Skip to content

Governance and Egress

Use the egress gateway when a runtime should only reach approved external hosts. Every runtime connection goes through the gateway; the per-runtime policy decides which destination hosts are allowed or denied.

Each runtime has two egress settings:

mode -> denylist or allowlist
host lists -> hostnames matched by the selected mode

denylist with an empty denied-host list is the default and allows all hosts. Use allowlist when a runtime should reach only named hosts.

Allowed hosts are hostnames, not URLs. Use pypi.org, api.openai.com, or *.pythonhosted.org; do not include https://, paths, ports, or query strings. Wildcard entries only match subdomains, so *.example.com matches api.example.com but not example.com.

Create a runtime for the demo:

Terminal window
runta run --name demo --cpus 2 --memory 2048

Configure an allowlist:

Terminal window
runta egress set demo \
--mode allowlist \
--allow pypi.org "*.pythonhosted.org" api.openai.com

Verify the policy:

Terminal window
runta egress describe demo

Try an allowed request from inside the runtime:

Terminal window
runta exec demo -- sh -lc 'curl -fsSI https://pypi.org/simple/ | head -n 1'

Try a host that is not on the allowlist; it should be blocked:

Terminal window
runta exec demo -- sh -lc 'curl -fsSI --max-time 10 https://example.com || true'