, ensure you are using the correct API version and the `businessId` property. If you are using a different property, your command may return the following error.
+
+```bash
+(HttpRequestPayloadAPISpecValidationFailed) HTTP request payload failed validation against API specification with one or more errors. Please see details for more information.
+```
+
+If you experience this error, you can see more information by running the command using the `---debug` flag.
diff --git a/data/reusables/actions/azure-vnet-injected-runners-intro.md b/data/reusables/actions/azure-vnet-injected-runners-intro.md
deleted file mode 100644
index 3f89f569e425..000000000000
--- a/data/reusables/actions/azure-vnet-injected-runners-intro.md
+++ /dev/null
@@ -1,3 +0,0 @@
-If you are using Azure and {% data variables.product.prodname_ghe_cloud %}, you can use {% data variables.product.company_short %}-hosted runners in your Azure VNET(s) using the Azure private network configuration. For more information about Azure VNET, see [What is Azure Virtual Network?](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview) in the Azure documentation.
-
-Using {% data variables.product.company_short %}-hosted runners in an Azure VNET enables you to use {% data variables.product.company_short %}-managed infrastructure for CI/CD while providing you with full control over the networking policies of your runners.
diff --git a/data/reusables/actions/azure-vnet-intro-capabilities.md b/data/reusables/actions/azure-vnet-intro-capabilities.md
new file mode 100644
index 000000000000..28fb0705d09c
--- /dev/null
+++ b/data/reusables/actions/azure-vnet-intro-capabilities.md
@@ -0,0 +1,6 @@
+You can connect multiple VNET subnets to {% data variables.location.product_location %} and manage private resource access for your runners via runner groups. For more information about runner groups, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners)."
+
+Using {% data variables.product.company_short %}-hosted runners within Azure VNET allows you to perform the following actions.
+- Privately connect a runner to resources inside an Azure VNET without opening internet ports, including on-premises resources accessible from the Azure VNET.
+- Restrict what {% data variables.product.company_short %}-hosted runners can access or connect to with full control over outbound network policies.
+- Monitor network logs for {% data variables.product.company_short %}-hosted runners and view all connectivity to and from a runner.
diff --git a/data/reusables/actions/azure-vnet-network-communication.md b/data/reusables/actions/azure-vnet-network-communication.md
new file mode 100644
index 000000000000..bb6e1547808b
--- /dev/null
+++ b/data/reusables/actions/azure-vnet-network-communication.md
@@ -0,0 +1,16 @@
+To facilitate communication between {% data variables.product.company_short %} networks and your VNET, a {% data variables.product.company_short %}-hosted runner's network interface card (NIC) deploys into your Azure VNET.
+
+Because the NIC lives within your VNET, {% data variables.product.company_short %} cannot block inbound connections. By default, Azure virtual machines will accept inbound connections from the same VNET. For more information, see [`AllowVNetInBound`](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#allowvnetinbound) on Microsoft Learn. It is recommended to explicitly block all inbound connections to the runners. {% data variables.product.company_short %} will never require inbound connections to these machines.
+
+A NIC enables an Azure virtual machine (VM) to communicate with internet, Azure, and on-premises resources. This way, all communication is kept private within the network boundaries, and networking policies applied to the VNET also apply to the runner. For more information on how to manage a network interface, see [Change network interface settings](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=azure-portal#change-network-interface-settings) on Microsoft Learn.
+
+>[!NOTE] {% data reusables.actions.azure-vnet-over-provisioning-resources %}
+
+![Diagram of the network communication architecture between GitHub networks and your private networks. The diagram describes each step in connecting GitHub-hosted runners to an Azure VNET. Each step is numbered and the numbers correspond to the numbered descriptions of the step listed below the diagram.](/assets/images/help/actions/actions-vnet-injected-larger-runners-architecture.png)
+
+1. A {% data variables.product.prodname_actions %} workflow is triggered.
+1. The {% data variables.product.prodname_actions %} service creates a runner.
+1. 
The runner service deploys the {% data variables.product.company_short %}-hosted runner's network interface card (NIC) into your Azure VNET.
+1. The runner agent picks up the workflow job. The {% data variables.product.prodname_actions %} service queues the job.
+1. The runner sends logs back to the {% data variables.product.prodname_actions %} service.
+1. The NIC accesses on-premise resources.
diff --git a/data/reusables/actions/azure-vnet-network-configuration-intro.md b/data/reusables/actions/azure-vnet-network-configuration-intro.md
new file mode 100644
index 000000000000..c8c505eabe7f
--- /dev/null
+++ b/data/reusables/actions/azure-vnet-network-configuration-intro.md
@@ -0,0 +1,3 @@
+{% ifversion ghec %}You {% else %}Organizations using the {% data variables.product.prodname_team %} plan {% endif %}can use {% data variables.product.company_short %}-hosted runners in Azure VNET(s) by creating a network configuration{% ifversion ghec %} for your enterprise.{% else %} for your organization.{% endif %} For more information about Azure VNET, see [What is Azure Virtual Network?](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview) in the Azure documentation.
+
+Using {% data variables.product.company_short %}-hosted runners in an Azure VNET enables you to use {% data variables.product.company_short %}-managed infrastructure for CI/CD while providing you with full control over the networking policies of your runners.
diff --git a/data/reusables/actions/azure-vnet-networking-policies.md b/data/reusables/actions/azure-vnet-networking-policies.md
new file mode 100644
index 000000000000..c765f5e536ca
--- /dev/null
+++ b/data/reusables/actions/azure-vnet-networking-policies.md
@@ -0,0 +1,5 @@
+Because the {% data variables.product.company_short %}-hosted runner's NIC is deployed into your Azure VNET, networking policies applied to the VNET also apply to the runner.
+
+For example, if your VNET is configured with an Azure ExpressRoute to provide access to on-premises resources (e.g. Artifactory) or connected to a VPN tunnel to provide access to other cloud-based resources, those access policies also apply to your runners. Additionally, any outbound rules applied to your VNET's network security group (NSG) also apply, giving you the ability to control outbound access for your runners.
+
+If you have enabled any network logs monitoring for your VNET, you can also monitor network traffic for your runners.
diff --git a/data/reusables/actions/azure-vnet-next-steps-links.md b/data/reusables/actions/azure-vnet-next-steps-links.md
new file mode 100644
index 000000000000..070f088c1392
--- /dev/null
+++ b/data/reusables/actions/azure-vnet-next-steps-links.md
@@ -0,0 +1 @@
+To use {% data variables.product.company_short %}-hosted runners with an Azure VNET, you will need to configure your Azure resources and then create a networking configuration in {% data variables.product.company_short %}. For detailed procedures, see{% ifversion ghec %} "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise)."{% else %} "[AUTOTITLE](/organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization)."{% endif %}
diff --git a/data/reusables/actions/azure-vnet-over-provisioning-resources.md b/data/reusables/actions/azure-vnet-over-provisioning-resources.md
new file mode 100644
index 000000000000..1babdb901aa4
--- /dev/null
+++ b/data/reusables/actions/azure-vnet-over-provisioning-resources.md
@@ -0,0 +1 @@
+Multiple NICs may appear for a single job in your subscription because the {% data variables.product.prodname_actions %} service over-provisions resources to run jobs. Once a runner is idle, the {% data variables.product.prodname_actions %} service automatically de-provisions the resource and removes the corresponding NIC.
diff --git a/data/reusables/actions/azure-vnet-supported-regions.md b/data/reusables/actions/azure-vnet-supported-regions.md
new file mode 100644
index 000000000000..32dbb7d67fed
--- /dev/null
+++ b/data/reusables/actions/azure-vnet-supported-regions.md
@@ -0,0 +1,23 @@
+The {% data variables.product.prodname_actions %} service supports a subset of all the regions that Azure provides. To facilitate communication between the {% data variables.product.prodname_actions %} service and your subnet, your subnet must be in one of the following supported regions.
+
+- `EastUs`
+- `EastUs2`
+- `WestUs2`
+- `AustraliaEast`
+- `CentralUs`
+- `FranceCentral`
+- `NorthEurope`
+- `NorwayEast`
+- `SoutheastAsia`
+- `SwitzerlandNorth`
+- `UkSouth`
+- `WestEurope`
+
+Azure private networking supports GPU runners in the following regions.
+
+- `EastUs`
+- `WestUs`
+- `NorthCentralUs`
+- `SouthCentralUs`
+
+You may also use global virtual network peering to connect virtual networks across Azure regions. For more information, see [Virtual network peering](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview) in the Azure documentation.
diff --git a/data/reusables/actions/network-configuration-for-github-hosted-runners-warning.md b/data/reusables/actions/network-configuration-for-github-hosted-runners-warning.md
deleted file mode 100644
index ba5b64522885..000000000000
--- a/data/reusables/actions/network-configuration-for-github-hosted-runners-warning.md
+++ /dev/null
@@ -1 +0,0 @@
-Ensure your Azure resources have been configured before adding a network configuration in {% data variables.product.company_short %}. For more information, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners#configuring-your-azure-resources)."
diff --git a/data/reusables/actions/private-networking-actions-azure-vnet-beta-note.md b/data/reusables/actions/private-networking-actions-azure-vnet-beta-note.md
deleted file mode 100644
index 9e6a7b45c99f..000000000000
--- a/data/reusables/actions/private-networking-actions-azure-vnet-beta-note.md
+++ /dev/null
@@ -1,10 +0,0 @@
-{% note %}
-
-**Notes:**
-
-- Using {% data variables.product.company_short %}-hosted runners with an Azure VNET is in beta and subject to change.
-- Only 4-64 CPU Ubuntu and Windows runners are supported with Azure VNET. For more information on these runner types, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners#about-ubuntu-and-windows-larger-runners)."
-- Supported regions include `East US`, `East US 2`, and `West US 2`. To request support for a region that is not in this list, fill out the [region request form](https://github.co/vnet-region-form).
-- {% data reusables.actions.static-ip-limitation-vnet %} You must use dynamic IP addresses, which is the default configuration for larger runners. For more information about networking for larger runners, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners#networking-for-larger-runners)."
-
-{% endnote %}