About GitHub-hosted runners networking
By default, GitHub-hosted runners have access to the public internet. However, you may also want these runners to access resources on your private network, such as a package registry, a secret manager, or other on-premise services.
GitHub-hosted runners are shared across all GitHub customers. However with private networking, you can configure hosted runners to be exclusively used to connect to your private network and resources while they are running your workflows.
There are a few different approaches you could take to configure this access, each with different advantages and disadvantages.
Using an API Gateway with OIDC
With GitHub Actions, you can use OpenID Connect (OIDC) tokens to authenticate your workflow outside of GitHub Actions. For more information, see "Using an API gateway with OIDC."
Using WireGuard to create a network overlay
If you don't want to maintain separate infrastructure for an API Gateway, you can create an overlay network between your runner and a service in your private network, by running WireGuard in both places. For more information, see "Using WireGuard to create a network overlay."
Using an Azure Virtual Network (VNET)
You can use GitHub-hosted runners in an Azure VNET. This enables you to use GitHub-managed infrastructure for CI/CD while providing you with full control over the networking policies of your runners. For more information about Azure VNET, see What is Azure Virtual Network? in the Azure documentation.
Enterprises and organizations on GitHub Enterprise Cloud or GitHub Team plans can configure Azure private networking for GitHub-hosted runners. For more information, see "About Azure private networking for GitHub-hosted runners in your enterprise" and "Configuring private networking for GitHub-hosted runners in your enterprise."