Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.runloop.ai/llms.txt

Use this file to discover all available pages before exploring further.

Start with the Runloop Quickstart to use the examples below.
Network Policies can be applied to Blueprints in two ways:
  1. Build-time policy: Restricts network access during the blueprint build process
  2. Runtime policy: Applies to all Devboxes created from the blueprint

Build-time Network Policy

Apply a network policy during the blueprint build to restrict what the build process can access. This is useful when your build commands need to download packages from specific registries. 
# Create a build-time network policy
build_policy = await runloop.network_policies.create(
    name="build-policy",
    allow_all=False,
    allowed_hostnames=["github.com", "*.npmjs.org", "pypi.org"]
)

# Apply the policy during blueprint build
blueprint = await runloop.blueprint.create(
    name="secure-build-blueprint",
    network_policy_id=build_policy.id,  # Applies during build
    launch_parameters={
        "launch_commands": ["npm install"]
    }
)
The build-time network_policy_id only affects the build process. It does not affect Devboxes created from the blueprint.

Runtime Network Policy for Devboxes

To apply a network policy to all Devboxes created from the blueprint, set network_policy_id in launch_parameters: 
# Create a runtime network policy
runtime_policy = await runloop.network_policies.create(
    name="runtime-policy",
    allow_all=False,
    allowed_hostnames=["github.com", "api.openai.com"]
)

# Apply the policy to devboxes created from this blueprint
blueprint = await runloop.blueprint.create(
    name="secure-agent-blueprint",
    launch_parameters={
        "network_policy_id": runtime_policy.id,  # Applies to devboxes
        "launch_commands": ["npm install"]
    }
)

# Devboxes created from this blueprint inherit the runtime policy
devbox = await blueprint.create_devbox()

Using Both Build and Runtime Policies

You can use different policies for build and runtime: 
# Build policy: allow package registries
build_policy = await runloop.network_policies.create(
    name="build-policy",
    allow_all=False,
    allowed_hostnames=["*.npmjs.org", "pypi.org", "github.com"]
)

# Runtime policy: more restrictive for production
runtime_policy = await runloop.network_policies.create(
    name="runtime-policy",
    allow_all=False,
    allowed_hostnames=["api.openai.com"]
)

blueprint = await runloop.blueprint.create(
    name="dual-policy-blueprint",
    network_policy_id=build_policy.id,  # Build-time
    launch_parameters={
        "network_policy_id": runtime_policy.id,  # Runtime
        "launch_commands": ["npm install"]
    }
)
Devboxes can override the Blueprint’s runtime network policy by specifying a different network_policy_id at creation time.

Next Steps