Static IPs

RunsOn now supports private networking on AWS, enabling the use of static IPs for egress traffic originating from GitHub Actions runners. This feature is crucial for organizations that require strict network controls or need to whitelist IP addresses for accessing external resources.

How it Works

RunsOn leverages AWS VPC (Virtual Private Cloud) to provide private networking capabilities. Within this VPC, your GitHub Action runners operate in a secure and isolated environment. The use of static IPs is facilitated through the deployment of NAT Gateways.

NAT Gateways and Static IPs

A NAT (Network Address Translation) Gateway in AWS serves as a bridge between instances within a private subnet and the internet or other AWS services. It allows instances in the private subnet to initiate outbound traffic to the internet or other AWS services while preventing unsolicited inbound traffic.

When you enable private networking for your GitHub Actions runners in RunsOn, a NAT Gateway is automatically provisioned in your VPC for each availability zone. Each gateway is assigned an Elastic IP (EIP), a static IP address provided by AWS. This EIP becomes the source IP for all outbound traffic from the runners behind that gateway, so your egress traffic comes from consistent, whitelistable addresses: one per availability zone.
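Because there is one gateway and one EIP per availability zone, an allowlist on the receiving side has to cover every one of them and should not keep addresses of gateways that no longer exist. The following check is an added example, not part of RunsOn: it takes data in the shape of `aws ec2 describe-nat-gateways` JSON output and compares it with an allowlist. The VPC ID, gateway IDs and addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-nat-gateways` output.
# IDs are placeholders; addresses come from documentation ranges.
SAMPLE = {"NatGateways": [
    {"NatGatewayId": "nat-a", "VpcId": "vpc-example", "State": "available",
     "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}]},
    {"NatGatewayId": "nat-b", "VpcId": "vpc-example", "State": "available",
     "NatGatewayAddresses": [{"PublicIp": "203.0.113.20"}]},
    {"NatGatewayId": "nat-old", "VpcId": "vpc-example", "State": "deleted",
     "NatGatewayAddresses": [{"PublicIp": "198.51.100.7"}]},
]}


def nat_egress_ips(response, vpc_id):
    """Public IPs of NAT gateways in vpc_id that are currently usable."""
    ips = set()
    for gw in response.get("NatGateways", []):
        if gw.get("VpcId") != vpc_id or gw.get("State") != "available":
            continue
        for addr in gw.get("NatGatewayAddresses", []):
            if addr.get("PublicIp"):
                ips.add(ipaddress.ip_address(addr["PublicIp"]))
    return ips


def audit_allowlist(egress_ips, allowlist_cidrs):
    """Compare the gateways' egress IPs with an allowlist of CIDR strings."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowlist_cidrs]
    return {
        # Egress IPs no entry covers: jobs in that zone will be rejected.
        "missing": sorted(str(ip) for ip in egress_ips
                          if not any(ip in n for n in nets)),
        # Entries matching no live gateway: the address may no longer be yours.
        "stale": sorted(str(n) for n in nets
                        if not any(ip in n for ip in egress_ips)),
        # Entries wider than one address admit hosts other than the gateway.
        "broad": sorted(str(n) for n in nets if n.num_addresses > 1),
    }


if __name__ == "__main__":
    live = nat_egress_ips(SAMPLE, "vpc-example")
    print(audit_allowlist(live, ["203.0.113.10/32", "198.51.100.7/32"]))
```

Running the audit after any switch between Public and Private mode catches allowlist entries left over from a previous set of gateways.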

Configuration

To take advantage of private networking and static IPs in RunsOn, you need to enable this feature during the setup process, or reconfigure your stack to enable it. RunsOn handles the provisioning and configuration of the necessary AWS resources, including the assignment of the Elastic IPs to the NAT Gateways.

You can easily switch between Public and Private mode by changing the `Private` CloudFormation parameter to true (Private) or false (Public). By default, RunsOn creates the Stack in Public mode, because NAT gateways incur a significant cost.

Cost

NAT gateways cost about $60/month each, plus processing costs for each GB transferred. So make sure to only enable them if you need them. In Public mode, you can restrict inbound traffic to a specific CIDR range, which is sufficient in a lot of cases.

Benefits

  • Security: By operating within a private subnet, your runners are shielded from direct access from the internet, reducing the attack surface.
  • Compliance: For organizations with strict compliance requirements, using static IPs for egress traffic allows for precise control over network traffic and easier auditability.
  • Reliability: Static IPs ensure that your egress traffic is not subject to IP address changes, which can disrupt integrations with external services that require IP whitelisting.

By integrating private networking and static IP capabilities, RunsOn provides a more secure, compliant, and reliable environment for running GitHub Actions, giving you peace of mind and greater control over your CI/CD workflows.