Private networking for GitHub-hosted runners #120785
-
Select Topic AreaQuestion BodyWe are looking at containerizing a set of node.js API's (uses loopback.io) that were developed sitting on a VM. I wanted to automate deployment to a container registry first, and it has to be private per our security guidelines. I was going to use a self-hosted runner, but then saw the article Configuring private networking for GitHub-hosted runners in your organization. Having just migrated our GitHub account from a personal pro plan to an organization team plan, I thought wow, this looks promising. I followed the instructions, mostly - I already had a resource group and a VLAN set up with a container registry, so the only real thing I changed was I didn't create a VNET and update the subnet info, I just created the subnet. So this subnet is in the same VLAN as the registry (in a different subnet). But I created the service principal, set the rbac role, etc., got the networking config in GitHub set up, created the runner group. Happy happy! Except it won't connect. I put a step in to log what runner group the workflow used, and it was the one I just created. On the docker/login-action@v3 action, I get this in the log:
I went in with the Cloud CLI and used docker commands to login and connect to the container registry with the clientId and secret of the service principal, same as what is in the repo secrets that the workflow references. I'm not trying to access anything on our on-premise network, so I didn't think I needed to deal with ExpressRoute or VPN Gateway or anything. But what's the trick here? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 3 replies
This comment was marked as spam.
This comment was marked as spam.
-
I fixed the problem. This all works without public access, with a private IP defined for the VM. It turned out that the documentation did not include enough in the bicep contents to set up the NSG. In order for azure/login to work (and docker/action-login), I had to add the following to the bicep contents:
FWIW, because I was also building services in containers with node.js, I had to add this so I could reach out to registry-1.docker.io, production.cloudflare.docker.com, and registry.npmjs.org:
|
Beta Was this translation helpful? Give feedback.
I fixed the problem. This all works without public access, with a private IP defined for the VM. It turned out that the documentation did not include enough in the bicep contents to set up the NSG. In order for azure/login to work (and docker/action-login), I had to add the following to the bicep contents: