Cloud Platform

Services

On creation, Unikraft Cloud assigns each instance a private IP address and private FQDN for internal connectivity. It connects them to the Internet through a service: create a service and attach instances to it.

A service defines how to reach a group of instances from the outside world. It maps an external FQDN port to an internal port common to all instances. The platform load balances incoming connections across instances. Avoid placing apps that expose different ports in the same service.

If you use the kraft cloud deploy command, part of the output lists a service, for example:


 
 ├─ service: frosty-sky-vz8kwsm

Because kraft cloud deploy is a single command to deploy a service, it automatically creates a service and attaches the new instance to it. The rest of this guide shows how to create a service first, then use kraft cloud deploy to create and attach instances to it.

First, create a new service with the kraft cloud service command:


 
kraft cloud service create --name my-service 443:8080/http+tls

This creates a new service named my-service listening on port 443. Unikraft Cloud terminates TLS and sends HTTP to port 8080. This example assumes that the app opens port 8080.

Now use kraft cloud deploy with the --service flag to attach the instance to the my-service service. For example, from the Go web server guide:


 
git clone https://github.com/unikraft-cloud/examples
cd examples/http-go1.21/
kraft cloud deploy --service my-service .

This creates a new Go web server instance and immediately attaches it to the my-service service. The output shows the instance address and other details:


 
[●] Deployed successfully!
 │
 ├────────── name: http-go121-fkt1x
 ├────────── uuid: 858da707-1851-46cb-9667-05b951471222
 ├───────── state: running
 ├─────────── url: https://my-service-rrtckyyi.fra.unikraft.app
 ├───────── image: http-go121@sha256:4d536236d226781874c3ad930dbc936c4f407aa3483a1f8e961ba63a7a72c78d
 ├───── boot time: 17.14 ms
 ├──────── memory: 128 MiB
 ├─────── service: my-service
 ├── private fqdn: http-go121-fkt1x.internal
 ├──── private ip: 172.16.6.6
 └────────── args: /server

In this case, the instance name is http-go121-fkt1x. The address is https://my-service-rrtckyyi.fra.unikraft.app. These values differ for each run.

Use curl to query the Go web server:


 
curl https://my-service-rrtckyyi.fra.unikraft.app


 
hello, world!

If you specify a port with the -p option when using kraft cloud deploy, the command creates a service automatically. In that case the platform deletes the service when the instance ends, and you can't define the service name.

That's it.

In the end, if you want to remove a service, use:


 
kraft cloud service remove my-service

Handlers

Handlers define how the service will handle incoming connections and forward traffic from the Internet to your app. For example, you can configure a service to terminate TLS connections, redirect HTTP traffic, or enable HTTP mode for load balancing. You configure the handlers for every published service port individually.

Currently, there are 3 supported handlers:

Terminate the TLS connection at the Unikraft Cloud gateway using the wildcard certificate issued for the unikraft.cloud domain. The gateway forwards the unencrypted traffic to your app.

The following set of constraints apply when publishing ports:

Port 80: must have http and must not have tls set.
Port 443: must have http and tls set.
The redirect handler can only be set on port 80 (HTTP) to redirect to port 443 (HTTPS).
All other ports must have tls and must not have http set.

For example, the following creates the service my-service with three published ports:

Port 443 with both http and tls handlers (HTTP mode).
Port 80 with the http and redirect handlers (HTTP mode).
Port 10000 with only the tls handler (TCP mode).


 
kraft cloud service create --name my-service 443:8080/http+tls 80:8080/http+redirect 10000:10000/tls

Learn more

The kraft cloud CLI reference, in particular the service subcommand
Unikraft Cloud's REST API reference, in particular the section on service groups

Edit this page

Last modified on November 19, 2025

Certificates Volumes

[●] Deployed successfully!
 │
 ├────────── name: http-go121-fkt1x
 ├────────── uuid: 858da707-1851-46cb-9667-05b951471222
 ├───────── state: running
 ├─────────── url: https://my-service-rrtckyyi.fra.unikraft.app
 ├───────── image: http-go121@sha256:4d536236d226781874c3ad930dbc936c4f407aa3483a1f8e961ba63a7a72c78d
 ├───── boot time: 17.14 ms
 ├──────── memory: 128 MiB
 ├─────── service: my-service
 ├── private fqdn: http-go121-fkt1x.internal
 ├──── private ip: 172.16.6.6
 └────────── args: /server

Handlers

Currently, there are 3 supported handlers:

Terminate the TLS connection at the Unikraft Cloud gateway using the wildcard certificate issued for the unikraft.cloud domain. The gateway forwards the unencrypted traffic to your app.

The following set of constraints apply when publishing ports:

Port 80: must have http and must not have tls set.
Port 443: must have http and tls set.
The redirect handler can only be set on port 80 (HTTP) to redirect to port 443 (HTTPS).
All other ports must have tls and must not have http set.

For example, the following creates the service my-service with three published ports:

Port 443 with both http and tls handlers (HTTP mode).

Port 80 with the http and redirect handlers (HTTP mode).

Port 10000 with only the tls handler (TCP mode).

kraft cloud service create --name my-service 443:8080/http+tls 80:8080/http+redirect 10000:10000/tls