What can I manage with this skill?

Networks, subnets, routes, firewalls, firewall rules, floating IPs, primary IPs, load balancers, load balancer services and targets, and vSwitch integration using the hcloud CLI.

Which commands are commonly used?

Common commands include hcloud network create, hcloud network list/describe/delete, hcloud network add-subnet, hcloud network add-route, hcloud network expose-routes-to-vswitch, hcloud firewall create/list, hcloud floating-ip allocate/assign, and hcloud load-balancer create/list.

How do I enable vSwitch integration?

Use hcloud network expose-routes-to-vswitch to enable, and --disable to turn it off.

hcloud-networking

npx machina-cli add skill danjdewhurst/hcloud-skills/hcloud-networking --openclaw

Files (1)

SKILL.md

16.9 KB

Hetzner Cloud Networking

Networks

Create a Network

hcloud network create --name <name> --ip-range <cidr>

Flag	Description
`--name`	Network name (required)
`--ip-range`	Network IP range in CIDR notation (required)
`--label`	User-defined labels as `key=value` (repeatable)
`--enable-protection`	Enable protection: `delete`
`--expose-routes-to-vswitch`	Expose routes to connected vSwitch
`-o, --output`	Output options: `json\|yaml`

List Networks

hcloud network list

Columns: id, name, ip_range, servers, age, created, labels, protection, expose_routes_to_v_switch

Flag	Description
`-l, --selector`	Filter by label selector
`-s, --sort`	Sort results
`-o, --output`	Output options: `noheader\|columns=...\|json\|yaml`

Describe a Network

hcloud network describe <network>

Flag	Description
`-o, --output`	Output options: `json\|yaml\|format`

Delete Networks

hcloud network delete <network>...

Accepts one or more networks by name or ID.

Update a Network

hcloud network update --name <name> <network>

Add a Subnet

hcloud network add-subnet --network-zone <zone> --type <cloud|server|vswitch> <network>

Flag	Description
`--network-zone`	Name of network zone (required)
`--type`	Subnet type: `cloud`, `server`, or `vswitch` (required)
`--ip-range`	Range to allocate IPs from
`--vswitch-id`	ID of the vSwitch (required when type is `vswitch`)

Remove a Subnet

hcloud network remove-subnet --ip-range <cidr> <network>

Flag	Description
`--ip-range`	IP range of the subnet to remove (required)

Add a Route

hcloud network add-route --destination <cidr> --gateway <ip> <network>

Flag	Description
`--destination`	Destination network or host in CIDR notation (required)
`--gateway`	Gateway IP address (required)

Remove a Route

hcloud network remove-route --destination <cidr> --gateway <ip> <network>

Flag	Description
`--destination`	Destination network or host in CIDR notation (required)
`--gateway`	Gateway IP address (required)

Change IP Range

hcloud network change-ip-range --ip-range <cidr> <network>

The new range must contain the existing range. You can only expand, not shrink.

Expose Routes to vSwitch

hcloud network expose-routes-to-vswitch [--disable] <network>

Enables exposing routes to the connected vSwitch. Use --disable to remove exposed routes.

Labels and Protection

hcloud network add-label [--overwrite] <network> <key=value>...
hcloud network remove-label <network> (--all | <key>...)
hcloud network enable-protection <network> delete
hcloud network disable-protection <network> delete

Firewalls

Create a Firewall

hcloud firewall create --name <name>

Flag	Description
`--name`	Firewall name (required)
`--rules-file`	JSON file containing rules (use `-` for stdin); structure must match the API
`--label`	User-defined labels as `key=value` (repeatable)
`-o, --output`	Output options: `json\|yaml`

List Firewalls

hcloud firewall list

Columns: id, name, rules_count, applied_to_count, age, created, labels

Flag	Description
`-l, --selector`	Filter by label selector
`-s, --sort`	Sort results
`-o, --output`	Output options: `noheader\|columns=...\|json\|yaml`

Describe a Firewall

hcloud firewall describe <firewall>

Flag	Description
`-o, --output`	Output options: `json\|yaml\|format`

Delete Firewalls

hcloud firewall delete <firewall>...

Accepts one or more firewalls by name or ID.

Update a Firewall

hcloud firewall update --name <name> <firewall>

Add a Rule

hcloud firewall add-rule [options] (--direction in --source-ips <ips> | --direction out --destination-ips <ips>) (--protocol <tcp|udp> --port <port> | --protocol <icmp|esp|gre>) <firewall>

Flag	Description
`--direction`	Direction: `in` or `out` (required)
`--protocol`	Protocol: `tcp`, `udp`, `icmp`, `esp`, or `gre` (required)
`--port`	Port or port range (e.g. `80` or `80-85`); only for `tcp`/`udp`
`--source-ips`	Source IPs in CIDR notation (required when direction is `in`)
`--destination-ips`	Destination IPs in CIDR notation (required when direction is `out`)
`--description`	Description of the rule

Delete a Rule

hcloud firewall delete-rule [options] (--direction in --source-ips <ips> | --direction out --destination-ips <ips>) (--protocol <tcp|udp> --port <port> | --protocol <icmp|esp|gre>) <firewall>

Uses the same flags as add-rule to identify and remove the matching rule.

Replace All Rules

hcloud firewall replace-rules --rules-file <file> <firewall>

Replaces all rules from a JSON file. Use - to read from stdin. The JSON structure must match the Hetzner Cloud API format.

Apply Firewall to a Resource

hcloud firewall apply-to-resource --type <server|label_selector> <firewall>

Flag	Description
`--type`	Resource type: `server` or `label_selector` (required)
`--server`	Server name or ID (required when type is `server`)
`-l, --label-selector`	Label selector (required when type is `label_selector`)

Remove Firewall from a Resource

hcloud firewall remove-from-resource --type <server|label_selector> <firewall>

Uses the same flags as apply-to-resource.

Labels

hcloud firewall add-label [--overwrite] <firewall> <key=value>...
hcloud firewall remove-label <firewall> (--all | <key>...)

Floating IPs

Create a Floating IP

hcloud floating-ip create --type <ipv4|ipv6> (--home-location <location> | --server <server>)

Flag	Description
`--type`	IP type: `ipv4` or `ipv6` (required)
`--home-location`	Home location (mutually exclusive with `--server`)
`--server`	Server to assign the IP to (mutually exclusive with `--home-location`)
`--name`	Floating IP name
`--description`	Description
`--label`	User-defined labels as `key=value` (repeatable)
`--enable-protection`	Enable protection: `delete`
`-o, --output`	Output options: `json\|yaml`

List Floating IPs

hcloud floating-ip list

Columns: id, name, type, ip, server, home, dns, description, age, created, labels, protection, blocked

Flag	Description
`-l, --selector`	Filter by label selector
`-s, --sort`	Sort results
`-o, --output`	Output options: `noheader\|columns=...\|json\|yaml`

Describe a Floating IP

hcloud floating-ip describe <floating-ip>

Flag	Description
`-o, --output`	Output options: `json\|yaml\|format`

Delete Floating IPs

hcloud floating-ip delete <floating-ip>...

Accepts one or more floating IPs by name or ID.

Update a Floating IP

hcloud floating-ip update <floating-ip>

Flag	Description
`--name`	New name
`--description`	New description

Assign a Floating IP

hcloud floating-ip assign <floating-ip> <server>

Unassign a Floating IP

hcloud floating-ip unassign <floating-ip>

Set Reverse DNS

hcloud floating-ip set-rdns [--ip <ip>] (--hostname <hostname> | --reset) <floating-ip>

Flag	Description
`-i, --ip`	IP address for which the reverse DNS entry should be set
`-r, --hostname`	Hostname to set as a reverse DNS PTR entry
`--reset`	Reset the reverse DNS entry to the default value

Protection and Labels

hcloud floating-ip enable-protection <floating-ip> delete
hcloud floating-ip disable-protection <floating-ip> delete
hcloud floating-ip add-label [--overwrite] <floating-ip> <key=value>...
hcloud floating-ip remove-label <floating-ip> (--all | <key>...)

Primary IPs

Create a Primary IP

hcloud primary-ip create --type <ipv4|ipv6> --name <name>

Flag	Description
`--type`	IP type: `ipv4` or `ipv6` (required)
`--name`	Primary IP name (required)
`--location`	Location (ID or name)
`--assignee-id`	Assignee (usually a server) to assign the IP to
`--auto-delete`	Delete the IP when the assigned resource is deleted
`--label`	User-defined labels as `key=value` (repeatable)
`--enable-protection`	Enable protection: `delete`
`-o, --output`	Output options: `json\|yaml`

Note: The --datacenter flag is deprecated. Use --location or --assignee-id instead.

List Primary IPs

hcloud primary-ip list

Columns: id, name, type, ip, assignee, assignee_id, assignee_type, auto_delete, dns, age, created, labels, protection, blocked

Flag	Description
`-l, --selector`	Filter by label selector
`-s, --sort`	Sort results
`-o, --output`	Output options: `noheader\|columns=...\|json\|yaml`

Describe a Primary IP

hcloud primary-ip describe <primary-ip>

Flag	Description
`-o, --output`	Output options: `json\|yaml\|format`

Delete Primary IPs

hcloud primary-ip delete <primary-ip>...

Accepts one or more primary IPs by name or ID.

Update a Primary IP

hcloud primary-ip update <primary-ip>

Flag	Description
`--name`	New name
`--auto-delete`	Delete the IP when the assigned resource is deleted

Assign a Primary IP

hcloud primary-ip assign --server <server> <primary-ip>

Unassign a Primary IP

hcloud primary-ip unassign <primary-ip>

Set Reverse DNS

hcloud primary-ip set-rdns [--ip <ip>] (--hostname <hostname> | --reset) <primary-ip>

Flag	Description
`-i, --ip`	IP address for which the reverse DNS entry should be set
`-r, --hostname`	Hostname to set as a reverse DNS PTR entry
`--reset`	Reset the reverse DNS entry to the default value

Protection and Labels

hcloud primary-ip enable-protection <primary-ip> delete
hcloud primary-ip disable-protection <primary-ip> delete
hcloud primary-ip add-label [--overwrite] <primary-ip> <key=value>...
hcloud primary-ip remove-label <primary-ip> (--all | <key>...)

Load Balancers

Create a Load Balancer

hcloud load-balancer create --name <name> --type <type>

Flag	Description
`--name`	Load balancer name (required)
`--type`	Load balancer type ID or name (required)
`--algorithm-type`	Algorithm: `round_robin` or `least_connections`
`--location`	Location (ID or name)
`--network`	Network (ID or name) to attach on creation
`--network-zone`	Network zone
`--label`	User-defined labels as `key=value` (repeatable)
`--enable-protection`	Enable protection: `delete`
`-o, --output`	Output options: `json\|yaml`

List Load Balancers

hcloud load-balancer list

Columns: id, name, type, ipv4, ipv6, location, network_zone, health, age, created, labels, protection

Flag	Description
`-l, --selector`	Filter by label selector
`-s, --sort`	Sort results
`-o, --output`	Output options: `noheader\|columns=...\|json\|yaml`

Describe a Load Balancer

hcloud load-balancer describe <load-balancer>

Flag	Description
`--expand-targets`	Expand all label_selector targets
`-o, --output`	Output options: `json\|yaml\|format`

Delete Load Balancers

hcloud load-balancer delete <load-balancer>...

Accepts one or more load balancers by name or ID.

Update a Load Balancer

hcloud load-balancer update --name <name> <load-balancer>

Add a Service

hcloud load-balancer add-service [options] (--protocol http | --protocol tcp --listen-port <1-65535> --destination-port <1-65535> | --protocol https --http-certificates <ids>) <load-balancer>

Flag	Description
`--protocol`	Protocol: `http`, `tcp`, or `https` (required)
`--listen-port`	Listen port of the service
`--destination-port`	Destination port on targets
`--http-certificates`	IDs or names of certificates (for `https`)
`--http-redirect-http`	Redirect port 80 to port 443
`--http-sticky-sessions`	Enable sticky sessions
`--http-cookie-name`	Sticky sessions cookie name
`--http-cookie-lifetime`	Sticky sessions cookie lifetime
`--proxy-protocol`	Enable proxy protocol

Health check flags:

Flag	Default	Description
`--health-check-protocol`		Health check protocol
`--health-check-port`		Health check port
`--health-check-interval`	`15s`	Interval between health checks
`--health-check-timeout`	`10s`	Timeout before marking unhealthy
`--health-check-retries`	`3`	Retries before marking as failed
`--health-check-http-domain`		Domain for HTTP health checks
`--health-check-http-path`		Path for HTTP health checks
`--health-check-http-response`		Expected response body
`--health-check-http-status-codes`		Expected status codes
`--health-check-http-tls`		Verify TLS certificate on health check

Update a Service

hcloud load-balancer update-service --listen-port <port> <load-balancer>

Identifies the service by --listen-port and accepts all the same flags as add-service to modify properties.

Delete a Service

hcloud load-balancer delete-service --listen-port <port> <load-balancer>

Add a Target

hcloud load-balancer add-target [options] (--server <server> | --label-selector <selector> | --ip <ip>) <load-balancer>

Flag	Description
`--server`	Server name or ID
`--label-selector`	Label selector for server targets
`--ip`	IP address for IP targets
`--use-private-ip`	Connect to target via private network

Remove a Target

hcloud load-balancer remove-target [options] <load-balancer>

Flag	Description
`--server`	Server name or ID
`--label-selector`	Label selector
`--ip`	IP address of an IP target

Change Algorithm

hcloud load-balancer change-algorithm --algorithm-type <round_robin|least_connections> <load-balancer>

Change Type

hcloud load-balancer change-type <load-balancer> <load-balancer-type>

Attach to Network

hcloud load-balancer attach-to-network --network <network> <load-balancer>

Flag	Description
`-n, --network`	Network ID or name (required)
`--ip`	IP address to assign (auto-assigned if omitted)
`--ip-range`	Subnet IP range in CIDR notation (auto-assigned if omitted)

Detach from Network

hcloud load-balancer detach-from-network --network <network> <load-balancer>

Enable Public Interface

hcloud load-balancer enable-public-interface <load-balancer>

Disable Public Interface

hcloud load-balancer disable-public-interface <load-balancer>

Set Reverse DNS

hcloud load-balancer set-rdns [--ip <ip>] (--hostname <hostname> | --reset) <load-balancer>

Flag	Description
`-i, --ip`	IP address for which the reverse DNS entry should be set
`-r, --hostname`	Hostname to set as a reverse DNS PTR entry
`--reset`	Reset the reverse DNS entry to the default value

Protection and Labels

hcloud load-balancer enable-protection <load-balancer> delete
hcloud load-balancer disable-protection <load-balancer> delete
hcloud load-balancer add-label [--overwrite] <load-balancer> <key=value>...
hcloud load-balancer remove-label <load-balancer> (--all | <key>...)

Load Balancer Types

List Load Balancer Types

hcloud load-balancer-type list

Columns: id, name, description, max_connections, max_services, max_targets, max_assigned_certificates

Flag	Description
`-l, --selector`	Filter by label selector
`-s, --sort`	Sort results
`-o, --output`	Output options: `noheader\|columns=...\|json\|yaml`

Describe a Load Balancer Type

hcloud load-balancer-type describe <load-balancer-type>

Flag	Description
`-o, --output`	Output options: `json\|yaml\|format`

Source

git clone https://github.com/danjdewhurst/hcloud-skills/blob/main/skills/hcloud-networking/SKILL.mdView on GitHub

Overview

Manage Hetzner Cloud networking resources—networks, subnets, routes, firewalls, IPs, load balancers, and vSwitch integration. This skill covers creating and updating networks, configuring firewall rules, allocating IPs, and wiring load balancers and services for scalable, secure deployments.

How This Skill Works

Use the hcloud CLI commands shown in the skill (for example, hcloud network create, hcloud firewall create, hcloud network add-subnet, hcloud network add-route, and hcloud network expose-routes-to-vswitch) to declare and modify networking resources. The tool executes these commands to apply the desired state and outputs structured results for automation.

When to Use It

When you need to create an isolated network for a project or cluster (specify a CIDR) and manage its subnets.
When you want to connect networks to a vSwitch by adding subnets and exposing routes to the vSwitch.
When enforcing access and traffic controls by creating and updating firewall rules.
When allocating and attaching floating or primary IPs for high availability or external access.
When deploying or reconfiguring load balancers, services, and targets to expose applications behind a stable endpoint.

Quick Start

Step 1: Install and authenticate with the hcloud CLI.
Step 2: Create a network: hcloud network create --name my-net --ip-range 10.0.0.0/16
Step 3: Add a subnet and configure firewall rules, then attach IPs or set up a load balancer as needed.

Best Practices

Plan IP ranges and subnet topology before creating resources.
Label resources consistently for easy filtering and automation.
Start with restrictive firewall rules and test in staging.
Prefer vSwitch integration for cross-network connectivity where needed.
Regularly audit, back up configurations, and verify with describe outputs.

Example Use Cases

Create a new network with a specified CIDR (hcloud network create --name mynet --ip-range 10.0.0.0/16).
Add a subnet to a network with a chosen type (cloud, server, or vswitch) and zone.
Create a firewall with rules and apply it to a set of servers.
Allocate a floating IP and attach it to a server for external access or failover.
Create a load balancer and configure services and targets to expose an application.

Frequently Asked Questions

Add this skill to your agents