Skip to main content
Runners are the infrastructure layer that provisions and manages your environments and agents. Every environment you launch and every agent task you run executes on a runner.

What a runner handles

A runner handles everything that touches your code:
  • Environment provisioning: creates isolated VMs from your Dev Container configuration
  • Source code access: clones repositories using credentials stored on the runner, not the management plane
  • Secret injection: delivers secrets into environments at startup
  • Agent execution: runs Ona Agent tasks inside the same isolated environments developers use
  • Build and test execution: runs prebuilds, tasks, and services defined in your project

How runners fit into the architecture

Ona uses a two-plane architecture:
Management PlaneRunners
Hosted byOnaOna Cloud or your VPC
HandlesAuthentication, org settings, guardrails, coordinationEnvironment provisioning, code access, secret injection, agent execution
Touches your codeNoYes
The management plane coordinates. Runners execute. This separation exists for three reasons:
  1. Data sovereignty. Source code and SCM credentials stay on runners, not the management plane. With a runner in your VPC, sensitive assets never leave your infrastructure.
  2. Compliance. Guardrails are defined on the management plane and enforced at the runner level. Audit logs track every action.
  3. Multi-region, multi-cloud. Deploy runners in different regions and cloud providers. Each runner supports multiple environment classes with different compute specs.
For a deeper look at data flow between planes, see the Architecture overview.

Deployment options

Ona Cloud

Zero-setup managed infrastructure. A runner in your nearest region is automatically provisioned when you create your account.
  • No infrastructure to manage
  • Available in EU (Frankfurt) and US (N. Virginia)
  • Included with Free and Core plans
Best for individuals, small teams, and organizations that want to start immediately. Get started with Ona Cloud →

AWS

Requires Enterprise plan. Contact sales for access.
Deploy runners as ECS services in your own AWS VPC. Environments run as EC2 instances. Deployment is automated via CloudFormation templates.
  • Private networking with AWS PrivateLink
  • Custom domains with your own SSL/TLS certificates
  • Fine-grained IAM permission boundaries
  • HTTP proxy and custom CA support
Setup takes 30–60 minutes. See AWS Runner overview and Setup guide.

GCP

Requires Enterprise plan. Contact sales for access.
Deploy runners in your Google Cloud VPC. Environments run as Compute Engine instances. Deployment is automated via Terraform modules.
  • External or internal load balancer configurations
  • Private Google Artifact Registry access
  • Vertex AI private connectivity
  • Full control over networking and security
Setup takes 30–60 minutes. See GCP Runner overview and Setup guide.

Choosing a deployment option

Ona CloudAWS / GCP (your VPC)
Setup timeInstant30–60 minutes
InfrastructureManaged by OnaManaged by you
Data residencyOna’s infrastructureYour VPC
Network controlStandardFull (PrivateLink, internal LB, VPN)
ComplianceSOC 2Your controls + Ona guardrails
Best forGetting started, small teamsEnterprise, regulated industries
Organizations can run multiple runners across regions and cloud providers to support distributed teams and compliance requirements.

Capabilities across all deployment options

All runners support these features regardless of where they run:
  • Prebuilds for fast environment startup
  • Ona Agent for AI-powered development
  • Environment classes with configurable compute (CPU, memory, storage)
  • Dev Container caching for faster rebuilds
  • Custom metrics pipeline for operational visibility
  • Runner sharing across organizations

Next steps