Making the AppRunner endpoint private

From a common user question:

Is it possible to deploy RunsOn while keeping the underlying AWS App Runner service not publicly exposed to the Internet, or does App Runner necessarily need to be publicly accessible in order to communicate with GitHub?

Unless you are using a self-hosted GitHub Enterprise Server (GHES) instance running in your private VPC, then yes, you need to have the App Runner service listening on a public IP so that it can receive webhooks from github.com.

App Runner does, however, support attaching an AWS WAF web ACL, which lets you restrict access to the public endpoint to known source ranges, including the ranges github.com delivers webhooks from (GitHub publishes its IP ranges at https://api.github.com/meta; the hooks key is the one that matters for webhook delivery, and it changes over time, so re-check it periodically). At this time the WAF can be enabled manually through the AWS console. A (not-so-great) screencast is available to show you around the AWS console if you wish to go that route. The WAF configuration will survive upgrades.
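If you go the manual route, the tedious part is turning the meta response into the two IP sets AWS WAF wants (one per address family, canonical CIDR notation) and verifying the resulting allow-list before you attach it. The script below is an added example, not RunsOn's code or part of its Terraform module; it works offline on a constructed sample shaped like the meta response (the ranges are illustrative, not the current list), adds an optional admin CIDR the way waf_allowed_ipv4_cidrs does, and exposes a check so you can confirm a given webhook source address would pass and an unrelated address would not.

```python
"""Build AWS WAF IP-set entries from GitHub's published webhook ranges.

Added example for the manual WAF route; not RunsOn project code.
"""
import ipaddress
import json

# Constructed sample shaped like https://api.github.com/meta. The real
# response is larger and changes over time: always fetch it fresh.
SAMPLE_META = json.dumps({
    "hooks": ["192.30.252.0/22", "185.199.108.0/22", "140.82.112.0/20",
              "143.55.64.0/20", "2a0a:a440::/29", "2606:50c0::/32"],
    # Runner egress ranges (assumed value); not where webhooks come from.
    "actions": ["192.0.2.0/24"],
})


def webhook_ranges(meta_json: str) -> list:
    """Return the normalized networks GitHub delivers webhooks from."""
    meta = json.loads(meta_json)
    # strict=False tolerates host bits being set; WAF wants canonical CIDRs.
    return [ipaddress.ip_network(c, strict=False) for c in meta.get("hooks", [])]


def waf_ip_sets(meta_json: str, extra_cidrs=()) -> dict:
    """Split ranges into the per-family IP sets AWS WAF requires.

    Returns {"IPV4": [...], "IPV6": [...]} with canonical, deduplicated,
    sorted CIDR strings suitable for wafv2 create-ip-set / update-ip-set.
    extra_cidrs plays the role of an admin allow-list (e.g. your office IP).
    """
    nets = webhook_ranges(meta_json)
    nets += [ipaddress.ip_network(c, strict=False) for c in extra_cidrs]
    v4 = sorted({n for n in nets if n.version == 4})
    v6 = sorted({n for n in nets if n.version == 6})
    return {"IPV4": [str(n) for n in v4], "IPV6": [str(n) for n in v6]}


def is_allowed(ip: str, ip_sets: dict) -> bool:
    """Would a request from `ip` pass an allow-list built from ip_sets?"""
    addr = ipaddress.ip_address(ip)
    family = "IPV4" if addr.version == 4 else "IPV6"
    return any(addr in ipaddress.ip_network(c) for c in ip_sets[family])


def diff_ip_sets(current: dict, desired: dict) -> dict:
    """Entries to add/remove when refreshing an IP set after meta changes."""
    out = {}
    for fam in ("IPV4", "IPV6"):
        cur, des = set(current.get(fam, [])), set(desired.get(fam, []))
        out[fam] = {"add": sorted(des - cur), "remove": sorted(cur - des)}
    return out


if __name__ == "__main__":
    sets = waf_ip_sets(SAMPLE_META, extra_cidrs=["203.0.113.50/32"])
    print(json.dumps(sets, indent=2))
    for probe in ("140.82.115.34", "203.0.113.50", "198.51.100.7",
                  "2606:50c0:8000::1"):
        print(probe, "allowed" if is_allowed(probe, sets) else "blocked")
```

Note that only the hooks ranges go into the allow-list: a request from an actions range is rejected, which is the behaviour you want, since nothing in GitHub's runner egress space should be talking to this endpoint. Run diff_ip_sets against the IP set you last uploaded whenever you refresh from meta, so you only push the changed entries.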

The Terraform module, on the other hand, officially supports this option (enable_waf = true), so that you don't need to configure the WAF by hand. I would recommend having a look at it if you want that kind of advanced networking configuration, since the CloudFormation stack is going to be more targeted towards simple RunsOn deployments.

At this time (January 28, 2026), you will need to reference the main branch of the module to get that new feature, until a new version of the module is officially released in the registries:

module "runs-on" {
  source = "git::https://github.com/runs-on/terraform-aws-runs-on.git?ref=main"
  ...

  # Enable WAF to restrict access to GitHub IPs only
  enable_waf = true

  # Optionally add your own IPs for admin access
  # waf_allowed_ipv4_cidrs = ["203.0.113.50/32"]
}

Last updated: January 28, 2026

View original discussion