Self-hosted runners (AWS) are only available on the Enterprise tier. Contact sales to learn more about upgrading.
AWS Runners allow you to deploy Ona’s runner infrastructure directly within your own AWS VPC, giving you complete control over your development environments while maintaining security and compliance requirements. When you deploy an AWS Runner, development environments are created as EC2 instances that are automatically sized based on your environment class requirements. The runner orchestrator itself runs as an ECS service within a dedicated ECS cluster in your AWS account. The entire deployment is automated through CloudFormation templates that we provide, making setup straightforward while ensuring best practices for security and scalability.

[Figure: Overview of AWS runner architecture]

Benefits of AWS Runner

AWS Runners let you run Ona environments inside your AWS account with enterprise‑grade controls. Key benefits include:
  • Direct connectivity using your own Network Load Balancer with your domain and SSL/TLS certificate
  • AI agent integration for accelerated development workflows (Enterprise tier)
  • Private connectivity to the management plane via AWS PrivateLink (no public internet traversal)
  • Fine‑grained IAM with permission boundaries to meet enterprise security requirements
  • HTTP proxy support for environments behind corporate firewalls
  • Custom CA certificate support for enterprise CAs and certificate chains
The Enterprise Runner is exclusively available to customers on the Enterprise tier. If you’re an Enterprise customer, contact your Ona account manager for more information.
The Enterprise AWS Runner provides enhanced capabilities including Ona Agents support and direct connectivity options. It is designed for enterprise customers who need advanced features and greater control over their infrastructure with custom networking configurations.

Key Features

  • Ona AI agent integration - Enhanced development workflows with AI-powered assistance
  • Direct connectivity - Bypasses central gateways by using your own Network Load Balancer, secured with your custom domain and SSL/TLS certificate
  • Private VPC endpoints - Connect to the management plane via AWS PrivateLink for enhanced security without public internet traversal
  • Enhanced security - Fine-grained IAM policies with permission boundaries for enterprise security requirements
  • HTTP proxy support - Custom HTTP proxy configuration for environments behind corporate firewalls
  • Custom CA certificate support - Support for enterprise certificate authorities and custom certificate chains
[Figure: Enterprise Runner architecture]

Prerequisites

Before deploying your Enterprise AWS Runner, ensure you have:
  1. AWS Account with elevated permissions for enterprise features
  2. Capacity Planning - Follow our Capacity Planning guide to determine your infrastructure requirements
  3. AMI Access - If your organization restricts AMI usage, allowlist the AMIs runners and environments run on
    AMI Name                                   | Owner Account ID | Owner  | Purpose
    bottlerocket-aws-ecs-1-x86_64              | 149721548608     | Amazon | Runner service
    gitpod/images/gitpod-next/ec2-runner-ami-* | 995913728426     | Gitpod | Development environments
    For more details, review our AMI Requirements guide.
  4. Domain Name that you control with DNS modification capabilities
  5. SSL/TLS Certificate provisioned in AWS Certificate Manager (ACM). Your SSL certificate must include both Subject Alternative Names (SANs):
    • yourdomain.com (root domain)
    • *.yourdomain.com (wildcard subdomain)
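
The AMI and certificate prerequisites above can be checked before deployment. The following is an added example, not part of Ona's documentation or tooling: it validates the JSON returned by `aws acm describe-certificate` and image entries from `aws ec2 describe-images` against the values listed on this page. The function names and sample inputs are constructed for illustration, and treating the Bottlerocket name as a prefix is an assumption.

```python
import fnmatch
import json

# AMI name patterns and owner account IDs from the prerequisites table.
# Treating the Bottlerocket name as a prefix is an assumption of this example.
REQUIRED_AMIS = [
    ("bottlerocket-aws-ecs-1-x86_64*", "149721548608"),
    ("gitpod/images/gitpod-next/ec2-runner-ami-*", "995913728426"),
]

def _norm(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.strip().rstrip(".").lower()

def check_certificate(describe_output, domain):
    """Return a list of problems found in `aws acm describe-certificate` JSON."""
    cert = describe_output["Certificate"]
    sans = {_norm(n) for n in cert.get("SubjectAlternativeNames", [])}
    root = _norm(domain)
    problems = []
    if cert.get("Status") != "ISSUED":
        problems.append(f"certificate status is {cert.get('Status')}, not ISSUED")
    # A wildcard SAN does not cover the root domain, so both must be present.
    for required in (root, f"*.{root}"):
        if required not in sans:
            problems.append(f"missing SAN {required}")
    return problems

def check_ami(image):
    """Return a problem string if the image is not a listed runner AMI or its
    owner is not the account listed for that name pattern; otherwise None."""
    for pattern, owner in REQUIRED_AMIS:
        if fnmatch.fnmatchcase(image["Name"], pattern):
            if image["OwnerId"] != owner:
                return f"{image['Name']}: owner {image['OwnerId']} != {owner}"
            return None
    return f"{image['Name']}: not one of the runner AMIs"

# Constructed sample inputs (not real AWS output).
SAMPLE_CERT = json.loads("""{"Certificate": {"DomainName": "*.yourdomain.com",
  "Status": "ISSUED", "SubjectAlternativeNames": ["*.YourDomain.com"]}}""")
SAMPLE_IMAGES = [
    {"Name": "gitpod/images/gitpod-next/ec2-runner-ami-0001", "OwnerId": "995913728426"},
    {"Name": "gitpod/images/gitpod-next/ec2-runner-ami-0001", "OwnerId": "000000000000"},
]

if __name__ == "__main__":
    print(check_certificate(SAMPLE_CERT, "yourdomain.com"))
    for img in SAMPLE_IMAGES:
        print(check_ami(img))
```

Matching on owner account ID as well as name matters because AMI names are not unique across accounts; an allowlist keyed on name alone would accept a same-named image published by another account.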

Network Requirements

The Enterprise Runner requires a custom VPC with specific networking setup for enhanced security and direct connectivity.

[Figure: Network Configuration Diagram]

Next Steps

I