cloudbase / garm-provider-azure

Garm external provider for Azure
https://github.com/cloudbase/garm-provider-azure
Apache License 2.0

Create runners in custom resource group and subnet #25

Open harsha-chamarthi opened 4 months ago

harsha-chamarthi commented 4 months ago

Is it possible to create runners in custom resource group and subnet? I just see the option for passing vnet in extra-specs.

gabriel-samfira commented 4 months ago

Hi @harsha-chamarthi !

Not at this point, no. We currently create one resource group per runner and delete the entire resource group when the runner finishes running a job. By doing so we:

1) Attempt to isolate each runner from any other workload. The code that gets executed in a runner is potentially malicious and the systems running potentially harmful code that comes in via a PR need to be treated as adversarial.
2) It makes cleaning up a lot easier. By removing the resource group, everything in it is removed at once.

Could you detail your use case? It would help in determining if there is an easy way to achieve it in the current form.

harsha-chamarthi commented 4 months ago

I am trying to create a runner pool with extra specs and attach an already existing vnet and subnet, instead of creating a new subnet every time. Also, do we need to open any additional ports on the runner VM for it to communicate with GitHub?

gabriel-samfira commented 4 months ago

Then it should be enough to set extra specs to:

{
  "vnet_subnet_id": "THE_ID_OF_THE_SUBNET",
  "disable_isolated_networks": true
}

In terms of access for the VM, it needs to be able to call back home into your GARM server. So if your GARM server is (for example) running at https://garm.example.com, the runners that spin up in Azure need to have egress access to that URL.
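
A pre-flight check for the extra specs shown in the reply above, as an added example that is not part of the thread or of the provider's code. CheckExtraSpecs is a hypothetical helper, the sample subscription and network names are constructed, and requiring both keys together is an assumption taken from the reply, which sets them together.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Shape of an Azure subnet resource ID; segment names are matched case-insensitively.
var subnetIDRe = regexp.MustCompile(`(?i)^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+` +
	`/providers/Microsoft\.Network/virtualNetworks/[^/]+/subnets/[^/]+$`)

// CheckExtraSpecs (hypothetical helper) returns the problems found in a pool's
// extra specs. It only looks at the two keys that appear in the thread.
func CheckExtraSpecs(raw string) []string {
	var specs map[string]any
	if err := json.Unmarshal([]byte(raw), &specs); err != nil {
		return []string{"extra specs are not a JSON object: " + err.Error()}
	}
	var problems []string
	v, present := specs["vnet_subnet_id"]
	if !present {
		return problems // default behaviour: nothing to check
	}
	// A subnet name or a leftover placeholder is rejected before it reaches a pool.
	id, isString := v.(string)
	if !isString || !subnetIDRe.MatchString(id) {
		problems = append(problems, "vnet_subnet_id must be the full subnet resource ID, not a name")
	}
	// Assumption from the thread: the flag accompanies the subnet ID and is a
	// JSON boolean, so the string "true" is reported as well.
	if on, isBool := specs["disable_isolated_networks"].(bool); !isBool || !on {
		problems = append(problems, "disable_isolated_networks must be the boolean true alongside vnet_subnet_id")
	}
	return problems
}

func main() {
	// Constructed samples; the IDs and names are placeholders.
	good := `{"vnet_subnet_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/net-rg/providers/Microsoft.Network/virtualNetworks/runners-vnet/subnets/runners", "disable_isolated_networks": true}`
	bad := `{"vnet_subnet_id": "THE_ID_OF_THE_SUBNET", "disable_isolated_networks": "true"}`
	fmt.Println(CheckExtraSpecs(good))
	fmt.Println(CheckExtraSpecs(bad))
}
```

With an existing subnet, every runner in the pool is attached to the same network, so the per-runner isolation described earlier in the thread no longer comes from the network layout.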