Configure network isolation and access policies for your VMs
Each vmsan microVM gets its own TAP network device with a /30 subnet (172.16.{slot}.0/30). You can control outbound network access with policies.
Set a network policy at creation
Use the --network-policy flag when creating a VM:
```shell
# Allow all outbound traffic (default)
vmsan create --network-policy allow-all

# Block all outbound traffic
vmsan create --network-policy deny-all

# Custom policy with allowed domains
vmsan create --network-policy custom --allowed-domain "*.github.com,npmjs.org"
```
Available policies
| Policy | Description |
|---|---|
| allow-all | Unrestricted outbound access (default) |
| deny-all | No outbound access |
| custom | Granular control with domain and CIDR allowlists |
The policy is automatically promoted to custom when you specify --allowed-domain, --allowed-cidr, or --denied-cidr.
Allow specific domains
Restrict outbound traffic to specific domains:
```shell
vmsan create --allowed-domain "api.example.com,*.github.com"
```
Wildcard * matches subdomains. DNS resolution is handled by a host-side resolver to prevent DNS bypass.
Allow or deny CIDR ranges
Control access by IP address ranges:
```shell
# Allow specific ranges
vmsan create --allowed-cidr "10.0.0.0/8,192.168.1.0/24"

# Deny specific ranges (takes precedence over all allows)
vmsan create --denied-cidr "10.0.0.0/8"
```
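To make the domain and CIDR rules above concrete, here is an added evaluator (not vmsan's own code) that models the documented semantics: comma-separated flag values, automatic promotion to custom, wildcard subdomain matching, and denied CIDRs taking precedence over every allow. The evaluation order in is_allowed and the reading that "*.github.com" matches only subdomains (not the apex) are assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NetworkPolicy:
    """Hypothetical model of the vmsan network flags (assumed, not the project's code)."""
    mode: str = "allow-all"
    allowed_domains: list = field(default_factory=list)
    allowed_cidrs: list = field(default_factory=list)
    denied_cidrs: list = field(default_factory=list)


def _split(csv):
    return [s.strip() for s in csv.split(",") if s.strip()]


def build_policy(mode="allow-all", allowed_domain="", allowed_cidr="", denied_cidr=""):
    """Parse comma-separated flag values; any allow/deny list promotes the mode to custom."""
    policy = NetworkPolicy(
        mode=mode,
        allowed_domains=_split(allowed_domain),
        allowed_cidrs=[ipaddress.ip_network(c) for c in _split(allowed_cidr)],
        denied_cidrs=[ipaddress.ip_network(c) for c in _split(denied_cidr)],
    )
    if policy.allowed_domains or policy.allowed_cidrs or policy.denied_cidrs:
        policy.mode = "custom"
    return policy


def domain_matches(pattern, host):
    """'*.github.com' matches any subdomain of github.com (assumed: not the apex itself)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # suffix '.github.com' keeps 'evil-github.com' out
    return host == pattern


def is_allowed(policy, ip, host=None):
    """Decide one outbound connection; host is the name the guest resolved, if any."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in policy.denied_cidrs):
        return False  # a denied CIDR wins over every allow
    if policy.mode == "allow-all":
        return True
    if policy.mode == "deny-all":
        return False
    if host and any(domain_matches(d, host) for d in policy.allowed_domains):
        return True
    return any(addr in net for net in policy.allowed_cidrs)
```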
Forward ports to a VM
Expose VM ports to the host:
```shell
vmsan create --publish-port 8080,3000
```
This sets up DNAT rules to forward traffic from the host ports to the VM.
Limit bandwidth
Cap the outbound bandwidth per VM:
```shell
vmsan create --bandwidth 50mbit
```
Update a policy on a running VM
Change the network policy without restarting:
```shell
vmsan network <vm-id> --network-policy deny-all
vmsan network <vm-id> --network-policy custom --allowed-domain "api.example.com"
```
Disable network namespace isolation
By default, each VM runs in its own network namespace. Disable this with:
```shell
vmsan create --no-netns
```
Disabling network namespace isolation reduces security. VMs will share the host network namespace for iptables rules.