Networking & egress
Control which domains code in a session can reach with a per-session egress allowlist.
Default: full egress
By default a session has full public outbound network access. Lateral movement is always blocked — code in a session cannot reach the host, the local network, the cloud metadata endpoint, or other sessions. Only public internet egress is open by default.
Per-session egress allowlist
For untrusted code you can lock a session down to an explicit allowlist. Set the egress policy at create time, or change it on a live session.
{
"egress": {
"default": "deny",
"allow": ["api.openai.com", "*.githubusercontent.com", "pypi.org"]
}
}default: "allow"(or omitted) — full public egress. Current behaviour.default: "deny"— block all outbound traffic except the domains inallow.allow— domains only (no IP ranges in this version). Each entry is either an exact hostname (api.openai.com) or a single leading wildcard (*.githubusercontent.com, which matches any subdomain but not the apex). Up to 256 entries.
On create
inis sessions create --egress-deny \
--allow api.openai.com \
--allow '*.pypi.org'from inis import Client
client = Client()
session = client.sessions.create(
egress_default="deny",
egress_allow=["api.openai.com", "*.githubusercontent.com"],
)const session = await client.sessions.create({
egress: { default: "deny", allow: ["api.openai.com", "*.githubusercontent.com"] },
});On a live session
Read or replace the policy at any time:
inis sessions egress <session-id> # print active policy
inis sessions egress <session-id> --egress-deny \
--allow api.openai.com # replace policyGET /v1/sessions/{id}/egress— read the active policy.POST /v1/sessions/{id}/egress— set or replace the policy.
The active policy is also reflected on GET /v1/sessions/{id} under egress.
Forks
A forked child inherits its parent's egress policy. Each child gets its own isolated network, so the policy is applied independently to every child.
Pause / resume
The policy is stored with the session and survives pause/resume. It is re-applied automatically when the session resumes.
Package installs in deny mode
A locked-down session still needs to reach its package mirrors. When the node is
configured with INIS_PYPI_INDEX_URL or INIS_NPM_REGISTRY_URL, those mirror
hosts are added to the allowlist automatically for default: "deny" sessions,
so pip install and npm install keep working without listing them yourself.
If you rely on the public indexes instead, allow the hosts you need explicitly, for example:
- pip:
pypi.org,files.pythonhosted.org - npm:
registry.npmjs.org
How it works
In deny mode, the session's outbound traffic is filtered at the host: DNS answers for allowed domains populate a per-session firewall set, and only those addresses are reachable. Because CDN addresses change, the set is kept current from live DNS answers rather than resolved once. Anything not on the list is dropped, and the standard lateral-movement blocks stay in place.