Networking
Networking is key to setting up Private Runner Groups on the StackGuardian platform. This document covers the essential networking requirements and endpoints needed for your runners to operate securely and efficiently.
Networking with SG Runner Groups
The following table lists the domains required for communication between StackGuardian and private runner instances. Ensure that traffic is allowed and DNS resolution works for each endpoint.
- Replace <aws_region> with the specific AWS regions where your StackGuardian deployment is hosted.
- For EU deployments: use eu-central-1 (primary) and eu-west-1 (backup). Example: *.dkr.ecr.eu-central-1.amazonaws.com and *.dkr.ecr.eu-west-1.amazonaws.com
- For US deployments: use us-east-2 (primary) and us-west-2 (backup). Example: *.dkr.ecr.us-east-2.amazonaws.com and *.dkr.ecr.us-west-2.amazonaws.com
- These endpoints host workflow runtimes in the form of Docker images, along with other essential services.
- Contact your StackGuardian representative if you're unsure which regions to configure.
Required Domains
| Domain | Purpose |
|---|---|
| *.stackguardian.io | Necessary for the registration and de-registration process of private runners. |
| *.github.com | Required during registration for downloading the runner installation script. |
| *.docker.io | Used during the registration process for private runners. |
| *.amazonaws.com | Essential for registration and workflow executions. |
| *.dkr.ecr.<aws_region>.amazonaws.com | Hosts SG Terraform Docker images used in workflow steps. |
| ec2messages.<aws_region>.amazonaws.com | Required for SSM and ECS Anywhere to connect private runners to the ECS cluster (SG control plane). |
| *.s3.<aws_region>.amazonaws.com | Required to fetch AWS runtime parameters for workflows. |
| ecs.<aws_region>.amazonaws.com | Essential for connecting private runners to ECS services. |
| ecs-*.<aws_region>.amazonaws.com | Essential for ECS service connections. |
| api.ecr.<aws_region>.amazonaws.com | Access to Docker images hosted in ECR. |
| *.elb.<aws_region>.amazonaws.com | Load balancer for AWS Elastic Container Service. |
| ssm.<aws_region>.amazonaws.com | Required for AWS Systems Manager operations. |
| *.raw.githubusercontent.com | Required for downloading raw scripts or dependencies hosted on GitHub. |
The following domains are required only if provisioning private runners on Ubuntu OS. These are needed for the ECS Anywhere setup script to fetch packages and security updates.
| Domain | Purpose |
|---|---|
| <aws_region>.ec2.archive.ubuntu.com | Fetch system packages on Ubuntu OS during private runner provisioning. |
| security.ubuntu.com | Install security packages. |
Azure Blob Storage Endpoints
For setups utilizing Azure Blob Storage, ensure the following endpoints are accessible:
| Domain | Purpose |
|---|---|
| blob.storage.azure.net | Required for Azure Blob Storage as the storage backend. |
| <storage-account-name>.blob.core.windows.net | Specific Azure storage endpoints for multiple uses. |
| azcopyvnextrelease.blob.core.windows.net | For Azure storage data transfer operations. |
Outgoing Permissions for Terraform Workflows
Ensure the following endpoints are accessible for Terraform workflows:
| Domain | Purpose |
|---|---|
| releases.hashicorp.com | Used for downloading Terraform binaries during deployment processes. |
| *.github.com | Required for downloading the runner installation script during registration. |
| registry.terraform.io | Facilitates the retrieval of Terraform modules and providers. |
Configure your firewall to allow outbound access to all of the domains listed above, using wildcard entries (e.g., *.) where indicated, to prevent disruptions.
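To turn the tables above into a concrete allowlist for a given deployment, here is an added Python helper; it is example code, not StackGuardian's own tooling. It expands the <aws_region> placeholder for the EU or US primary/backup pair, merges in the optional Ubuntu and Azure sets, removes entries that appear in more than one table, and separates exact hostnames (which can be probed for DNS resolution and TCP-443 reachability from the runner host) from wildcard patterns (which cannot be resolved and must be expressed as firewall rules). The region pairs and domains are taken from this page; the function names, the command-line flags and the storage account value used in the usage note are assumptions of the example.

```python
"""Egress allowlist helper for StackGuardian private runners.

Added example, not StackGuardian tooling. Domain templates and region pairs
are copied from the networking tables on this page; function names and CLI
flags are the example's own. Usage: python3 egress_allowlist.py eu --ubuntu --probe
"""
import socket
import sys

# Primary and backup regions per deployment location, as listed on the page.
REGIONS = {
    "eu": ("eu-central-1", "eu-west-1"),
    "us": ("us-east-2", "us-west-2"),
}

# Domain templates from the page's tables. <aws_region> and
# <storage-account-name> are placeholders expanded by build_allowlist().
REQUIRED = [
    "*.stackguardian.io",
    "*.github.com",
    "*.docker.io",
    "*.amazonaws.com",
    "*.dkr.ecr.<aws_region>.amazonaws.com",
    "ec2messages.<aws_region>.amazonaws.com",
    "*.s3.<aws_region>.amazonaws.com",
    "ecs.<aws_region>.amazonaws.com",
    "ecs-*.<aws_region>.amazonaws.com",
    "api.ecr.<aws_region>.amazonaws.com",
    "*.elb.<aws_region>.amazonaws.com",
    "ssm.<aws_region>.amazonaws.com",
    "*.raw.githubusercontent.com",
]
TERRAFORM = ["releases.hashicorp.com", "*.github.com", "registry.terraform.io"]
UBUNTU_ONLY = ["<aws_region>.ec2.archive.ubuntu.com", "security.ubuntu.com"]
AZURE_ONLY = [
    "blob.storage.azure.net",
    "<storage-account-name>.blob.core.windows.net",
    "azcopyvnextrelease.blob.core.windows.net",
]


def expand_regions(templates, regions):
    """Replace <aws_region> with each region of the pair, keeping order and
    dropping duplicates (e.g. *.github.com is listed in two tables)."""
    seen, out = set(), []
    for tmpl in templates:
        variants = ([tmpl.replace("<aws_region>", r) for r in regions]
                    if "<aws_region>" in tmpl else [tmpl])
        for domain in variants:
            if domain not in seen:
                seen.add(domain)
                out.append(domain)
    return out


def build_allowlist(location, ubuntu=False, azure=False, storage_account=None):
    """Full egress allowlist for a deployment location ('eu' or 'us')."""
    templates = REQUIRED + TERRAFORM
    if ubuntu:
        templates = templates + UBUNTU_ONLY
    if azure:
        if not storage_account:
            raise ValueError("azure=True requires the storage account name")
        templates = templates + [t.replace("<storage-account-name>", storage_account)
                                 for t in AZURE_ONLY]
    return expand_regions(templates, REGIONS[location])


def split_probeable(domains):
    """Exact hostnames can be resolved and connected to; wildcard patterns
    cannot, and have to be expressed as firewall rules instead."""
    exact = [d for d in domains if "*" not in d]
    wildcard = [d for d in domains if "*" in d]
    return exact, wildcard


def probe(host, port=443, timeout=3.0):
    """Return (resolved, connected) for an HTTPS endpoint as seen from this host."""
    try:
        socket.getaddrinfo(host, port)
    except socket.gaierror:
        return False, False
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, True
    except OSError:
        return True, False


if __name__ == "__main__":
    args = sys.argv[1:]
    location = args[0] if args else "eu"
    domains = build_allowlist(location, ubuntu="--ubuntu" in args)
    exact, wildcard = split_probeable(domains)
    print("# wildcard patterns (firewall rules only, cannot be probed):")
    print("\n".join(wildcard))
    if "--probe" in args:
        for host in exact:
            resolved, connected = probe(host)
            print(f"{host}: dns={'ok' if resolved else 'FAIL'} "
                  f"tcp443={'ok' if connected else 'FAIL'}")
    else:
        print("# exact hosts (pass --probe to check DNS and TCP-443):")
        print("\n".join(exact))
```

Run from the runner host itself so the probe reflects the firewall path the runner will actually use. A `dns=FAIL` result points at DNS resolution being blocked or misconfigured, while `dns=ok tcp443=FAIL` points at egress filtering; wildcard entries such as *.dkr.ecr.eu-central-1.amazonaws.com are printed separately because only the firewall can enforce a pattern, so they need to be checked in its rule set rather than by resolution.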