[Yandex Cloud documentation](../../index.md) > [Yandex Serverless Containers](../index.md) > [Concepts](index.md) > Networking

# Networking in Serverless Containers

By default, the container is launched in the isolated IPv4 network with the enabled [NAT gateway](../../vpc/concepts/gateways.md). For this reason, only public IPv4 addresses are available from the container.

## User network {#user-network}

If necessary, you can specify a [cloud network](../../vpc/concepts/network.md#network) in container settings. In this case, it will have access to the internet and user resources in the specified network, such as databases and VMs.

A cloud network must have:
* [Subnets](../../vpc/concepts/network.md#subnet) in all [availability zones](../../overview/concepts/geo-scope.md).
* At least one resource with an IP address in the specified cloud network.

{% note info %}

If the network does not meet the conditions above, the service does not guarantee it will function properly.

{% endnote %}

If the user specifies a network in the container settings, this will create a service subnet with addresses from the 198.19.0.0/16 range for each [availability zone](../../overview/concepts/geo-scope.md). Once run, the container will be assigned an IP address from the respective subnet and will have access to all network resources.

{% note info %}

`198.19.0.0/16` service subnets are not displayed in the Yandex Cloud interface. When setting up [security groups](../../vpc/concepts/security-groups.md), you should consider this address range in your incoming and outgoing traffic rules.

{% endnote %}

Networking between two containers, as well as between containers and user resources, is limited:
* Outbound connections over TCP, UDP, and ICMP are supported. For example, a container may access a Compute Cloud VM or Managed Service for YDB database in the user network.
* Inbound connections are not supported. For example, there is no way to access the application port inside a container even if you know the IP address of a container instance.

It may take longer than usual to run a new instance of the container whose settings specify the network. Regardless of the settings, any container is only invoked via a public API. Learn more about [invoking a container](invoke.md).

To delete the network specified in the container, delete all the functions, containers, and API gateways it was set in and wait from 15 minutes to 24 hours.