Governance and Egress
Use the egress gateway when a runtime should only reach approved external hosts. Every runtime connection goes through the gateway; the per-runtime policy decides which destination hosts are allowed or denied.
Each runtime has two egress settings:
mode -> denylist or allowlisthost lists -> hostnames matched by the selected modedenylist with an empty denied-host list is the default and allows all hosts.
Use allowlist when a runtime should reach only named hosts.
Allowed hosts are hostnames, not URLs. Use pypi.org, api.openai.com, or
*.pythonhosted.org; do not include https://, paths, ports, or query strings.
Wildcard entries only match subdomains, so *.example.com matches
api.example.com but not example.com.
Create a runtime for the demo:
runta run --name demo --cpus 2 --memory 2048from runta import Runta
runta = Runta()runtime = runta.runtimes.create("demo", vcpus=2, memory_mib=2048)import { Runta } from "@runta/runta-sdk";
const runta = new Runta();const runtime = await runta.runtimes.create("demo", { vcpus: 2, memoryMib: 2048,});Configure an allowlist:
runta egress set demo \ --mode allowlist \ --allow pypi.org "*.pythonhosted.org" api.openai.comfrom runta import EgressMode, EgressPolicy
runtime.egress.set_policy( EgressPolicy( mode=EgressMode.ALLOWLIST, allowed_hosts=["pypi.org", "*.pythonhosted.org", "api.openai.com"], denied_hosts=[], ))await runtime.egress.setPolicy({ mode: "allowlist", allowedHosts: ["pypi.org", "*.pythonhosted.org", "api.openai.com"], deniedHosts: [],});Verify the policy:
runta egress describe demoprint(runtime.egress.get())console.log(await runtime.egress.get());Try an allowed request from inside the runtime:
runta exec demo -- sh -lc 'curl -fsSI https://pypi.org/simple/ | head -n 1'Try a host that is not on the allowlist; it should be blocked:
runta exec demo -- sh -lc 'curl -fsSI --max-time 10 https://example.com || true'