Admins can gate MicroVM regions with feature flags

nicktrn

·Apr 13, 2026·#3366feat(webapp): gate microvm regions behind compute access feature flag

Organization administrators can selectively grant access to MicroVM compute regions using a dedicated feature flag, keeping premium workloads restricted by default.

The system gates MicroVM compute regions behind a dedicated feature flag. Administrators can explicitly grant organizations access to these workloads while keeping them hidden from standard users.

This prevents unauthorized usage of premium compute resources. Teams without access only see standard worker queues. Organizations with the flag enabled experience no changes to their existing workflows. The checks execute at the service layer in the webapp app, filtering UI region lists and blocking direct API attempts to trigger runs in restricted regions.

View Original GitHub Description

Adds region-level gating so MICROVM regions are only visible and usable by orgs with the hasComputeAccess feature flag. Admins and explicit allowlist behavior unchanged.

New shared helper (regionAccess.server.ts) with resolveComputeAccess, defaultVisibilityFilter, and isComputeRegionAccessible
RegionsPresenter filters out MICROVM regions for non-compute orgs
SetDefaultRegionService blocks setting a MICROVM region as default without compute access
WorkerGroupService blocks triggering runs in MICROVM regions without compute access
computeTemplateCreation refactored to use shared resolveComputeAccess
Updated snapshot callback schema