Network Policies can be applied to Blueprints in two ways:
- Build-time policy: Restricts network access during the blueprint build process
- Runtime policy: Applies to all Devboxes created from the blueprint
Build-time Network Policy
Apply a network policy during the blueprint build to restrict what the build process can access. This is useful when your build commands need to download packages from specific registries.
```python
# Create a build-time network policy
build_policy = await runloop.network_policies.create(
    name="build-policy",
    allow_all=False,
    allowed_hostnames=["github.com", "*.npmjs.org", "pypi.org"]
)

# Apply the policy during blueprint build
blueprint = await runloop.blueprint.create(
    name="secure-build-blueprint",
    network_policy_id=build_policy.id,  # Applies during build
    launch_parameters={
        "launch_commands": ["npm install"]
    }
)
```
The build-time network_policy_id only affects the build process. It does not affect Devboxes created from the blueprint.
Runtime Network Policy for Devboxes
To apply a network policy to all Devboxes created from the blueprint, set network_policy_id in launch_parameters:
```python
# Create a runtime network policy
runtime_policy = await runloop.network_policies.create(
    name="runtime-policy",
    allow_all=False,
    allowed_hostnames=["github.com", "api.openai.com"]
)

# Apply the policy to devboxes created from this blueprint
blueprint = await runloop.blueprint.create(
    name="secure-agent-blueprint",
    launch_parameters={
        "network_policy_id": runtime_policy.id,  # Applies to devboxes
        "launch_commands": ["npm install"]
    }
)

# Devboxes created from this blueprint inherit the runtime policy
devbox = await blueprint.create_devbox()
```
Using Both Build and Runtime Policies
You can use different policies for build and runtime:
```python
# Build policy: allow package registries
build_policy = await runloop.network_policies.create(
    name="build-policy",
    allow_all=False,
    allowed_hostnames=["*.npmjs.org", "pypi.org", "github.com"]
)

# Runtime policy: more restrictive for production
runtime_policy = await runloop.network_policies.create(
    name="runtime-policy",
    allow_all=False,
    allowed_hostnames=["api.openai.com"]
)

blueprint = await runloop.blueprint.create(
    name="dual-policy-blueprint",
    network_policy_id=build_policy.id,  # Build-time
    launch_parameters={
        "network_policy_id": runtime_policy.id,  # Runtime
        "launch_commands": ["npm install"]
    }
)
```
Devboxes can override the Blueprint’s runtime network policy by specifying a different network_policy_id at creation time.
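To review an allowlist before building, the following added example (not Runloop SDK code and not part of the original page) models which policy applies in each phase, including the Devbox override, and lists the hosts a workload needs that the effective policy would block. The `Policy` class, the function names, the `debug-policy` override and the needed-host lists are hypothetical, and the matching rules (no policy means unrestricted, `*.x` matches subdomains of `x` only, other entries match exactly) are assumptions, since the page does not define them.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    """Local stand-in (hypothetical) holding the policy fields used on this page."""
    name: str
    allow_all: bool = False
    allowed_hostnames: tuple = ()

def host_allowed(policy: Optional[Policy], host: str) -> bool:
    # ASSUMPTIONS: no policy means unrestricted; "*.x" matches subdomains
    # of x but not x itself; other entries match exactly, case-insensitively.
    if policy is None or policy.allow_all:
        return True
    host = host.lower().rstrip(".")
    for pattern in (p.lower() for p in policy.allowed_hostnames):
        if pattern.startswith("*."):
            suffix = pattern[1:]  # "*.npmjs.org" -> ".npmjs.org"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False

def effective_policy(phase, build=None, runtime=None, devbox_override=None):
    # Build policy covers the build only; a Devbox uses its own policy when
    # one is given at creation, otherwise the blueprint's runtime policy.
    if phase == "build":
        return build
    if phase == "devbox":
        return devbox_override if devbox_override is not None else runtime
    raise ValueError(f"unknown phase: {phase!r}")

def blocked_hosts(policy, needed):
    return sorted(h for h in needed if not host_allowed(policy, h))

# Policies copied from the dual-policy example; needed hosts are constructed.
BUILD = Policy("build-policy", False, ("*.npmjs.org", "pypi.org", "github.com"))
RUNTIME = Policy("runtime-policy", False, ("api.openai.com",))
OVERRIDE = Policy("debug-policy", False, ("api.openai.com", "github.com"))  # hypothetical
BUILD_NEEDS = ["registry.npmjs.org", "pypi.org", "files.pythonhosted.org"]
RUN_NEEDS = ["api.openai.com", "github.com"]

if __name__ == "__main__":
    print("build:", blocked_hosts(effective_policy("build", BUILD, RUNTIME), BUILD_NEEDS))
    print("devbox:", blocked_hosts(effective_policy("devbox", BUILD, RUNTIME), RUN_NEEDS))
    print("override:", blocked_hosts(
        effective_policy("devbox", BUILD, RUNTIME, OVERRIDE), RUN_NEEDS))
```

Under these assumptions the build check reports `files.pythonhosted.org`, the host pip downloads package files from, which an allowlist naming only `pypi.org` does not cover.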
Next Steps