RunsOn: VPC Networking, Security Groups, and Egress Issues
RunsOn runners live in a VPC in your AWS account. If subnet routing, security groups, or egress are wrong, runners cannot reach GitHub or your registries.
Per RunsOn's troubleshooting docs, VPC networking issues are a common cause of failing RunsOn jobs: subnet routing, security group rules, and egress to GitHub and container registries all have to be correct for runners to work (runs-on.com/docs/maintenance/troubleshooting). Because the VPC is in your AWS account, these are yours to configure. Verify current guidance on runs-on.com.
What is happening
- Runners in a private subnet need a route (often via NAT) to reach GitHub and registries.
- Security groups must allow the required outbound traffic.
- Missing or misconfigured egress blocks action downloads, registry pulls, and runner registration.
How to address it (per RunsOn docs)
- Check subnet route tables so runners have a working path to the internet or your endpoints.
- Verify security group egress rules permit traffic to GitHub and your registries.
- Confirm the optional NAT (created by the stack) is present and routing if runners are in private subnets.
The managed contrast
RunsOn's stack creates its own VPC, subnets, and optional NAT (per runs-on.com/quickstart), and from then on the networking is your responsibility. With Latchkey there is no VPC to design or debug: connectivity to GitHub and registries is part of the managed service.