mirror of synced 2025-12-19 18:10:59 -05:00

Documentation for "Actions: Organizations can now create network configurations for Azure private networking - [GA]" (#50852)

Co-authored-by: Steve-Glass <84886334+Steve-Glass@users.noreply.github.com>
Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com>
Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com>
This commit is contained in:
Joe Clark
2024-06-03 09:34:08 -07:00
committed by GitHub
parent fec51a3179
commit c6408df62c
18 changed files with 314 additions and 242 deletions

View File

@@ -47,8 +47,7 @@ Organization owners using the {% data variables.product.prodname_team %} plan ca
{% ifversion ghec %} {% ifversion ghec %}
Enterprise owners can configure Azure private networking for {% data variables.product.company_short %}-hosted runners at the enterprise level. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise)." Enterprises and organizations on {% data variables.product.prodname_ghe_cloud %} or {% data variables.product.prodname_team %} plans can configure Azure private networking for {% data variables.product.company_short %}-hosted runners. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise)" and "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise#enabling-creation-of-network-configurations-for-organizations)."
{% endif %} {% endif %}
{% endif %} {% endif %}

View File

@@ -46,6 +46,12 @@ redirect_from:
{% data reusables.actions.azure-vnet-networking-policies %} {% data reusables.actions.azure-vnet-networking-policies %}
## Managing network configuration policies for organizations in your enterprise
You can give organization owners in your enterprise the ability to set up and maintain organization-level network configurations for {% data variables.product.company_short %}-hosted runners.
For more information, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise#enabling-creation-of-network-configurations-for-organizations)."
## Using {% data variables.product.company_short %}-hosted runners with an Azure VNET ## Using {% data variables.product.company_short %}-hosted runners with an Azure VNET
{% data reusables.actions.azure-vnet-next-steps-links %} {% data reusables.actions.azure-vnet-next-steps-links %}

View File

@@ -30,11 +30,101 @@ redirect_from:
## Configuring your Azure resources ## Configuring your Azure resources
{% data reusables.actions.azure-vnet-configure-azure-resources-procedures %} {% data reusables.actions.azure-vnet-procedures-prereqs %}
### 1. Obtain the `databaseId` for your enterprise
You can use the following GraphQL query to retrieve your enterprise `databaseId`. You will use the enterprise `databaseId` for the value of the `DATABASE_ID` environment variable in the next step. For more information on working with GraphQL, see "[AUTOTITLE](/graphql/guides/forming-calls-with-graphql)."
{% data reusables.enterprise_migrations.retrieve-enterprise-id-graphql %}
```graphql
query(
$slug: String!
){
enterprise (slug: $slug)
{
slug
databaseId
}
}
'
Variables
{
"slug": "ENTERPRISE_SLUG"
}
```
Alternatively, you can use the following curl command to find your `databaseId`.
```shell copy
curl -H "Authorization: Bearer BEARER_TOKEN" -X POST \
-d '{ "query": "query($slug: String!) { enterprise (slug: $slug) { slug databaseId } }" ,
"variables": {
"slug": "ENTERPRISE_SLUG"
}
}' \
https://api.github.com/graphql
```
{% data reusables.actions.azure-vnet-configure-azure-resources-script %}
## Creating a network configuration for your enterprise in {% data variables.product.company_short %} ## Creating a network configuration for your enterprise in {% data variables.product.company_short %}
{% data reusables.actions.azure-vnet-creating-network-configuration-procedures %} {% data reusables.actions.azure-vnet-creating-network-configuration-prereqs %}
### 1. Add a new network configuration for your enterprise
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
1. In the left sidebar, click **Hosted compute networking**.
1. Click the **New network configuration** dropdown. Then click **Azure private network**.
1. Name your network configuration.
1. Click **Add Azure Virtual Network**.
1. In the popup window, enter the network settings resource ID you retrieved when you configured your Azure resources for private networking.
1. Click **Add Azure Virtual Network**.
### 2. Create a runner group for your enterprise
{% note %}
**Note:** For the runner group to be accessible by repositories within your organizations, those repositories must have access to that runner group at the organization level. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/controlling-access-to-larger-runners#changing-which-repositories-can-access-a-runner-group)."
{% endnote %}
1. Create a new runner group for your enterprise. For more information about how to create a runner group, see "[AUTOTITLE](/actions/using-github-hosted-runners/controlling-access-to-larger-runners#creating-a-runner-group-for-an-enterprise)."
{% data reusables.actions.workflows.runner-groups-enterprise-organization-access %}
1. While configuring your runner group, under "Network configurations," use the dropdown menu to select the network configuration you created for the Azure VNET.
1. To create the group and apply the policy, click **Create group**.
### 3. Add the {% data variables.product.company_short %}-hosted runner to the enterprise runner group
{% note %}
**Note:** When adding your {% data variables.product.company_short %}-hosted runner to a runner group, select the runner group you created in the previous procedures.
{% endnote %}
1. Add the {% data variables.product.company_short %}-hosted runner to the runner group. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/actions/using-github-hosted-runners/managing-larger-runners#adding-a-larger-runner-to-an-enterprise)."
### 4. Optionally, manage network configurations
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
1. In the left sidebar, click **Hosted compute networking**.
1. To edit a network configuration, to the right of the network configuration, click {% octicon "pencil" aria-label="Edit a network configuration" %}. Then click **Edit configuration**.
1. To disable a network configuration, to the right of the network configuration, click {% octicon "kebab-horizontal" aria-label="Menu" %}. Then click **Disable**.
1. To delete a network configuration, to the right of the network configuration, click {% octicon "kebab-horizontal" aria-label="Menu" %}. Then click **Delete**.
## Enabling creation of network configurations for organizations
You can allow organization owners in an enterprise to create their own organization-level network configurations.
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.policies-tab %}
1. Click **Hosted compute networking**.
1. Under "Hosted compute networking," click **Enable**.
1. Click **Save**.
## Deleting a subnet ## Deleting a subnet
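Review bot: The `graphql` fence in step 1 is not valid GraphQL as written: after the closing `}` of the query there is a stray `'` line, then `Variables` and a JSON object, all inside the same fence. Anyone pasting the block into a GraphQL client gets a parse error. Suggest closing the fence after the query and putting the variables in their own `json` fence under a short "Variables" lead-in. Also check whether the `retrieve-enterprise-id-graphql` reusable included directly above the fence already renders this query, in which case the inline copy duplicates it.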

View File

@@ -3,7 +3,7 @@ title: About Azure private networking for GitHub-hosted runners in your organiza
shortTitle: About Azure private networking shortTitle: About Azure private networking
intro: 'You can create create a private network configuration for your organization to use {% data variables.product.company_short %}-hosted runners in your Azure Virtual Network(s) (VNET).' intro: 'You can create create a private network configuration for your organization to use {% data variables.product.company_short %}-hosted runners in your Azure Virtual Network(s) (VNET).'
versions: versions:
fpt: '*' feature: actions-private-networking-azure-vnet
type: overview type: overview
permissions: '{% data reusables.actions.azure-vnet-organization-permissions %}' permissions: '{% data reusables.actions.azure-vnet-organization-permissions %}'
topics: topics:
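Review bot: While this front matter is being edited, the `intro` line just above the `versions` change still reads "You can create create a private network configuration"; drop the duplicated "create".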

View File

@@ -4,7 +4,7 @@ shortTitle: About private networking
intro: 'You can manage private networking for {% data variables.product.company_short %}-hosted products using network configurations in your organization.' intro: 'You can manage private networking for {% data variables.product.company_short %}-hosted products using network configurations in your organization.'
permissions: '{% data reusables.actions.azure-vnet-organization-permissions %}' permissions: '{% data reusables.actions.azure-vnet-organization-permissions %}'
versions: versions:
fpt: '*' feature: actions-private-networking-azure-vnet
type: how_to type: how_to
topics: topics:
- Actions - Actions
@@ -25,6 +25,12 @@ topics:
{% data reusables.actions.azure-vnet-network-configuration-intro %} {% data reusables.actions.azure-vnet-network-configuration-intro %}
For more information about using an Azure VNET with {% data variables.product.company_short %}-hosted runners works, see{% ifversion ghec %} "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise)."{% else %} "[AUTOTITLE](/organizations/managing-organization-settings/about-azure-private-networking-for-github-hosted-runners-in-your-organization)."{% endif %} {% ifversion ghec %}
{% data reusables.actions.azure-vnet-enterprise-policy %}
{% endif %}
For more information about how using an Azure VNET with {% data variables.product.company_short %}-hosted runners works, see "[AUTOTITLE](/organizations/managing-organization-settings/about-azure-private-networking-for-github-hosted-runners-in-your-organization)."
{% data reusables.actions.azure-vnet-next-steps-links %} {% data reusables.actions.azure-vnet-next-steps-links %}

View File

@@ -3,7 +3,7 @@ title: Configuring private networking for GitHub-hosted runners in your organiza
shortTitle: Configuring private networking shortTitle: Configuring private networking
intro: 'Learn how to use {% data variables.product.company_short %}-hosted runners with an Azure private network in your organization.' intro: 'Learn how to use {% data variables.product.company_short %}-hosted runners with an Azure private network in your organization.'
versions: versions:
fpt: '*' feature: actions-private-networking-azure-vnet
type: how_to type: how_to
permissions: '{% data reusables.actions.azure-vnet-organization-permissions %}' permissions: '{% data reusables.actions.azure-vnet-organization-permissions %}'
topics: topics:
@@ -21,13 +21,102 @@ topics:
{% data reusables.actions.azure-vnet-configuring-overview %} {% data reusables.actions.azure-vnet-configuring-overview %}
{% ifversion ghec %}
> [!NOTE]
> {% data reusables.actions.azure-vnet-enterprise-policy %}
{% endif %}
## Configuring your Azure resources ## Configuring your Azure resources
{% data reusables.actions.azure-vnet-configure-azure-resources-procedures %} {% data reusables.actions.azure-vnet-procedures-prereqs %}
### 1. Obtain the `databaseId` for your organization
You can use the following GraphQL query to retrieve your organization `databaseId`. You will use the organization `databaseId` for the value of the `DATABASE_ID` environment variable in the next step. For more information on working with GraphQL, see "[AUTOTITLE](/graphql/guides/forming-calls-with-graphql)."
| Query variable | Description |
|----|----|
| `login` | The login for your organization account, which you can identify by looking at the URL for your organization, `https://github.com/organizations/ORGANIZATION_LOGIN`.
```graphql
query(
$login: String!
){
organization (login: $login)
{
login
databaseId
}
}
'
Variables
{
"login": "ORGANIZATION_LOGIN"
}
```
Alternatively, you can use the following curl command to find your `databaseId`.
```shell copy
curl -H "Authorization: Bearer BEARER_TOKEN" -X POST \
-d '{ "query": "query($login: String!) { organization (login: $login) { login databaseId } }" ,
"variables": {
"login": "ORGANIZATION_LOGIN"
}
}' \
https://api.github.com/graphql
```
{% data reusables.actions.azure-vnet-configure-azure-resources-script %}
## Creating a network configuration for your organization in {% data variables.product.company_short %} ## Creating a network configuration for your organization in {% data variables.product.company_short %}
{% data reusables.actions.azure-vnet-creating-network-configuration-procedures %} {% data reusables.actions.azure-vnet-creating-network-configuration-prereqs %}
### 1. Add a new network configuration for your organization
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
1. In the left sidebar, click **Hosted compute networking**.
1. Click the **New network configuration** dropdown. Then click **Azure private network**.
1. Name your network configuration.
1. Click **Add Azure Virtual Network**.
1. In the popup window, enter the network settings resource ID you retrieved when you configured your Azure resources for private networking.
1. Click **Add Azure Virtual Network**.
### 2. Create a runner group for your organization
{% note %}
**Note:** For the runner group to be accessible by repositories within your organizations, those repositories must have access to that runner group at the organization level. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/controlling-access-to-larger-runners#changing-which-repositories-can-access-a-runner-group)."
{% endnote %}
1. Create a new runner group for your organization. For more information about how to create a runner group, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners#creating-a-runner-group-for-an-organization)."
1. To choose a policy for repository access, select the **Repository access** dropdown menu and click a policy. You can configure a runner group to be accessible to a specific list of repositories, or all repositories in the organization.
1. While configuring your runner group, under "Network configurations," use the dropdown menu to select the network configuration you created for the Azure VNET.
1. To create the group and apply the policy, click **Create group**.
### 3. Add the {% data variables.product.company_short %}-hosted runner to the organization runner group
{% note %}
**Note:** When adding your {% data variables.product.company_short %}-hosted runner to a runner group, select the runner group you created in the previous procedures.
{% endnote %}
1. Add the {% data variables.product.company_short %}-hosted runner to the runner group. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization)."
### 4. Optionally, manage network configurations
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
1. In the left sidebar, click **Hosted compute networking**.
1. To edit a network configuration, to the right of the network configuration, click {% octicon "pencil" aria-label="Edit a network configuration" %}. Then click **Edit configuration**.
1. To disable a network configuration, to the right of the network configuration, click {% octicon "kebab-horizontal" aria-label="Menu" %}. Then click **Disable**.
1. To delete a network configuration, to the right of the network configuration, click {% octicon "kebab-horizontal" aria-label="Menu" %}. Then click **Delete**.
## Deleting a subnet ## Deleting a subnet
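Review bot: The curl example in step 1 sends `Authorization: Bearer BEARER_TOKEN`, but nothing in the added text says what kind of token to use or which scope it needs to read the organization's `databaseId`. Suggest a sentence naming the minimum scope so readers do not reach for an over-privileged token. Two smaller points in the same step: the `login` table row has no closing `|`, and the `graphql` fence contains a stray `'` line plus the `Variables` JSON, which is not valid GraphQL.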

View File

@@ -3,7 +3,7 @@ title: Troubleshooting Azure private network configurations for GitHub-hosted ru
shortTitle: Troubleshooting Azure private networking shortTitle: Troubleshooting Azure private networking
intro: 'Learn how to fix common issues while creating Azure private network configurations to use {% data variables.product.company_short %}-hosted runners with an Azure VNET.' intro: 'Learn how to fix common issues while creating Azure private network configurations to use {% data variables.product.company_short %}-hosted runners with an Azure VNET.'
versions: versions:
fpt: '*' feature: actions-private-networking-azure-vnet
type: how_to type: how_to
permissions: '{% data reusables.actions.azure-vnet-organization-permissions %}' permissions: '{% data reusables.actions.azure-vnet-organization-permissions %}'
topics: topics:

View File

@@ -0,0 +1,85 @@
### 2. Use a script to configure your Azure resources
Use the following script to set up a subnet for Azure private networking. The script creates all resources in the same resource group.
To use the script, fill in the placeholder environment variable values with the actual values and run the script from a bash shell or Windows Subsystem for Linux.
{% note %}
**Notes**:
- Run the following script in the same directory where you saved the `actions-nsg-deployment.bicep` file.
- When setting the `YOUR_AZURE_LOCATION` environment variable, use your regions name. This value is different than your regions display name. To see a list of names and display names, use `az account list-locations -o table`.
- When you create the network settings resource, a service association link is applied to the subnet that you provide. This link prevents accidental deletion of the subnet while in use by the {% data variables.product.prodname_actions %} service.
- If you customize this script to use network resources in existing subnets, you must ensure any existing network interfaces (NICs) connected to the subnet are deleted before the subnet is delegated to the {% data variables.product.prodname_actions %} service. Otherwise, the service will fail to apply the service association link to the subnet.
{% endnote %}
```bash copy
#!/bin/bash
# This script creates the following resources in the specified subscription:
# - Resource group
# - Network Security Group rules
# - Virtual network (vnet) and subnet
# - Network Settings with specified subnet and GitHub {% ifversion ghec %}Enterprise{% else %}Organization {% endif %}database ID
#
# It also registers the `GitHub.Network` resource provider with the subscription,
# delegates the created subnet to the Actions service via the `GitHub.Network/NetworkSettings`
# resource type, and applies the NSG rules to the created subnet.
# stop on failure
set -e
#set environment
export AZURE_LOCATION=YOUR_AZURE_LOCATION
export SUBSCRIPTION_ID=YOUR_SUBSCRIPTION_ID
export RESOURCE_GROUP_NAME=YOUR_RESOURCE_GROUP_NAME
export VNET_NAME=YOUR_VNET_NAME
export SUBNET_NAME=YOUR_SUBNET_NAME
export NSG_NAME=YOUR_NSG_NAME
export NETWORK_SETTINGS_RESOURCE_NAME=YOUR_NETWORK_SETTINGS_RESOURCE_NAME
export DATABASE_ID=YOUR_DATABASE_ID
# These are the default values. You can adjust your address and subnet prefixes.
export ADDRESS_PREFIX=10.0.0.0/16
export SUBNET_PREFIX=10.0.0.0/24
echo
echo login to Azure
. az login --output none
echo
echo set account context $SUBSCRIPTION_ID
. az account set --subscription $SUBSCRIPTION_ID
echo
echo Register resource provider GitHub.Network
. az provider register --namespace GitHub.Network
echo
echo Create resource group $RESOURCE_GROUP_NAME at $AZURE_LOCATION
. az group create --name $RESOURCE_GROUP_NAME --location $AZURE_LOCATION
echo
echo Create NSG rules deployed with 'actions-nsg-deployment.bicep' file
. az deployment group create --resource-group $RESOURCE_GROUP_NAME --template-file ./actions-nsg-deployment.bicep --parameters location=$AZURE_LOCATION nsgName=$NSG_NAME
echo
echo Create vnet $VNET_NAME and subnet $SUBNET_NAME
. az network vnet create --resource-group $RESOURCE_GROUP_NAME --name $VNET_NAME --address-prefix $ADDRESS_PREFIX --subnet-name $SUBNET_NAME --subnet-prefixes $SUBNET_PREFIX
echo
echo Delegate subnet to GitHub.Network/networkSettings and apply NSG rules
. az network vnet subnet update --resource-group $RESOURCE_GROUP_NAME --name $SUBNET_NAME --vnet-name $VNET_NAME --delegations GitHub.Network/networkSettings --network-security-group $NSG_NAME
echo
echo Create network settings resource $NETWORK_SETTINGS_RESOURCE_NAME
. az resource create --resource-group $RESOURCE_GROUP_NAME --name $NETWORK_SETTINGS_RESOURCE_NAME --resource-type GitHub.Network/networkSettings --properties "{ \"location\": \"$AZURE_LOCATION\", \"properties\" : { \"subnetId\": \"/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME/providers/Microsoft.Network/virtualNetworks/$VNET_NAME/subnets/$SUBNET_NAME\", \"businessId\": \"$DATABASE_ID\" }}" --is-full-object --output table --query "{GitHubId:tags.GitHubId, name:name}" --api-version 2024-04-02
echo
echo To clean up and delete resources run the following command:
echo az group delete --resource-group $RESOURCE_GROUP_NAME
```
The script will return the full payload for the created resource. The `GitHubId` hash value returned in the payload for the created resource is the network settings resource ID you will use in the next steps while configuring a network configuration in {% data variables.product.company_short %}.
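Review bot: Every `az` call in the script is prefixed with `. ` (for example `. az login --output none`), which makes bash source the `az` launcher into the current shell instead of running it as a command. That only works where the `az` found on the PATH is itself a shell script, and it runs the launcher's code inside the script's own shell. Suggest dropping the leading `. ` and quoting the expansions (`"$RESOURCE_GROUP_NAME"` and so on). Also, the closing paragraph says the script returns the full payload, but the last command passes `--query "{GitHubId:tags.GitHubId, name:name}"` with `--output table`, so only those two fields are printed. In the notes, "regions name" and "regions display name" should read "region's".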

View File

@@ -2,4 +2,4 @@ To use {% data variables.product.company_short %}-hosted runners with Azure VNET
The following procedures will lead you through both steps. The following procedures will lead you through both steps.
For more information about troubleshooting common issues with using {% data variables.product.company_short %}-hosted runners with Azure VNET, see{% ifversion ghec %} "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/troubleshooting-azure-private-network-configurations-for-github-hosted-runners-in-your-enterprise)."{% else %}"[AUTOTITLE](/organizations/managing-organization-settings/troubleshooting-azure-private-network-configurations-for-github-hosted-runners-in-your-organization)."{% endif %} For more information about troubleshooting common issues with using {% data variables.product.company_short %}-hosted runners with Azure VNET, see {% ifversion ghec %}"[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/troubleshooting-azure-private-network-configurations-for-github-hosted-runners-in-your-enterprise)."{% else %}"[AUTOTITLE](/organizations/managing-organization-settings/troubleshooting-azure-private-network-configurations-for-github-hosted-runners-in-your-organization)."{% endif %}

View File

@@ -0,0 +1,7 @@
After configuring your Azure resources, you can use an Azure Virtual Network (VNET) for private networking by creating a network configuration{% ifversion ghec%} at the enterprise or organization level{% else %} at the organization level{% endif %}. Then, you can associate that network configuration to runner groups. For more information about runner groups, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners)."
Once the network configuration is associated with a runner group, all runners in that group will have access to the Azure VNET that has been connected to the underlying configuration.
### Prerequisites
Ensure your Azure resources have been configured _before_ adding a network configuration in {% data variables.product.company_short %}. For more information, see {% ifversion ghec %}"[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners#configuring-your-azure-resources)."{% else %}For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization#configuring-your-azure-resources)."{% endif %}
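Review bot: In the Prerequisites sentence the `{% else %}` branch repeats the lead-in, so non-GHEC readers get "For more information, see For more information, see ...". Remove the second "For more information, see" inside the `{% else %}` branch. The GHEC link also ends in `configuring-private-networking-for-github-hosted-runners#configuring-your-azure-resources`, without the `-in-your-enterprise` suffix used by the other enterprise links in this commit, so confirm it resolves. In the first paragraph, `{% ifversion ghec%}` is missing the space before `%}`.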

View File

@@ -1,64 +0,0 @@
After configuring your Azure resources, you can use an Azure Virtual Network (VNET) for private networking by creating a network configuration{% ifversion ghec%} at the enterprise level{% else %} at the organization level{% endif %}. Then, you can associate that network configuration to runner groups. For more information about runner groups, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners)."
Once the network configuration is associated with a runner group, all runners in that group will have access to the Azure VNET that has been connected to the underlying configuration.
### Prerequisites
Ensure your Azure resources have been configured _before_ adding a network configuration in {% data variables.product.company_short %}. For more information, see {% ifversion ghec %}"[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners#configuring-your-azure-resources)."{% else %}For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization#configuring-your-azure-resources)."{% endif %}
### 1. Add a new network configuration for your{% ifversion ghec %} enterprise{% else %} organization{% endif %}
{% ifversion ghec %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{%- else %}
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{%- endif %}
1. In the left sidebar, click **Hosted compute networking**.
1. Click the **New network configuration** dropdown. Then click **Azure private network**.
1. Name your network configuration.
1. Click **Add Azure Virtual Network**.
1. In the popup window, enter the network settings resource ID you retrieved when you configured your Azure resources for private networking.
1. Click **Add Azure Virtual Network**.
### 2. Create a runner group for your{% ifversion ghec %} enterprise{% else %} organization{% endif %}
{% note %}
**Note:** For the runner group to be accessible by repositories within your organizations, those repositories must have access to that runner group at the organization level. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/controlling-access-to-larger-runners#changing-which-repositories-can-access-a-runner-group)."
{% endnote %}
1. Create a new runner group for your{% ifversion ghec %} enterprise. For more information about how to create a runner group, see "[AUTOTITLE](/actions/using-github-hosted-runners/controlling-access-to-larger-runners#creating-a-runner-group-for-an-enterprise)."{% else %} organization. For more information about how to create a runner group, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/controlling-access-to-larger-runners#creating-a-runner-group-for-an-organization)."{% endif %}
{%- ifversion ghec %}
{% data reusables.actions.workflows.runner-groups-enterprise-organization-access %}
{% else %}
1. To choose a policy for repository access, select the **Repository access** dropdown menu and click a policy. You can configure a runner group to be accessible to a specific list of repositories, or all repositories in the organization.
{% endif %}
1. While configuring your runner group, under "Network configurations," use the dropdown menu to select the network configuration you created for the Azure VNET.
1. To create the group and apply the policy, click **Create group**.
### 3. Add the {% data variables.product.company_short %}-hosted runner to the{% ifversion ghec %} enterprise{% else %} organization{% endif %} runner group
{% note %}
**Note:** When adding your {% data variables.product.company_short %}-hosted runner to a runner group, select the runner group you created in the previous procedures.
{% endnote %}
1. Add the {% data variables.product.company_short %}-hosted runner to the runner group. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/actions/using-github-hosted-runners/managing-larger-runners#adding-a-larger-runner-to-an-enterprise)."
### 4. Optionally, manage network configurations
{% ifversion ghec %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{%- else %}
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{%- endif %}
1. In the left sidebar, click **Hosted compute networking**.
1. To edit a network configuration, to the right of the network configuration, click {% octicon "pencil" aria-label="Edit a network configuration" %}. Then click **Edit configuration**.
1. To disable a network configuration, to the right of the network configuration, click {% octicon "kebab-horizontal" aria-label="Menu" %}. Then click **Disable**.
1. To delete a network configuration, to the right of the network configuration, click {% octicon "kebab-horizontal" aria-label="Menu" %}. Then click **Delete**.

View File

@@ -0,0 +1 @@
By default, organizations in an enterprise cannot create new network configurations and only inherit enterprise-level network configurations. Enterprise owners can set a policy that allows organizations in the enterprise to create network configurations that are independent of the enterprise. For more information, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise#enabling-creation-of-network-configurations-for-organizations)."

View File

@@ -1,3 +1,11 @@
{% ifversion ghec %}
### Enabling creation of network configurations for organizations in an enterprise
{% data reusables.actions.azure-vnet-enterprise-policy %}
{% endif %}
### Configuring Azure resources before creating a network configuration in {% data variables.product.company_short %} ### Configuring Azure resources before creating a network configuration in {% data variables.product.company_short %}
Ensure your Azure resources have been configured _before_ adding a network configuration in {% data variables.product.company_short %}. Ensure your Azure resources have been configured _before_ adding a network configuration in {% data variables.product.company_short %}.
@@ -16,7 +24,7 @@ If {% data variables.product.prodname_actions %} cannot communicate with the run
VNetInjectionFailedToConnectToInternet VNetInjectionFailedToConnectToInternet
``` ```
To fix this, ensure that you have configured your Azure resources according to the "Configuring your Azure resources" procedures.{% ifversion ghec %} For more information, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise#configuring-your-azure-resources)."{% else %} For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization#configuring-your-azure-resources)."{% endif %} To fix this, ensure that you have configured your Azure resources according to the "Configuring your Azure resources" procedures.
### Deployment scope is locked ### Deployment scope is locked

View File

@@ -8,6 +8,10 @@ For procedures to configure Azure private networking at the organization level,
{% ifversion ghec %} {% ifversion ghec %}
For procedures to configure Azure private networking at the enterprise level, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise)." {% data reusables.actions.azure-vnet-enterprise-policy %}
For procedures to configure Azuzre private networking at the enterprise level, see "[AUTOTITLE](/admin/configuration/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise)."
For procedures to configure Azure private networking at the organization level, see "[AUTOTITLE](/organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization)."
{% endif %} {% endif %}
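Review bot: Typo in the added enterprise-level line: "Azuzre" should be "Azure" (the line it replaces spelled it correctly). Also, the hunk header shows an organization-level "For procedures to configure Azure private networking at the organization level," sentence already sitting above this block, so check that the organization line added inside `{% ifversion ghec %}` does not render a second time for ghec readers.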

View File

@@ -1 +1 @@
Organizations using the {% data variables.product.prodname_team %} plan can configure Azure private networking for {% data variables.product.company_short %}-hosted runners at the organization level. {% ifversion ghec %}Organization owners for organizations in an enterprise can configure Azure private networking for {% data variables.product.company_short %}-hosted runners at the organization level.{% else %}Organization owners with the {% data variables.product.prodname_team %} plan can configure Azure private networking for {% data variables.product.company_short %}-hosted runners at the organization level.{% endif %}
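Review bot: The ghec branch of the new sentence says organization owners in an enterprise can configure private networking, with no mention of any enterprise-side precondition. This commit links elsewhere to "enabling-creation-of-network-configurations-for-organizations", which suggests the enterprise has to allow it first. If so, say that here or link to that section, so the reusable does not promise a permission the owner may not have.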

View File

@@ -12,7 +12,7 @@ You will use a script to automate configuring your Azure resources.
{% note %} {% note %}
**Note:** Alternatively, to allow {% data variables.product.prodname_actions %} to communicate with the runners, you can allow the same firewall domains that are required for communication between self-hosted runners and {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github-enterprise-cloud)." **Note:** Alternatively, to allow {% data variables.product.prodname_actions %} to communicate with the runners, you can allow the same firewall domains that are required for communication between self-hosted runners and {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github-enterprise-cloud)." To determine the appropriate subnet IP address range, we recommend adding a 30% buffer to the maximum job concurrency you anticipate. For instance, if your network configuration's runners are set to a maximum job concurrency of 300, it's recommended to utilize a subnet IP address range that can accommodate at least 390 runners. This buffer helps ensure that your network can handle unexpected increases in VM needs to meet job concurrency without running out of IP addresses.
{% endnote %} {% endnote %}
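Review bot: The subnet sizing guidance ("adding a 30% buffer to the maximum job concurrency") is appended to the end of a note that is about allowing firewall domains, which is an unrelated topic and makes the sizing advice easy to miss. Move it to its own note or paragraph, next to where the subnet prefix is chosen. The wording "VM needs to meet job concurrency" is also hard to parse; something like "unexpected increases in the number of VMs" would read more cleanly.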
@@ -227,163 +227,3 @@ You will use a script to automate configuring your Azure resources.
} }
} }
``` ```
### 1. Obtain the `databaseId` for your{% ifversion ghec %} enterprise{% else %} organization{% endif %}
You can use the following GraphQL query to retrieve your{% ifversion ghec %} enterprise{% else %} organization{% endif %} `databaseId`. You will use the{% ifversion ghec %} enterprise{% else %} organization{% endif %} `databaseId` for the value of the `DATABASE_ID` environment variable in the next step. For more information on working with GraphQL, see "[AUTOTITLE](/graphql/guides/forming-calls-with-graphql)."
{% ifversion ghec %}
{% data reusables.enterprise_migrations.retrieve-enterprise-id-graphql %}
```graphql
query(
$slug: String!
){
enterprise (slug: $slug)
{
slug
databaseId
}
}
'
Variables
{
"slug": "ENTERPRISE_SLUG"
}
```
Alternatively, you can use the following curl command to find your `databaseId`.
```shell copy
curl -H "Authorization: Bearer BEARER_TOKEN" -X POST \
-d '{ "query": "query($slug: String!) { enterprise (slug: $slug) { slug databaseId } }" ,
"variables": {
"slug": "ENTERPRISE_SLUG"
}
}' \
https://api.github.com/graphql
```
{% else %}
| Query variable | Description |
|----|----|
| `login` | The login for your organization account, which you can identify by looking at the URL for your organization, `https://github.com/organizations/ORGANIZATION_LOGIN`.
```graphql
query(
$login: String!
){
organization (login: $login)
{
login
databaseId
}
}
'
Variables
{
"login": "ORGANIZATION_LOGIN"
}
```
Alternatively, you can use the following curl command to find your `databaseId`.
```shell copy
curl -H "Authorization: Bearer BEARER_TOKEN" -X POST \
-d '{ "query": "query($login: String!) { organization (login: $login) { login databaseId } }" ,
"variables": {
"login": "ORGANIZATION_LOGIN"
}
}' \
https://api.github.com/graphql
```
{% endif %}
### 2. Use a script to configure your Azure resources
Use the following script to set up a subnet for Azure private networking. The script creates all resources in the same resource group.
To use the script, fill in the placeholder environment variable values with the actual values and run the script from a bash shell or Windows Subsystem for Linux.
{% note %}
**Notes**:
- Run the following script in the same directory where you saved the `actions-nsg-deployment.bicep` file.
- When setting the `YOUR_AZURE_LOCATION` environment variable, use your regions name. This value is different than your regions display name. To see a list of names and display names, use `az account list-locations -o table`.
- When you create the network settings resource, a service association link is applied to the subnet that you provide. This link prevents accidental deletion of the subnet while in use by the {% data variables.product.prodname_actions %} service.
- If you customize this script to use network resources in existing subnets, you must ensure any existing network interfaces (NICs) connected to the subnet are deleted before the subnet is delegated to the {% data variables.product.prodname_actions %} service. Otherwise, the service will fail to apply the service association link to the subnet.
{% endnote %}
```bash copy
#!/bin/bash
# This script creates the following resources in the specified subscription:
# - Resource group
# - Network Security Group rules
# - Virtual network (vnet) and subnet
# - Network Settings with specified subnet and GitHub {% ifversion ghec %}Enterprise{% else %}Organization {% endif %}database ID
#
# It also registers the `GitHub.Network` resource provider with the subscription,
# delegates the created subnet to the Actions service via the `GitHub.Network/NetworkSettings`
# resource type, and applies the NSG rules to the created subnet.
# stop on failure
set -e
#set environment
export AZURE_LOCATION=YOUR_AZURE_LOCATION
export SUBSCRIPTION_ID=YOUR_SUBSCRIPTION_ID
export RESOURCE_GROUP_NAME=YOUR_RESOURCE_GROUP_NAME
export VNET_NAME=YOUR_VNET_NAME
export SUBNET_NAME=YOUR_SUBNET_NAME
export NSG_NAME=YOUR_NSG_NAME
export NETWORK_SETTINGS_RESOURCE_NAME=YOUR_NETWORK_SETTINGS_RESOURCE_NAME
export DATABASE_ID=YOUR_DATABASE_ID
# These are the default values. You can adjust your address and subnet prefixes.
export ADDRESS_PREFIX=10.0.0.0/16
export SUBNET_PREFIX=10.0.0.0/24
echo
echo login to Azure
. az login --output none
echo
echo set account context $SUBSCRIPTION_ID
. az account set --subscription $SUBSCRIPTION_ID
echo
echo Register resource provider GitHub.Network
. az provider register --namespace GitHub.Network
echo
echo Create resource group $RESOURCE_GROUP_NAME at $AZURE_LOCATION
. az group create --name $RESOURCE_GROUP_NAME --location $AZURE_LOCATION
echo
echo Create NSG rules deployed with 'actions-nsg-deployment.bicep' file
. az deployment group create --resource-group $RESOURCE_GROUP_NAME --template-file ./actions-nsg-deployment.bicep --parameters location=$AZURE_LOCATION nsgName=$NSG_NAME
echo
echo Create vnet $VNET_NAME and subnet $SUBNET_NAME
. az network vnet create --resource-group $RESOURCE_GROUP_NAME --name $VNET_NAME --address-prefix $ADDRESS_PREFIX --subnet-name $SUBNET_NAME --subnet-prefixes $SUBNET_PREFIX
echo
echo Delegate subnet to GitHub.Network/networkSettings and apply NSG rules
. az network vnet subnet update --resource-group $RESOURCE_GROUP_NAME --name $SUBNET_NAME --vnet-name $VNET_NAME --delegations GitHub.Network/networkSettings --network-security-group $NSG_NAME
echo
echo Create network settings resource $NETWORK_SETTINGS_RESOURCE_NAME
. az resource create --resource-group $RESOURCE_GROUP_NAME --name $NETWORK_SETTINGS_RESOURCE_NAME --resource-type GitHub.Network/networkSettings --properties "{ \"location\": \"$AZURE_LOCATION\", \"properties\" : { \"subnetId\": \"/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME/providers/Microsoft.Network/virtualNetworks/$VNET_NAME/subnets/$SUBNET_NAME\", \"businessId\": \"$DATABASE_ID\" }}" --is-full-object --output table --query "{GitHubId:tags.GitHubId, name:name}" --api-version 2024-04-02
echo
echo To clean up and delete resources run the following command:
echo az group delete --resource-group $RESOURCE_GROUP_NAME
```
The script will return the full payload for the created resource. The `GitHubId` hash value returned in the payload for the created resource is the network settings resource ID you will use in the next steps while configuring a network configuration in {% data variables.product.company_short %}.
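Review bot: The script removed here defaults to `SUBNET_PREFIX=10.0.0.0/24`, which cannot hold the 390 runners used as the sizing example in the note this commit adds to the same file: a /24 has 256 addresses and Azure reserves five per subnet. If the script is being relocated rather than dropped, point the "These are the default values" comment at the sizing guidance in its new home. While moving it, the two `graphql` fences also carry a stray `'` line and a bare `Variables` label inside the fence, and the `login` table row is missing its closing `|`.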

View File

@@ -1,6 +1,6 @@
{% warning %} {% warning %}
**Warning**: If you use an IP allow list and would also like to use {% data variables.product.prodname_actions %}, you must use self-hosted runners{% ifversion actions-hosted-runners %} or {% data variables.product.prodname_dotcom %}-hosted larger runners with static IP address ranges{% endif %}. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)" {% ifversion actions-hosted-runners %} or "[AUTOTITLE](/actions/using-github-hosted-runners/using-larger-runners)"{% endif %}. **Warning**: If you use an IP allow list and would also like to use {% data variables.product.prodname_actions %}, you must use self-hosted runners{% ifversion actions-hosted-runners %} or {% data variables.product.prodname_dotcom %}-hosted larger runners with static IP address ranges{% endif %}. When using [Azure private networking](/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise), IPs from your Azure subnet must be used. To reduce the number of required IPs, we recommend creating a load balancer to provide a single IP range for the GitHub allow list. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)" {% ifversion actions-hosted-runners %} or "[AUTOTITLE](/actions/using-github-hosted-runners/using-larger-runners)"{% endif %}.
{% endwarning %} {% endwarning %}
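Review bot: "IPs from your Azure subnet must be used" in the added warning text does not say which addresses belong in the allow list: the subnet's own address range, or the public addresses its traffic leaves from. The load balancer recommendation that follows implies the latter. State it explicitly, since an allow list entry that never matches the source address will silently block runners. The new link is also written as inline text pointing at an `/admin/...` enterprise path outside any `{% ifversion ghec %}` guard, unlike the other enterprise links in this commit, which use "[AUTOTITLE]" inside a version check.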

View File

@@ -1,3 +1,4 @@
- All actions provided by {% data variables.product.prodname_dotcom %} are compatible with arm64 {% data variables.product.prodname_dotcom %}-hosted runners. However, community actions may not be compatible with arm64 and need to be manually installed at runtime. - All actions provided by {% data variables.product.prodname_dotcom %} are compatible with arm64 {% data variables.product.prodname_dotcom %}-hosted runners. However, community actions may not be compatible with arm64 and need to be manually installed at runtime.
- Nested-virtualization is not supported by arm64 runners, due to a limitation of Apple's Virtualization Framework that our hypervisor uses. - Nested-virtualization and Metal Performance Shaders (MPS) are not supported due to the limitation of Apple's Virtualization Framework.
- Networking capabilities such as Azure private networking and assigning static IPs are not currently available for macOS larger runners.
- The arm64 macOS runners do not have a static UUID/UDID assigned to them because Apple does not support this feature. However, Intel MacOS runners are assigned a static UDID, specifically `4203018E-580F-C1B5-9525-B745CECA79EB`. If you are building and signing on the same host you plan to test the build on, you can sign with a [development provisioning profile](https://developer.apple.com/help/account/manage-profiles/create-a-development-provisioning-profile/). If you do require a static UDID, you can use Intel runners and add their UDID to your Apple Developer account. - The arm64 macOS runners do not have a static UUID/UDID assigned to them because Apple does not support this feature. However, Intel MacOS runners are assigned a static UDID, specifically `4203018E-580F-C1B5-9525-B745CECA79EB`. If you are building and signing on the same host you plan to test the build on, you can sign with a [development provisioning profile](https://developer.apple.com/help/account/manage-profiles/create-a-development-provisioning-profile/). If you do require a static UDID, you can use Intel runners and add their UDID to your Apple Developer account.
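Review bot: The rewritten nested-virtualization bullet drops "by arm64 runners", so the limitation now reads as applying to every macOS runner, while the bullets before and after it are explicitly scoped to arm64. If the restriction on nested virtualization and Metal Performance Shaders is still arm64-only, restore the scope. If it now covers Intel runners too, say so. "Due to the limitation" should be "due to a limitation", as the old line had it.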