To trigger deployments using GitHub Actions running on EC2 server without internet access

0

Hi AWS, I am doing some deployments using GitHub Actions self-hosted runners, which are installed on an AWS EC2 server without internet access, as those are organization-owned production servers and, as a good practice, they have blocked our internet access. Now the problem is that in order to make a call with GitHub Actions you need to have an internet connection, as it uses a REST API under the hood which is going to interact with GitHub. Is there any way around this where I can do the deployment smoothly without worrying about whether internet connectivity is available on the server I am working on or not? If we need to do a certain deployment, after a lot of discussions we used to get the internet access temporarily, and because of our current setup, if we have to do some deployments at off hours, it gets stuck because of the current issue we're experiencing.

After a long research, I explored something and I am attaching the links for your reference:

  1. https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization
  2. https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization

But I am not sure if that's going to suffice my requirement if that's practically possible. Please suggest.

2 Answers
0

Have you looked into this? https://docs.github.com/en/actions/using-github-hosted-runners/connecting-to-a-private-network. Seems the feasible approach is to use API Gateway with OIDC, though your requirement may be stricter than that.

EXPERT
answered 13 days ago
EXPERT
reviewed 13 days ago
0

According to "Communication between self hosted runners and GitHub Enterprise Cloud", a long-poll HTTPS connection and several other bidirectional HTTPS connections are required from the GitHub Runner to GitHub.

Given your architecture and constraints, it may be possible to set up a proxy service that can centralize the outbound network access needed. Information is available at "Using a proxy server with self-hosted runners".

In combination with the workflow_job webhook event, you may be able to automatically turn the proxy on and off on an as-needed basis. More information is at "Webhook events and payloads: workflow_job".

answered 13 days ago
EXPERT
reviewed 13 days ago
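
The proxy on/off idea in the answer above, sketched as an added example (not code from the answer or from GitHub): a receiver for `workflow_job` deliveries that verifies the `X-Hub-Signature-256` HMAC before acting and reports whether the proxy should be enabled. The `ProxyGate` class, the helper names, the sample payloads and the assumption that the receiver runs somewhere GitHub can reach are all hypothetical; actually switching the proxy is left to the caller.

```python
import hashlib
import hmac
import json

# workflow_job actions that mean a job still needs the runner to reach GitHub.
OPEN_ACTIONS = {"queued", "in_progress"}


def sign(secret: bytes, body: bytes) -> str:
    """Header value GitHub sends: "sha256=" + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_ok(secret: bytes, body: bytes, header: str) -> bool:
    """Constant-time check of the X-Hub-Signature-256 header."""
    return hmac.compare_digest(sign(secret, body).encode(), (header or "").encode())


class ProxyGate:
    """Hypothetical helper: tracks open self-hosted jobs for the proxy toggle."""

    def __init__(self, secret: bytes, runner_label: str = "self-hosted"):
        self.secret = secret
        self.runner_label = runner_label
        self.open_jobs = set()

    def handle(self, event: str, body: bytes, signature: str) -> bool:
        """Process one delivery; return True if the proxy should be enabled."""
        if not signature_ok(self.secret, body, signature):
            raise PermissionError("bad webhook signature")  # never act on unsigned input
        if event != "workflow_job":
            return bool(self.open_jobs)
        payload = json.loads(body)
        job = payload["workflow_job"]
        if self.runner_label not in job.get("labels", []):
            return bool(self.open_jobs)  # job is not for our runners, ignore it
        if payload["action"] in OPEN_ACTIONS:
            self.open_jobs.add(job["id"])
        elif payload["action"] == "completed":
            self.open_jobs.discard(job["id"])
        return bool(self.open_jobs)


def sample(action: str, job_id: int, labels) -> bytes:
    """Constructed, minimal workflow_job payload; real deliveries carry more fields."""
    return json.dumps({"action": action,
                       "workflow_job": {"id": job_id, "labels": labels}}).encode()
```

A lost `completed` delivery would leave the gate open, so a real deployment would pair this with a timeout that closes the proxy regardless.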
