Russia's Runet Is Now Real: How Moscow's Sovereign Internet Affects Global Routing, CDNs, and Developers

The splinternet is no longer a prediction. In Russia, it is operational infrastructure.

Russia's Sovereign Internet Law (Federal Law No. 90-FZ, signed by President Putin in May 2019) gave the government authority to route all Russian internet traffic through state-controlled exchange points, install deep packet inspection (DPI) hardware at all ISPs, and disconnect Russia from the global internet entirely if authorities determine it is necessary for "national security."

Seven years later, that infrastructure is built, tested, and increasingly active. The Runet — Russia's domestic internet — is not yet fully isolated from the global internet, but the controls in place mean isolation can happen at any moment, and partial isolation is already a daily reality for millions of Russian users trying to access services that are not approved by Roskomnadzor (Russia's Federal Service for Supervision of Communications).

For developers, this creates a growing operational problem: if your application has Russian users, or if any of your infrastructure touches Russian networks, the rules of engagement have changed permanently.

The Technical Architecture of Runet

The Sovereign Internet Law mandated the installation of "technical means for countering threats" (TSPU — технические средства противодействия угрозам) at all Russian ISPs. These are deep packet inspection devices manufactured by Echelon (a Russian company), installed between ISPs and their upstream international peers.

The TSPU boxes give Roskomnadzor centralised traffic control:

• URL and domain filtering: Block specific pages or entire domains without involving ISPs
• Traffic throttling: Slow specific protocols or services without full blocking (used against Twitter/X in 2021)
• BGP manipulation: Override ISP routing decisions to route traffic through state-controlled IXPs
• Deep packet inspection: Inspect traffic at layers 4-7, including identifying encrypted traffic by fingerprinting

The centralised control point (TSPU) means that blocking decisions flow from a single authority — Roskomnadzor — rather than requiring coordination across all Russian ISPs. A domain can go from accessible to blocked across all of Russia within minutes.

Domestic exchange points: All Russian internet traffic must now route through Roskomnadzor-approved Internet Exchange Points (IXPs). The Russian Internet Exchange (MSK-IX, SPB-IX, and others) are technically capable of routing all domestic traffic without touching international networks. In a disconnection scenario, flipping Russian BGP routing to these domestic IXPs severs the international connections.

What Is Already Blocked or Throttled in 2026

Russia maintains an active blocklist (Единый реестр запрещённых сайтов — the Unified Register of Prohibited Sites) that has expanded dramatically since 2022:

Fully blocked: Facebook (Meta), Instagram (Meta), LinkedIn, many opposition news sites, Bellingcat, Meduza, BBC Russia, Deutsche Welle Russian, some Wikipedia pages, and thousands of specific URLs.

Throttled/degraded: Twitter/X has been subject to speed throttling campaigns. Cloudflare services have experienced intermittent throttling. Some Google services have experienced degraded performance during enforcement campaigns.

VPN crackdown: Russia has blocked more than 200 VPN services since 2022. Roskomnadzor maintains a list of non-compliant VPN providers and uses DPI to fingerprint and block VPN traffic. Many of the most popular commercial VPNs — ExpressVPN, NordVPN, IPVanish — are blocked or significantly degraded inside Russia.

Developer tools — intermittent disruption:

• GitHub: Blocked temporarily in 2021, unblocked after GitHub agreed to remove specific repositories. The blocking precedent exists and GitHub has been intermittently slow inside Russia since.
• Docker Hub: Access has been degraded since 2022. Russian developers increasingly use mirrors.
• npm registry: Some packages from sanctioned organisations are inaccessible via npm in Russia.
• PyPI: Generally accessible but subject to future restriction under the same framework.

BGP and the Global Routing Impact

When Russia throttled Twitter in 2021 using DPI on TSPU boxes, a misconfiguration caused routing tables at Russian ISPs to advertise incorrect routes globally. Cloudflare engineers observed Russian routes briefly appearing in BGP tables with incorrect path attributes. The incident was contained but demonstrated that Russia's DPI infrastructure, when misconfigured, can inject bad routing into the global BGP ecosystem.

As Russia's Runet infrastructure becomes more actively used, the risk of BGP anomalies propagating outside Russia increases. Network engineers monitoring BGP health (via services like BGPmon, RIPE NCC RIS, and Cloudflare Radar) should watch for anomalous Russian origin AS advertisements.

CDN and Latency Impact

Major CDN operators have had to make difficult decisions about their Russia presence:

Cloudflare maintains presence in Russia through peering at MSK-IX and SPB-IX but has reduced its Russia operations following 2022 sanctions. Cloudflare content delivery inside Russia is degraded compared to pre-2022 performance. Russian users accessing Cloudflare-fronted sites experience higher latency (typically 80-150ms added) than the CDN was designed to deliver.

Akamai withdrew from Russian IXPs in March 2022, causing significant performance degradation for Russian users of Akamai-CDN'd content.

Fastly similarly reduced Russia operations. Content that relied on Fastly's Russian PoPs now routes through European or other CDN edges.

The net effect: Russian users experience systematically higher latency and lower reliability for international web services. This is intentional — the infrastructure is designed to make domestic Russian internet services perform better than international alternatives, nudging users toward Runet-hosted services.

What Developers Need to Know and Do

If you have Russian users:

1. Do not rely on Cloudflare or other Western CDNs for Russian delivery. Performance from Russia to European CDN edges has degraded significantly. If Russia is a meaningful market, consider whether a Russia-local CDN or edge node is justified.

1. Implement graceful degradation for blocked features. If your application uses any service that is blocked in Russia (Google Analytics, Facebook Login, Instagram embeds), those dependencies will fail silently for Russian users. Design for failure.

1. Assume npm, PyPI, and GitHub may be intermittently slow. Russian developers building with your project may face dependency resolution delays. Consider whether your documentation addresses alternative mirror usage.

1. Sanctions compliance before Russia feature development. Before building Russia-specific features, verify your company's OFAC and EU sanctions compliance posture. Some software categories cannot legally be sold or provided to Russian users.

If your infrastructure touches Russian networks:

1. Audit BGP peering with Russian ASes. If you peer with Russian ISPs or IXPs, review whether that peering is still compliant with your organisation's sanctions posture and whether any BGP route leaks from those peers could affect your routing tables.

1. Monitor for traffic originating from Russian IPs hitting unusual endpoints. The TSPU DPI infrastructure has been observed injecting traffic or probing connections in some analyses. Anomalous requests from Russian IP ranges deserve scrutiny.

1. Do not store sensitive customer data in Russian-jurisdiction infrastructure. Russia's data localisation law (Federal Law No. 242-FZ) requires personal data of Russian citizens to be stored on servers physically located in Russia. Compliance with this law is incompatible with many Western data protection and sovereignty requirements.

The Splinternet Is Not Coming — It Is Here

Iran has a National Information Network (SHOMA) with similar architecture to Runet. China has its Great Firewall. Now Russia has operational sovereign internet infrastructure.

The global internet is fragmenting into jurisdictional zones. For developers building global applications, this means:

• Assume geographically variable access to your services
• Design authentication and onboarding flows that work without third-party services blocked in major markets
• Treat country-level connectivity as a first-class infrastructure concern, not an edge case

Russia's Runet is the most transparent example of what sovereign internet looks like in practice. It will not be the last.