How can we help?

Articles in this section

See more

Runner network and egress requirements

ServiceAI Orion
  • Updated

A CloudRadial AutomationAI runner is outbound-only: it has no public ingress and connects out to the control plane on its own schedule. On a standard virtual network its egress works out of the box, and you only need to act in a locked-down environment. This article lists the outbound targets to allow. It is for the technician operating a runner.

  • The Outbound-Only Posture
  • Allow-List Targets
  • The Workspace Outbound IP

The Outbound-Only Posture

The runner exposes no inbound endpoint. There is no public ingress, no broker, and no shared-access tokens. Its Function Apps poll the control plane over outbound HTTPS, and AI traffic stays on the private Foundry endpoint inside the runner's virtual network by default. On a standard VNet the required egress is already allowed, so the allow-list below matters only where outbound traffic is restricted.

Allow-List Targets

In a locked-down environment, allow outbound HTTPS to:

  • The control plane — your regional CloudRadial control-plane URL (automationai*.cloudradial.com), which the runner polls for work
  • The runner package storecrautopkg<region>.blob.core.windows.net, the CloudRadial package store the runner downloads its code package from (anonymous blob read; no token needed)
  • OpenAI, only in OpenAI modeapi.openai.com (or your endpoint override). This is required only when the runner's AI provider is set to OpenAI; the default Foundry provider keeps all AI traffic on the private endpoint with no internet egress

If your egress controls require a different package-store URL, CloudRadial support can provide a mirrored one to use in place of the default. For the AI-provider choice, see the article on choosing the runner AI provider.

The Workspace Outbound IP

Your workspace has an Outbound IP shown under Settings > Overview as the Outbound IP allowlist. This is the address AutomationAI uses when it reaches out to your systems from your workflows, so if those systems restrict access by IP, allow this address on their firewalls. It is a separate concern from the runner's outbound egress above: the runner allow-list governs what the runner can call, while the Outbound IP is what your own systems should permit so AutomationAI can reach them. The Outbound IP appears only when one is configured for your workspace.

Comments

0 comments

Please sign in to leave a comment.