Egress
Egress controls are runtime scoped. When enforcement is enabled, outbound host-based traffic is checked by the Runta egress gateway and denied unless the destination host is allowed.
Host Rules
Section titled “Host Rules”Allowed hosts are host names, not full URLs, when you use the CLI:
pypi.orgapi.openai.com*.pythonhosted.orgDo not include https://, paths, ports, or query strings in CLI allowlist
entries. SDK helpers accept URLs and normalize them to host names before
calling the REST API. Wildcard entries match subdomains, so *.example.com
matches api.example.com; add example.com separately if the apex host should
also be allowed.
Enable Enforcement
Section titled “Enable Enforcement”runta egress allow worker pypi.org '*.pythonhosted.org' api.openai.comrunta egress enable workerrunta egress table workerruntime.egress.allow(["pypi.org", "*.pythonhosted.org", "api.openai.com"])runtime.egress.enable()
print(runtime.egress.list())await runtime.egress.allow(["pypi.org", "*.pythonhosted.org", "api.openai.com"]);await runtime.egress.enable();
console.log(await runtime.egress.list());Disable enforcement when the runtime should return to unrestricted outbound network access:
runta egress disable workerThe SDK equivalents are runtime.egress.disable() and
await runtime.egress.disable().
Patch Policy
Section titled “Patch Policy”The SDKs can replace the policy in one call:
from runta import EgressPolicy
runtime.egress.update_policy( EgressPolicy(enabled=True, allowed_hosts=["api.github.com"]))await runtime.egress.updatePolicy({ enabled: true, allowed_hosts: ["api.github.com"],});Audit Events
Section titled “Audit Events”Egress audit events record observed outbound activity and policy outcomes. Use them to confirm which host was reached, whether the gateway allowed or denied the request, and why.
runta egress events --sandbox worker --limit 20runta egress events --watch --interval 5for event in runtime.egress.audit(limit=20): print(event.action, event.host, event.path, event.reason)
for audit in runta.audits.list(runtime=runtime, category="egress", limit=20): print(audit.category, audit.payload)for (const event of await runtime.egress.audit(20)) { console.log(event.action, event.host, event.path, event.reason);}
for (const audit of await runta.audits.list({ runtime, category: "egress", limit: 20 })) { console.log(audit.category, audit.payload);}The REST API exposes generic audit listing at GET /v1/audits. Filter by
runtime and category when you only need egress evidence for one runtime.