I-NTER.NET is a managed cloud platform organized into three layers: Infrastructure (compute and storage primitives), Platform (observability, messaging, and access control), and Edge (TLS, DNS, and network policy). All services share a single private project network and a unified API.
Prerequisites
- An I-NTER.NET account — create one at /console
- The INET CLI installed (curl -sSL https://i-nter.net/install.sh | sh)
- An API key generated from Console → IAM → Keys
Authenticate the CLI
Create a project
All resources belong to a project. Projects provide network isolation, shared IAM, and unified billing.
What to read next
Projects
A project is the top-level organizational unit. All resources — Machines, Buckets, Functions, secrets, firewall rules — belong to a project. Resources within a project share a private VLAN and can communicate without leaving the INET network. Billing, IAM, and logs are all scoped per project.
Regions
Resources are provisioned in a specific region. Intra-project traffic within a region is free; cross-region traffic is metered. Private DNS and VLAN isolation are per-region.
API
All platform operations are available via the INET REST API at https://api.i-nter.net/v1. Every request must include an Authorization: Bearer <key> header. The CLI is a thin wrapper around this API.
Events as the integration layer
Platform primitives emit events automatically — a Machine stopping, a Bucket object created, a Function invocation failing. These events flow into the Events service where you can subscribe Functions, webhooks, or other consumers. This means you rarely need custom polling or glue code to wire services together.
The inet CLI provides subcommands for every service. Run inet <service> --help for full flag documentation.
| Command | Description |
|---|---|
| inet auth | Authenticate, switch keys, and manage sessions |
| inet projects | Create, list, and switch projects |
| inet fn | Deploy, invoke, and manage Functions |
| inet buckets | Create buckets, upload/download objects |
| inet machines | Provision, SSH into, snapshot, and destroy Machines |
| inet events | Manage topics, subscriptions, and inspect delivery history |
| inet logs | Query and stream logs from any resource |
| inet metrics | Query time-series metrics |
| inet iam | Manage roles, service accounts, and API keys |
| inet secrets | Store, retrieve, rotate, and inject secrets |
| inet tls | View and manage certificates |
| inet dns | Manage zones and records |
| inet firewall | Manage rules and profiles |
Functions run event-driven handlers without managing servers. INET provisions runtime capacity on demand, routes triggers to your handler, and bills only for active execution time. Instances scale to zero when idle.
Handler signature
Each runtime expects a specific handler shape. Examples:
Triggers
| Trigger | Config | Notes |
|---|---|---|
| http | path, method, auth | Endpoint served over TLS; supports public and project-private access |
| schedule | cron expression | Minimum interval: 1 minute |
| bucket | bucket name, event type | Fires on create, update, delete |
| machine | machine id or tag | Fires on start, stop, health_change |
| event | topic, filter expression | Subscribe to any Events topic |
Runtimes
| Runtime | Identifier | Max memory | Max timeout |
|---|---|---|---|
| Go 1.22+ | go122 | 4 GB | 15 min |
| Node.js 22 | node22 | 4 GB | 15 min |
| Python 3.12 | python312 | 4 GB | 15 min |
| Rust (stable) | rust-stable | 4 GB | 15 min |
| Custom image | container:<image> | Configurable | 60 min |
Deploy
Environment variables and secrets
Pass environment variables at deploy time with --env KEY=value. Inject secrets by name with --secret MY_SECRET — the value is mounted as an environment variable at runtime and never stored in your function config.
Limits
| Property | Limit |
|---|---|
| Deployment package size | 250 MB (zip), unlimited (container) |
| Concurrent executions per project | 1,000 (soft limit, raiseable) |
| Max execution timeout | 15 min (managed), 60 min (container) |
| Ephemeral disk (/tmp) | 512 MB |
Buckets provide S3-compatible object storage. Any tool or SDK that speaks S3 works against INET Buckets without modification — point it at the INET endpoint and swap your credentials.
Create a bucket
Upload and download objects
Storage classes
| Class | Retrieval | Use case |
|---|---|---|
| standard | Immediate | Application assets, user uploads, live datasets |
| archive | Minutes to hours | Backups, logs, compliance archives |
Transition objects between classes automatically with lifecycle rules:
Access control
Buckets default to private. Access is controlled at three levels:
- Bucket policy — public or private at the bucket level
- IAM keys — scoped per project or per bucket; managed under IAM
- Presigned URLs — time-limited access without exposing credentials
S3 compatibility
Use any S3-compatible client. Set the endpoint to your region's object storage URL:
Versioning
Enable versioning to retain all previous versions of every object. Deletes and overwrites become non-destructive — prior versions are always recoverable.
Machines are on-demand virtual or bare metal instances. They are attached to your project's private VLAN at provision time and billed per second of active runtime. Stopped instances are not billed.
Instance types
| Type | vCPU | Memory | Notes |
|---|---|---|---|
| standard-1 | 1 shared | 1 GB | Dev, low-traffic workloads |
| standard-2 | 2 shared | 4 GB | General purpose |
| standard-4 | 4 dedicated | 8 GB | Production web and API |
| standard-8 | 8 dedicated | 16 GB | High-throughput workers |
| metal-1 | Full host | Varies | No hypervisor; latency-sensitive workloads |
| gaming-* | High clock | Varies | Pre-configured for game server hosting |
Provision a machine
SSH access
Snapshots
Capture the full disk state at any point. Snapshots are stored in the INET object layer and can be used to restore or clone a Machine.
Resize
Virtual instances can move between types without reprovisioning. The Machine is briefly stopped, resized, and restarted. Bare metal instances cannot be resized — provision a new host and migrate.
Networking
Every Machine gets a stable private IP on your project VLAN. Public IPs are optional and can be attached or detached at any time. Firewall rules are configured separately under Firewall.
Events provides pub/sub messaging between services. Publishers push events to a topic; subscribers receive them with at-least-once delivery. INET handles retries, dead-letter queuing, and fan-out — no broker to manage.
Topics and subscriptions
Publish an event
Platform events
Platform primitives emit events automatically to a reserved inet.* topic namespace. You cannot publish to these topics, but you can subscribe to them:
| Topic | Emitted when |
|---|---|
| inet.machines.started | A Machine transitions to running |
| inet.machines.stopped | A Machine is stopped or crashes |
| inet.buckets.object.created | An object is uploaded to any Bucket |
| inet.buckets.object.deleted | An object is deleted from a Bucket |
| inet.functions.error | A Function invocation returns an error |
| inet.iam.key.issued | A new API key is created |
| inet.iam.policy.changed | An IAM policy is modified |
Delivery guarantees and dead letters
Events are delivered at least once. Subscribers should be idempotent. Events that exhaust their retry budget (default: 5 attempts with exponential backoff) are written to the subscription's dead-letter topic for inspection and replay.
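An idempotent subscriber for the at-least-once delivery described above, as an added example that is not INET's own code. The event envelope (`id`, `topic`, `data`), the payload fields, and the handler shape are assumptions; the sample event is constructed.

```python
# Idempotent subscriber sketch for at-least-once delivery.
# Envelope fields ("id", "topic", "data") are assumed, not INET's documented format.
import sqlite3

def open_store(path=":memory:"):
    """Create the dedupe table and an example side-effect table."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS seen (event_id TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE IF NOT EXISTS key_audit (key_id TEXT, issued_to TEXT)")
    return db

def handle(db, event):
    """Apply an event once. Returns True if applied, False if it was a redelivery.

    The dedupe marker and the side effect commit in one transaction, so a
    failure part-way through leaves no marker and the retry is processed.
    """
    try:
        with db:  # commits on success, rolls back on any exception
            db.execute("INSERT INTO seen VALUES (?)", (event["id"],))
            data = event["data"]
            db.execute("INSERT INTO key_audit VALUES (?, ?)",
                       (data["key_id"], data["issued_to"]))
        return True
    except sqlite3.IntegrityError:
        return False  # primary-key clash: this event id was already applied

def audit_rows(db):
    return db.execute("SELECT COUNT(*) FROM key_audit").fetchone()[0]

def is_marked(db, event_id):
    row = db.execute("SELECT 1 FROM seen WHERE event_id = ?", (event_id,)).fetchone()
    return row is not None

# Constructed sample event on the inet.iam.key.issued topic.
SAMPLE = {"id": "evt-0001", "topic": "inet.iam.key.issued",
          "data": {"key_id": "key-example", "issued_to": "ci-deployer"}}

if __name__ == "__main__":
    db = open_store()
    print(handle(db, SAMPLE), handle(db, SAMPLE), audit_rows(db))
```

A handler that raises instead of returning leaves the event unmarked, so it stays eligible for retry and eventually for the dead-letter topic.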
Logs collects stdout, stderr, and structured log output from every resource in your project. No agent configuration required for Functions; install the INET log agent on Machines for system and application log forwarding.
Query logs
Log levels
Structured logs should include a level field. Supported values: debug, info, warn, error. Unstructured output is indexed as plaintext at level info.
Retention
| Setting | Default | Range |
|---|---|---|
| Log retention | 30 days | 7 days – 2 years |
| Index resolution | Full text | — |
| Export | On demand | To any Bucket |
Log-based alerts
Trigger a Function or publish an Event when a log pattern matches. Alerts evaluate on a rolling window.
Metrics collects time-series data from all platform resources automatically. Query built-in metrics or push custom counters, gauges, and histograms from your application.
Built-in metrics
| Metric | Type | Source |
|---|---|---|
| machine.cpu.utilization | gauge | Machines |
| machine.memory.used_bytes | gauge | Machines |
| machine.disk.read_bytes | counter | Machines |
| machine.network.rx_bytes | counter | Machines |
| fn.invocations | counter | Functions |
| fn.errors | counter | Functions |
| fn.duration_ms | histogram | Functions |
| bucket.requests | counter | Buckets |
| bucket.storage_bytes | gauge | Buckets |
Custom metrics
Query
Metric-based alerts
IAM controls authentication and authorization for every API call on the platform. All requests are evaluated against IAM policy in real time. Access decisions are written to Logs automatically.
Built-in roles
| Role | Permissions |
|---|---|
| owner | Full access including billing and project deletion |
| admin | Full access to all resources; cannot delete the project |
| developer | Read/write on Machines, Functions, Buckets; read on Logs and Metrics |
| viewer | Read-only across all resources |
Custom roles
Define a role with an explicit permission set. Permissions follow the pattern <service>:<resource>:<action>.
Service accounts
Service accounts are non-human identities for CI/CD pipelines, Functions, and automation. They receive an API key and can be assigned any role.
API keys
Temporary credentials
Issue short-lived tokens for delegated access without creating a permanent key.
Secrets stores sensitive values — API keys, database passwords, tokens — encrypted at rest. Values are never returned after write and are never logged. Access is governed by IAM policy.
Store and retrieve
Inject into Functions
Secrets are injected as environment variables at invocation time. The value is never stored in your function config or visible in deployment metadata.
Inject into Machines
Versioning and rotation
TLS certificates are provisioned and renewed automatically when you attach a domain to a platform resource. HTTPS is the default; HTTP is not served on public endpoints.
Attach a domain
Certificate lifecycle
| Event | When |
|---|---|
| Initial issuance | Within 2 minutes of domain attach |
| Auto-renewal | 30 days before expiry |
| Zero-downtime rotation | New cert served before old is revoked |
Custom certificates
Upload a PEM bundle if you have CA requirements not met by ACME (e.g., EV certificates, internal CAs).
Termination modes
| Mode | Behaviour |
|---|---|
| edge (default) | TLS terminated at the INET edge; plain HTTP to your service on the private network |
| passthrough | Raw TLS forwarded to your service; you handle termination |
| mtls | Client certificate required; for service-to-service authentication |
DNS manages public zones and records for your domains, and provides automatic private resolution for all resources within a project. Delegate your domain to INET nameservers and changes propagate immediately.
Add a zone
Update your registrar's nameservers to the values returned by this command. INET operates anycast nameservers for low-latency resolution globally.
Manage records
Private DNS
Every resource gets a private hostname automatically at provision time. These resolve only within your project VLAN — no configuration required.
| Resource | Private hostname pattern |
|---|---|
| Machine | <name>.machines.internal |
| Function | <name>.functions.internal |
| Bucket | <name>.buckets.internal |
Health-check routing
INET monitors your endpoints and removes unhealthy records from DNS automatically. Configure a health check on any A or AAAA record:
Firewall enforces inbound and outbound traffic policy at the hypervisor level — before traffic reaches your Machine OS. Rules apply instantly with no downtime. Internal traffic within a project VLAN is not affected by public firewall rules.
Apply a profile
Profiles are pre-built rule sets for common workloads. Apply one as a starting point and extend with custom rules.
| Profile | Opens |
|---|---|
| web | 80/tcp, 443/tcp inbound |
| database | Project VLAN only; no public ingress |
| gaming | Game-specific UDP/TCP port ranges (configurable) |
| none | Default deny all; start from scratch |
Custom rules
Rule evaluation
- Rules are evaluated top-down by priority (lower number = higher priority)
- First matching rule wins
- Default policy is deny — traffic not matched by any rule is dropped
- Every dropped packet is logged in Logs with source, destination, and matched rule
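The evaluation order above, modeled as an added example (not INET's code or rule schema; the `Rule` fields and the sample rules are constructed for illustration). It also flags rules that can never fire because a lower-numbered rule already covers them, which is a common reason an intended deny has no effect.

```python
# Model of priority-ordered, first-match-wins evaluation with default deny.
# The Rule fields are hypothetical; they are not INET's rule schema.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number = evaluated first
    action: str     # "allow" or "deny"
    proto: str      # "tcp" or "udp"
    port: int
    source: str     # CIDR block

def matches(rule, proto, port, src_ip):
    return (rule.proto == proto and rule.port == port
            and ip_address(src_ip) in ip_network(rule.source))

def evaluate(rules, proto, port, src_ip):
    """Return (action, matched_rule); ("deny", None) when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, proto, port, src_ip):
            return rule.action, rule
    return "deny", None

def shadowed(rules):
    """Pairs (later, earlier) where `later` can never fire: `earlier` has the
    same proto/port and a source range that contains `later`'s range."""
    ordered = sorted(rules, key=lambda r: r.priority)
    dead = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier.proto == later.proto and earlier.port == later.port
                    and ip_network(later.source).subnet_of(ip_network(earlier.source))):
                dead.append((later, earlier))
                break
    return dead

# Constructed sample rule set (documentation address ranges).
RULES = [
    Rule(100, "allow", "tcp", 22, "0.0.0.0/0"),
    Rule(200, "deny", "tcp", 22, "203.0.113.0/24"),  # intended block, never reached
    Rule(300, "allow", "tcp", 443, "0.0.0.0/0"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "tcp", 22, "203.0.113.7"))     # allowed by priority 100
    print(evaluate(RULES, "tcp", 3306, "198.51.100.4"))  # no match: default deny
    for later, earlier in shadowed(RULES):
        print(f"priority {later.priority} is shadowed by priority {earlier.priority}")
```

Giving the narrower deny a lower priority number than the broad allow makes it the first match for that source range.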
Project-wide rules
Rules can be applied at the project level to cover all current and future Machines without per-resource configuration.