Description
Describe the bug
Problem Summary
The Copilot CLI seems to use API endpoints that things like the VSCode extension don't, resulting in our corporate network firewall blocking the Copilot CLI requests.
Specifically, we have users licensed via the business tier and enterprise tier. Per GitHub's docs, we would expect traffic to go through *.business.githubcopilot.com. When users are working in IDEs, this works as expected, and they can get chat completions without issue.
However, when using Copilot CLI, we end up seeing most traffic end up going through the non-subscription-based network paths, namely api.githubcopilot.com. For instance, when asking questions we see traffic to https://api.githubcopilot.com/chat/completions. This becomes problematic as we have specific firewall rules to block non-business Copilot usage (e.g. individual subscriptions), and it seems to be picking up this traffic, resulting in the Copilot CLI being non-functional for folks.
My Ask
Can you clarify if the network firewalling should be the same between completions in the IDE vs the CLI?
- If so, I believe the Copilot CLI is not using the correct subscription-based network routing (requiring a change on the CLI side), or IDEs hide traffic better than the CLI (so we would need to make firewall changes internally).
- If not, could the docs around firewalling and subscription-based networking be clarified?
Affected version
0.0.327 Commit: 0cbec74
Steps to reproduce the behavior
- Set up Wireshark, and use a filter such as `_ws.col.info matches "(?i)api.githubcopilot"`. Start a packet capture.

For Copilot CLI:
- Type `copilot`
- Run `/login`
- Ask a question. E.g. `testing 123`
- Review the Wireshark output

For Copilot Chat in VSCode:
- Open VSCode
- Let the Copilot Chat pane load including models populating
- Ask a question in the chat pane, e.g. `testing 123`
- Review the Wireshark output
Expected behavior
Copilot CLI should use the same subscription-based endpoints as Copilot in IDEs, or documentation should be updated to clarify differences.
Additional context
Filtered packet capture when asking a question via Copilot CLI - seems to mix traffic between api.githubcopilot.com and api.enterprise.githubcopilot.com:
Filtered packet capture when asking a question via Copilot Chat in VSCode - seems to just use the subscription endpoint:
If needed I can capture Copilot CLI logs using debug logging if it would help.
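
To triage a capture like the ones described in this report, the following added example (not part of the original issue and not GitHub's code) classifies observed TLS server names as subscription-based or generic Copilot endpoints and lists the clients a subscription-only firewall rule would break. The suffix list, the client labels and the sample records are assumptions constructed from the hostnames mentioned in the report.

```python
from collections import Counter

# Assumption: the firewall permits only these subscription-based suffixes,
# taken from the hostnames named in the report.
ALLOWED_SUFFIXES = (".business.githubcopilot.com", ".enterprise.githubcopilot.com")
COPILOT_DOMAIN = "githubcopilot.com"

# Constructed sample: (client label, TLS SNI hostname) pairs, shaped like an
# export of the filtered capture. Not real capture data.
SAMPLE = [
    ("copilot-cli", "api.enterprise.githubcopilot.com"),
    ("copilot-cli", "api.githubcopilot.com"),
    ("copilot-cli", "api.githubcopilot.com"),
    ("vscode", "api.business.githubcopilot.com"),
    ("vscode", "api.business.githubcopilot.com"),
]


def classify(host):
    """Return 'subscription', 'generic' or 'other' for one hostname."""
    host = host.strip().rstrip(".").lower()
    # Match on a label boundary so look-alike names such as
    # api.githubcopilot.com.example.net are not counted as Copilot traffic.
    if host != COPILOT_DOMAIN and not host.endswith("." + COPILOT_DOMAIN):
        return "other"
    if any(host.endswith(suffix) for suffix in ALLOWED_SUFFIXES):
        return "subscription"
    return "generic"


def summarize(records):
    """Count endpoint classes per client."""
    summary = {}
    for client, host in records:
        summary.setdefault(client, Counter())[classify(host)] += 1
    return summary


def blocked_clients(records):
    """Clients with at least one request to a generic (blocked) endpoint."""
    return sorted(c for c, n in summarize(records).items() if n["generic"])


if __name__ == "__main__":
    for client, counts in summarize(SAMPLE).items():
        print(client, dict(counts))
    print("affected by subscription-only rule:", blocked_clients(SAMPLE))
```
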