idyl subnet - IDYL Docs

View and manage subnets. Subnets define groups of nodes organized by region. Admission is managed separately for developer accounts and provider fleets or nodes. Subnet runtime policy controls which workload isolation intent a subnet accepts. Use —allowed-isolation-class when creating or editing a subnet to allow container, microvm, or both. Use —allowed-vmm-backend to restrict Kata microVM nodes by backend. Use —default-isolation-class when workloads that omit —isolation-class should inherit a subnet default. Runtime policy does not install or prove a runtime on provider nodes; scheduled workloads still require matching node capabilities. A unique slug is auto-generated when a subnet is created. Subnet names are purchased in the Idyl console and managed with ‘idyl sname’.

Usage

idyl subnet

Aliases

subnets

Commands

Command	Description
`idyl subnet admission`	Manage subnet admission
`idyl subnet approve`	Approve a subnet for account deploy access
`idyl subnet create`	Create a subnet
`idyl subnet delete`	Delete a subnet
`idyl subnet edit`	Edit a subnet
`idyl subnet get`	Get managed subnet details or list managed subnets
`idyl subnet show`	Show current subnet details
`idyl subnet unapprove`	Remove subnet deploy access from the account

Inherited flags

Flag	Description
`-a <string>, --account-id <string>`	Account ID to use (overrides context)
`-c <string>, --context <string>`	Use specific context
`--homedir <string>`	Override config directory (default: ~/.idyl)
`-n <string>, --namespace <string>`	Namespace to use
`-o <string>, --output <string>`	Output format (json\|yaml)
`-p <string>, --profile <string>`	Override profile
`--realm <string>`	Override realm
`--subnet <string>`	Override context subnet for this command

Examples

# Create a subnet (slug auto-generated)
idyl subnet create --region us-east

# Create a subnet that accepts only microVM isolation intent and defaults omitted isolation
idyl subnet create --region us-east --allowed-isolation-class microvm --default-isolation-class microvm

# Create a subnet that accepts only explicit microVM isolation intent
idyl subnet create --region us-east --allowed-isolation-class microvm

# Create a subnet that accepts only Kata + Firecracker microVM nodes
idyl subnet create --region us-east --allowed-isolation-class microvm --allowed-vmm-backend firecracker

# Show current subnet details
idyl subnet show

# List subnets
idyl subnet list

# Get subnet details (by slug or name)
idyl subnet get 100000000001
idyl subnet get my-app

# Set developer admission mode
idyl subnet admission set --subnet 100000000001 --admission-type developer --mode approval

# Admit a developer account
idyl subnet admission grant --subnet 100000000001 --developer-account acct_123

# Admit a provider fleet
idyl subnet admission grant --subnet 100000000001 --provider-fleet fleet_123

# Delete a subnet
idyl subnet delete 100000000001

Subcommand reference

`idyl subnet admission`

Manage typed subnet admission. Developer admission controls which accounts may submit workloads. Provider admission controls which fleets or nodes may join as capacity.

Usage

idyl subnet admission

Aliases

admissions

Commands

Command	Description
`idyl subnet admission get`	Get subnet admission
`idyl subnet admission grant`	Grant subnet admission
`idyl subnet admission revoke`	Revoke subnet admission
`idyl subnet admission set`	Set an admission mode

Examples

idyl subnet admission get --subnet seti
idyl subnet admission set --subnet seti --admission-type developer --mode approval
idyl subnet admission grant --subnet seti --developer-account 179976391094
idyl subnet admission grant --subnet seti --provider-fleet 391742608215
idyl subnet admission grant --subnet seti --provider-node En5p9qJPQKyem8kVzKzxqvUr8P5P6vpEru7yVHz1cyE
idyl subnet admission revoke --subnet seti --grant 550e8400-e29b-41d4-a716-446655440000

`idyl subnet admission get`

Get subnet admission

Usage

idyl subnet admission get [flags]

Aliases

list
ls

Flags

Flag	Description
`-o <string>, --output <string>`	Output format: table, json, yaml Default: `table`.
`--subnet <string>`	Required. Subnet slug or bound name

`idyl subnet admission grant`

Grant subnet admission

Usage

idyl subnet admission grant [flags]

Flags

Flag	Description
`--developer-account <string>`	Account ID to grant developer admission
`-o <string>, --output <string>`	Output format: table, json, yaml Default: `table`.
`--provider-fleet <string>`	Fleet ID to grant provider admission
`--provider-node <string>`	Node ID to grant provider admission
`--subnet <string>`	Required. Subnet slug or bound name

`idyl subnet admission revoke`

Revoke subnet admission

Usage

idyl subnet admission revoke [flags]

Flags

Flag	Description
`--grant <string>`	Required. Admission grant ID
`--subnet <string>`	Required. Subnet slug or bound name

`idyl subnet admission set`

Set an admission mode

Usage

idyl subnet admission set [flags]

Flags

Flag	Description
`--admission-type <string>`	Required. Admission type: developer or provider
`--mode <string>`	Required. Admission mode: open, approval, or invite
`-o <string>, --output <string>`	Output format: table, json, yaml Default: `table`.
`--subnet <string>`	Required. Subnet slug or bound name

`idyl subnet approve`

Approve a subnet for account deploy access. This grants the current account permission to create new workloads in the subnet, provided the subnet’s region is also enabled for the account. Provider capacity admission is managed separately with ‘idyl subnet admission’.

Usage

idyl subnet approve <slug-or-name> [flags]

Flags

Flag	Description
`-o <string>, --output <string>`	Output format: table, json, yaml Default: `table`.

Examples

idyl subnet approve default
idyl subnet approve 100000000001

`idyl subnet create`

Create a new subnet in a region. A unique slug is auto-generated server-side. Subnet names are purchased in the Idyl console and can be managed with ‘idyl sname’ after purchase. Use runtime policy flags when the subnet should accept only specific workload isolation intent or Kata VMM backends. If —default-isolation-class is set, workloads that omit —isolation-class inherit that default. If a runtime policy has no default, workloads must set —isolation-class explicitly. Runtime policy does not install or prove a runtime on provider nodes; scheduling still requires matching node capabilities.

Usage

idyl subnet create [flags]

Flags

Flag	Description
`--allowed-isolation-class <stringSlice>`	Allowed workload isolation intent for this subnet; repeat or comma-separate (container, microvm)
`--allowed-vmm-backend <stringSlice>`	Allowed Kata VMM backend for microvm nodes in this subnet; repeat or comma-separate (qemu, firecracker)
`--default-isolation-class <string>`	Default isolation intent for workloads that omit —isolation-class; must be allowed
`--description <string>`	Subnet description
`-o <string>, --output <string>`	Output format: table, json, yaml Default: `table`.
`--region <string>`	Region to host the subnet in

Examples

# Interactive — prompts for all required values
idyl subnet create

# Fully non-interactive
idyl subnet create --region us-east

# Create a subnet that accepts only microVM isolation intent and defaults omitted isolation
idyl subnet create --region us-east --allowed-isolation-class microvm --default-isolation-class microvm

# Create a subnet that accepts only explicit microVM isolation intent
idyl subnet create --region us-east --allowed-isolation-class microvm

# Create a subnet that accepts only Kata + Firecracker microVM nodes
idyl subnet create --region us-east --allowed-isolation-class microvm --allowed-vmm-backend firecracker

# Accept both container and microVM isolation intent
idyl subnet create --region us-east --allowed-isolation-class container --allowed-isolation-class microvm

`idyl subnet delete`

Delete a subnet. The argument can be a subnet slug or a bound name. You will be prompted for confirmation unless the —yes flag is provided.

Usage

idyl subnet delete <slug-or-name> [flags]

Flags

Flag	Description
`-y, --yes`	Skip confirmation prompts

Examples

# Delete a subnet by slug (with confirmation)
idyl subnet delete 100000000001

# Delete using a bound name without confirmation
idyl subnet delete my-subnet --yes

`idyl subnet edit`

Edit a subnet’s properties. The argument can be a subnet slug or a bound name. Runtime policy flags replace the subnet runtime policy. Use —allowed-isolation-class to set the allowed workload isolation intent and —allowed-vmm-backend to restrict Kata microVM nodes by backend. Use —default-isolation-class when workloads without explicit —isolation-class should inherit a subnet default. Use —clear-runtime-policy to remove subnet runtime policy. Runtime policy does not install or prove a runtime on provider nodes; scheduling still requires matching node capabilities.

Usage

idyl subnet edit <slug-or-name> [flags]

Flags

Flag	Description
`--allowed-isolation-class <stringSlice>`	Allowed workload isolation intent for this subnet; repeat or comma-separate (container, microvm)
`--allowed-vmm-backend <stringSlice>`	Allowed Kata VMM backend for microvm nodes in this subnet; repeat or comma-separate (qemu, firecracker)
`--clear-runtime-policy`	Clear subnet runtime policy so the subnet no longer filters by workload isolation intent
`--default-isolation-class <string>`	Default isolation intent for workloads that omit —isolation-class; must be allowed
`-o <string>, --output <string>`	Output format: table, json, yaml Default: `table`.
`--set-description <string>`	Set the subnet description

Examples

# Update subnet description
idyl subnet edit 100000000001 --set-description "New description"

# Accept only microVM isolation intent and default omitted isolation
idyl subnet edit 100000000001 --allowed-isolation-class microvm --default-isolation-class microvm

# Accept only explicit microVM isolation intent
idyl subnet edit 100000000001 --allowed-isolation-class microvm

# Accept only Kata + Firecracker microVM nodes
idyl subnet edit 100000000001 --allowed-isolation-class microvm --allowed-vmm-backend firecracker

# Accept both container and microVM isolation intent
idyl subnet edit 100000000001 --allowed-isolation-class container --allowed-isolation-class microvm

# Clear runtime policy
idyl subnet edit 100000000001 --clear-runtime-policy

# Update typed admission policy
idyl subnet admission set --subnet 100000000001 --admission-type developer --mode approval

`idyl subnet get`

Get details of a specific managed subnet, or list managed subnets. With no arguments, lists subnets owned by the current account. With a slug or name argument, gets details of that managed subnet.

Usage

idyl subnet get [slug-or-name] [flags]

Aliases

list
ls

Flags

Flag	Description
`-o <string>, --output <string>`	Output format: table, json, yaml Default: `table`.

Examples

# List subnets
idyl subnet get

# Get subnet details by slug
idyl subnet get 100000000001

# Get subnet details by name
idyl subnet get my-subnet

# Get in JSON format
idyl subnet get 100000000001 -o json

`idyl subnet show`

Show details of the current subnet from the active context. The subnet is resolved from the —subnet flag, IDYL_SUBNET environment variable, or the current context.

Usage

idyl subnet show [flags]

Flags

Flag	Description
`-o <string>, --output <string>`	Output format: table, json, yaml Default: `table`.

Examples

# Show current subnet details
idyl subnet show

# Show current subnet in JSON format
idyl subnet show -o json

`idyl subnet unapprove`

Remove subnet deploy access from the account. Existing workloads are not stopped, but new deployments to the subnet will be blocked once access is removed.

Usage

idyl subnet unapprove <slug-or-name> [flags]

Flags

Flag	Description
`-y, --yes`	Skip confirmation prompts

Examples

idyl subnet unapprove default
idyl subnet unapprove 100000000001 --yes

​Usage

​Aliases

​Commands

​Inherited flags

​Examples

​Subcommand reference

​idyl subnet admission

​Usage

​Aliases

​Commands

​Examples

​idyl subnet admission get

​Usage

​Aliases

​Flags

​idyl subnet admission grant

​Usage

​Flags

​idyl subnet admission revoke

​Usage

​Flags

​idyl subnet admission set

​Usage

​Flags

​idyl subnet approve

​Usage

​Flags

​Examples

​idyl subnet create

​Usage

​Flags

​Examples

​idyl subnet delete

​Usage

​Flags

​Examples

​idyl subnet edit

​Usage

​Flags

​Examples

​idyl subnet get

​Usage

​Aliases

​Flags

​Examples

​idyl subnet show

​Usage

​Flags

​Examples

​idyl subnet unapprove

​Usage

​Flags

​Examples

Usage

Aliases

Commands

Inherited flags

Examples

Subcommand reference

`idyl subnet admission`

Usage

Aliases

Commands

Examples

`idyl subnet admission get`

Usage

Aliases

Flags

`idyl subnet admission grant`

Usage

Flags

`idyl subnet admission revoke`

Usage

Flags

`idyl subnet admission set`

Usage

Flags

`idyl subnet approve`

Usage

Flags

Examples

`idyl subnet create`

Usage

Flags

Examples

`idyl subnet delete`

Usage

Flags

Examples

`idyl subnet edit`

Usage

Flags

Examples

`idyl subnet get`

Usage

Aliases

Flags

Examples

`idyl subnet show`

Usage

Flags

Examples

`idyl subnet unapprove`

Usage

Flags

Examples