From f248f45792bfd7e04dee78ed3440725c9f9210d3 Mon Sep 17 00:00:00 2001
From: Erik Sipsma <sipsma@amazon.com>
Date: Thu, 19 Sep 2019 01:39:03 +0000
Subject: [PATCH] Add support for CNI-configured VM network interfaces.

Signed-off-by: Erik Sipsma <sipsma@amazon.com>
---
 Makefile                                      |  28 ++
 docs/getting-started.md                       |  84 +++-
 docs/networking.md                            |  81 ++--
 docs/quickstart.md                            |  21 +-
 examples/Makefile                             |  16 +-
 examples/taskworkflow.go                      |  77 ++--
 go.mod                                        |  12 +-
 go.sum                                        |  77 +++-
 internal/network_test_utils.go                | 150 +++++++
 proto/events.pb.go                            |   2 +-
 proto/firecracker.pb.go                       |   2 +-
 proto/firecracker.proto                       |   2 +-
 proto/service/fccontrol/ttrpc/fccontrol.pb.go |   2 +-
 proto/types.pb.go                             | 413 +++++++++++++++---
 proto/types.proto                             |  80 +++-
 runtime/Makefile                              |   2 +-
 runtime/cni_integ_test.go                     | 216 +++++++++
 runtime/config.go                             |   6 +
 runtime/firecrackeroci/network.go             |  43 ++
 runtime/helpers.go                            |  53 ++-
 runtime/helpers_test.go                       |  87 +++-
 runtime/service.go                            |  17 +-
 runtime/service_integ_test.go                 |  75 ++--
 tools/demo/fcnet.conflist                     |  19 +
 tools/docker/Dockerfile                       |  43 +-
 tools/docker/firecracker-runtime.json         |  10 +-
 .../files_debootstrap/etc/resolv.conf         |   1 +
 27 files changed, 1378 insertions(+), 241 deletions(-)
 create mode 100644 internal/network_test_utils.go
 create mode 100644 runtime/cni_integ_test.go
 create mode 100644 runtime/firecrackeroci/network.go
 create mode 100644 tools/demo/fcnet.conflist
 create mode 120000 tools/image-builder/files_debootstrap/etc/resolv.conf

diff --git a/Makefile b/Makefile
index d4b6a0cea..dca30d252 100644
--- a/Makefile
+++ b/Makefile
@@ -131,6 +131,34 @@ firecracker-containerd-naive-integ-test-image: $(RUNC_BIN) $(FIRECRACKER_BIN) $(
 
 .PHONY: all $(SUBDIRS) clean proto deps lint install image test-images firecracker-container-test-image firecracker-containerd-naive-integ-test-image test test-in-docker $(TEST_SUBDIRS) integ-test $(INTEG_TEST_SUBDIRS)
 
+##########################
+# CNI Network
+##########################
+
+CNI_BIN_ROOT?=/opt/cni/bin
+$(CNI_BIN_ROOT):
+	mkdir -p $(CNI_BIN_ROOT)
+
+PTP_BIN?=$(CNI_BIN_ROOT)/ptp
+$(PTP_BIN): $(CNI_BIN_ROOT)
+	GOBIN=$(CNI_BIN_ROOT) GO111MODULE=off go get -u github.com/containernetworking/plugins/plugins/main/ptp
+
+HOSTLOCAL_BIN?=$(CNI_BIN_ROOT)/host-local
+$(HOSTLOCAL_BIN): $(CNI_BIN_ROOT)
+	GOBIN=$(CNI_BIN_ROOT) GO111MODULE=off go get -u github.com/containernetworking/plugins/plugins/ipam/host-local
+
+TC_REDIRECT_TAP_BIN?=$(CNI_BIN_ROOT)/tc-redirect-tap
+$(TC_REDIRECT_TAP_BIN): $(CNI_BIN_ROOT)
+	GOBIN=$(CNI_BIN_ROOT) go install github.com/firecracker-microvm/firecracker-go-sdk/cni/cmd/tc-redirect-tap
+
+FCNET_CONFIG?=/etc/cni/conf.d/fcnet.conflist
+$(FCNET_CONFIG):
+	mkdir -p $(dir $(FCNET_CONFIG))
+	cp tools/demo/fcnet.conflist $(FCNET_CONFIG)
+
+.PHONY: demo-network
+demo-network: $(PTP_BIN) $(HOSTLOCAL_BIN) $(TC_REDIRECT_TAP_BIN) $(FCNET_CONFIG)
+
 ##########################
 # Firecracker submodule
 ##########################
diff --git a/docs/getting-started.md b/docs/getting-started.md
index 5cda2aa09..406daff67 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -193,6 +193,10 @@ configuration file has the following fields:
   delivered.
 * `ht_enabled` (unused) - Reserved for future use.
 * `debug` (optional) - Enable debug-level logging from the runtime.
+* `default_network_interfaces` (optional) - a list of network interfaces to configure
+  a VM with if no list of network interfaces is provided with a CreateVM call. Defaults
+  to an empty list. The structure of the items in the list is the same as the Go API
+  FirecrackerNetworkInterface defined [in protobuf here](../proto/types.proto).
 
 <details>
 <summary>A reasonable example configuration</summary>
@@ -206,8 +210,7 @@ configuration file has the following fields:
   "cpu_template": "T2",
   "log_fifo": "fc-logs.fifo",
   "log_level": "Debug",
-  "metrics_fifo": "fc-metrics.fifo",
-
+  "metrics_fifo": "fc-metrics.fifo"
 }
 ```
 </details>
@@ -241,11 +244,13 @@ And start a container!
 
 ```bash
 $ sudo firecracker-ctr --address /run/firecracker-containerd/containerd.sock \
-  run --snapshotter firecracker-naive --runtime aws.firecracker --tty \
+  run --snapshotter firecracker-naive --runtime aws.firecracker \ 
+  --rm --tty --net-host \
   docker.io/library/busybox:latest busybox-test
 ```
 
-Alternatively you can specify `--runtime` and `--snapshotter` just once when creating a new namespace using containerd's default labels:
+Alternatively you can specify `--runtime` and `--snapshotter` just once when 
+creating a new namespace using containerd's default labels:
 
 ```bash
 $ sudo firecracker-ctr --address /run/firecracker-containerd/containerd.sock \
@@ -258,6 +263,75 @@ $ sudo firecracker-ctr --address /run/firecracker-containerd/containerd.sock \
 
 $ sudo firecracker-ctr --address /run/firecracker-containerd/containerd.sock \
   -n fc \
-  run --tty \
+  run --rm --tty --net-host \
   docker.io/library/busybox:latest busybox-test
 ```
+
+## Networking support 
+Firecracker-containerd supports the same networking options as provided by the 
+Firecracker Go SDK, [documented here](https://github.com/firecracker-microvm/firecracker-go-sdk#network-configuration).
+This includes support for configuring VM network interfaces both with
+pre-created tap devices and with tap devices created automatically by 
+[CNI](https://github.com/containernetworking/cni) plugins.
+
+### CNI Setup
+CNI-configured networks offer the quickest way to get VMs up and running with 
+connectivity to external networks. Setting one up requires a few extra steps in 
+addition to the above Setup steps.
+
+To install the required CNI dependencies, run the following make target from the 
+previously cloned firecracker-containerd repository:
+```bash
+$ sudo make demo-network
+```
+
+You can check the Makefile to see exactly what is installed and where, but for a 
+quick summary:
+* [`ptp` CNI plugin](https://github.com/containernetworking/plugins/tree/master/plugins/main/ptp) 
+  - Creates a [veth](http://man7.org/linux/man-pages/man4/veth.4.html) pair with 
+  one end in a private network namespace and the other end in the host's network namespace.
+* [`host-local` CNI
+  plugin](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local)
+  - Manages IP allocations of network devices present on the local machine by 
+  vending them from a statically defined subnet.
+* [`tc-redirect-tap` CNI
+  plugin](https://github.com/firecracker-microvm/firecracker-go-sdk/tree/master/cni) 
+  - A CNI plugin that adapts other CNI plugins to be usable by Firecracker VMs.
+  [See this doc for more details](networking.md). It is used here to adapt veth 
+  devices created by the `ptp` plugin to tap devices provided to VMs.
+* [`fcnet.conflist`](../tools/demo/fcnet.conflist) - A sample CNI configuration 
+  file that defines a `fcnet` network created via the `ptp`, `host-local` and 
+  `tc-redirect-tap` plugins
+
+After those dependencies are installed, an update to the firecracker-containerd 
+configuration file is required for VMs to use the `fcnet` CNI-configuration as 
+their default way of generating network interfaces. Just include the following `
+default_network_interfaces` key in your runtime configuration file (by default 
+at `/etc/containerd/firecracker-runtime.json`):
+```json
+"default_network_interfaces": [
+  {
+    "CNIConfig": {
+      "NetworkName": "fcnet",
+      "InterfaceName": "veth0"
+    }
+  }
+]
+```
+
+After that, start up a container (as described in the above Usage section) and 
+try pinging your host IP.
+
+At the time of this writing, there is a bug in the ptp plugin that prevents the
+DNS settings from the IPAM plugin being propagated. This is being addressed, but
+until that time DNS resolution will require users manually tweak the installed
+CNI configuration to specify static DNS nameservers appropriate to their local
+network in [the `dns` section of the PTP plugin](https://github.com/containernetworking/plugins/tree/master/plugins/main/ptp#network-configuration-reference)
+
+While your host's IP should always be reachable from the VM given the above
+networking setup, your VM may or may not have outbound internet access depending
+on the details of your host's network. The ptp plugin attempts to setup iptables
+rules to allow the VM's traffic to be forwarded on your host's network but may
+not be able to if there are pre-existing iptables rules that overlap. In those
+cases, granting your VM outbound internet access may require customization of
+the CNI configuration past what's installed above.
diff --git a/docs/networking.md b/docs/networking.md
index cbb75255c..f931c5796 100644
--- a/docs/networking.md
+++ b/docs/networking.md
@@ -70,6 +70,7 @@ The Linux Kernel’s [Traffic Control (TC)](http://tldp.org/HOWTO/Traffic-Contro
 Most relevant to our interests, the [U32 filter](http://man7.org/linux/man-pages/man8/tc-u32.8.html) provided as part of TC allows you to create a rule that essentially says “take all the packets entering the ingress queue of this device and move them to the egress queue of this other device”. For example, if you have DeviceA and DeviceB you can setup that rule on each of them such that the end effect is every packet sent into DeviceA goes out of DeviceB and every packet sent to DeviceB goes out of DeviceA. The host kernel just moves the ethernet packets from one device’s queue to the other’s, so the redirection is entirely transparent to any userspace application or VM guest kernel all the way down to and including the link layer.
 
 * We first learned about this approach from [Kata Containers](https://github.com/kata-containers/runtime), who are using it for similar purposes in their framework. They have [some more background information documented here](https://gist.github.com/mcastelino/7d85f4164ffdaf48242f9281bb1d0f9b).
+* Another use of TC redirect filters in the context of CNI plugins can be found in the [bandwidth CNI plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/bandwidth).
 
 This technique can be used to redirect between a Firecracker VM’s tap device and another device in the network namespace Firecracker is running in. If, for example, the VM tap is redirecting with a veth device in a network namespace, the VM guest internally gets a network device with the same mac address as the veth and needs to assign to it the same IP and routes the veth uses. After that, the VM guest essentially operates as though its nic is the same as the veth device outside on the host.
 
@@ -117,51 +118,45 @@ VMs will execute in.
 In this option, Firecracker-containerd just asks for CNI configuration during a CreateVM call, which it will use to configure a network namespace for the Firecracker VM to execute in. The API updates may look something like:
 
 ```
-message FirecrackerNetworkConfiguration {
-    // CNI Configuration to use to create the network namespace in which the
-    // VM will execute. It's an error to specify both this and any NetworkInterfaces
-    // below.
-    FirecrackerCNIConfiguration CNIConfiguration;
+message FirecrackerNetworkInterface {
+    // <existing fields...>
+    
+    // CNI Configuration that will be used to configure the network interface
+    CNIConfiguration CNIConfig;
 
-    // The existing FirecrackerNetworkInterface configuration
-    // which specifies the name of the tap device on the host and rate limiters
-    repeated FirecrackerNetworkInterface NetworkInterfaces;
+    // Static configuration that will be used to configure the network interface
+    StaticNetworkConfiguration StaticConfig;
 }
 
 message FirecrackerCNIConfiguration {
     // Name of the CNI network that will be used to configure the VM
     string NetworkName;
     
-    // Path to CNI bin directory and CNI conf directory, respectively, that will
-    // be used to configure the VM.
-    string BinDirectory;
+    // IF_NAME CNI parameter provided to plugins for the name of devices to create
+    string InterfaceName;
+    
+    // Paths to CNI bin directories, CNI conf directory and CNI cache directory, 
+    // respectively, that will be used to configure the VM.
+    repeated string BinPath;
     string ConfDirectory;
+    string CacheDirectory;
+    
+    // CNI Args passed to plugins
+    repeated CNIArg Args;
 }
 
-message FirecrackerNetworkInterface {
-    // <existing fields...>
-
-    // (Optional) Static configuration that will be applied internally in the
-    // Guest VM. At first, it will be an error to specify this for multiple
-    // NetworkInterfacesin the same CreateVM call (due to the limitations of
-    // using "ip=..."). In time, we may be able to lift that restriction with
-    // updates to the implementation.
-    StaticIPConfiguration StaticIP;
+message StaticNetworkConfiguration {
+    string MacAddress;
+    string HostDevName;
+    IPConfiguration IPConfig;
 }
 
-message StaticIPConfiguration {
+message IPConfiguration {
     // Network configuration that will be applied to a network interface in a
     // Guest VM on boot.
-    string IP;
-    string SubnetMask;
-    string DefaultGateway;
+    string PrimaryAddress;
+    string GatewayAddress;
     repeated string Nameservers;
-    string Hostname;
-}
-
-message CreateVMRequest {
-    // <same existing fields except FirecrackerNetworkInterface which is replaced with the following...>
-    FirecrackerNetworkConfiguration NetworkConfiguration;
 }
 ```
 
@@ -258,7 +253,7 @@ In order for networking to work as expected inside the VM, it needs to have IP a
 
 The IP configuration is just pre-configured in the kernel when the system starts (the same end effect of having run the corresponding netlink commands to configure IP and routes). The DNS configuration is applied by writing the nameserver and search domain configuration to /proc/net/pnp in a format that is compatible with /etc/resolv.conf. The typical approach is to then have /etc/resolv.conf be a symlink to /proc/net/pnp.
 
-Users of Firecracker-containerd are also free to provide their own kernel boot options, which could include their own static IP/DNS configuration. In those cases, if they have enabled CNI configuration, Firecracker-containerd will return an error.  
+Users of Firecracker-containerd are also free to provide their own kernel boot options, which could include their own static IP/DNS configuration. In those cases, if they have enabled CNI configuration, Firecracker-containerd will return an error.
 
 **Pros**
 
@@ -335,21 +330,15 @@ The biggest immediate downside of Option A is the requirement that /etc/resolv.c
 
 Firecracker-containerd will build the current binaries it does today plus a new CNI-plugin compatible binary, `tc-redirect-tap`, that takes an existing network namespace and creates within it a tap device that is redirected via a TC filter to an already networked device in the netns. This CNI plugin is only useful when chained with other CNI-plugins (which will setup the device that the tap will redirect with).
 
-When setting up Firecracker-containerd, users can optionally include CNI configuration in Firecracker-containerd’s runtime config file. If CNI configuration is not passed during CreateVM (such as the single-container VM use case), the runtime will fall back to configuration in the runtime config. If there’s no CNI configuration present in either the CreateVM call or the runtime config, the behavior will remain the same as it is today.
+When setting up Firecracker-containerd, users can optionally include a set of default network interfaces to provide to a VM if none are specified by the user. This allows users to optionally set their VMs to use CNI-configured network interfaces by default. The user is free to provide an explicit NetworkInterfaces list during the CreateVM call (including an empty list), in which case that will be used instead of any defaults present in the runtime config file.
 
-On a high-level, the implementation of CreateVM relevant to the new networking configuration will look something like this:
-
-1. Parse what, if any, CNI configuration is provided via either the CreateVM call or the defaults in the runtime config file.
-2. If CNI Configuration is not present, just continue the VM creation process as it is today
-3. If CNI Configuration is present, check to see if the Jailer configuration specifies a network namespace
-    1. If it does, that will be the network namespace provided to the CNI plugins
-    2. If it does not, a new empty network namespace will be created by the runtime and provided to the CNI plugins
-4. Use the provided CNI configuration to configure the network namespace
-5. Start the Firecracker VM in the network namespace via the Jailer and with the corresponding `ip=...` kernel boot parameters
+The Firecracker Go SDK will take care of checking whether any Jailer config specifies a pre-existing network namespace to use and, if not, creating a new network namespace for the VM on behalf of the user. The Go SDK will also take care of invoking CNI on that network namespace, starting the VMM inside of it, and handling CNI network deletion after the VM stops.
 
 If CreateVM succeeds, any containers running inside the VM with a “host” network namespace will have access to the network configured via CNI outside the VM.
 
-The CNI configuration Firecracker-containerd asks for are just references to a CNI network name, a CNI bin directory (i.e. `/opt/cni/bin`) and a CNI configuration directory (i.e. `/etc/cni/net.d`). A hypothetical example CNI configuration file that uses the standard [ptp CNI plugin](https://github.com/containernetworking/plugins/tree/master/plugins/main/ptp) to create a veth device whose traffic is redirected with a tap device:
+The CNI configuration Firecracker-containerd requires from users are a CNI network name and an IfName parameter to provide to CNI plugins. Other values such as the a CNI bin directories and CNI configuration directories can be provided but will have sensible defaults if not provided.
+
+A hypothetical example CNI configuration file that uses the standard [ptp CNI plugin](https://github.com/containernetworking/plugins/tree/master/plugins/main/ptp) to create a veth device whose traffic is redirected with a tap device:
 
 ```
 {
@@ -361,10 +350,8 @@ The CNI configuration Firecracker-containerd asks for are just references to a C
       "ipMasq": true,
       "ipam": {
         "type": "host-local",
-        "subnet": "192.168.1.0/24"
-      },
-      "dns": {
-        "nameservers": [ "1.1.1.1" ]
+        "subnet": "192.168.1.0/24",
+        "resolvConf": "/etc/resolv.conf"
       }
     },
     {
@@ -376,7 +363,7 @@ The CNI configuration Firecracker-containerd asks for are just references to a C
 
 Given the above configuration, the containers inside the VM will have access to the 192.168.1.0/24 network. Thanks to setting `ipMasq: true`, the containers should also have internet access (assuming the host itself has internet access).
 
-Firecracker-containerd will also provide an example CNI configuration that, if used, will result in Firecracker VMs being spun up with the same access to the network the host has on its default interface (something comparable to Docker’s default networking configuration). This can be setup via a Makefile target (i.e. `install-default-network`), which allows users trying out Firecracker-containerd to get networking, including outbound internet access, working in their Firecracker VMs by default if they so choose.
+Firecracker-containerd will also provide an example CNI configuration that, if used, will result in Firecracker VMs being spun up with the same access to the network the host has on its default interface (something comparable to Docker’s default networking configuration). This can be setup via a Makefile target (i.e. `demo-network`), which allows users trying out Firecracker-containerd to get networking, including outbound internet access, working in their Firecracker VMs by default if they so choose.
 
 ## Hypothetical CRI interactions
 
diff --git a/docs/quickstart.md b/docs/quickstart.md
index fde155baf..d183e5d29 100644
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@@ -4,7 +4,10 @@ This quickstart guide provides simple steps to get a working
 firecracker-containerd environment, with each of the major components built from
 source.  Once you have completed this quickstart, you should be able to run and
 develop firecracker-containerd (the components in this repository), the
-Firecracker VMM, and containerd.
+Firecracker VMM, and containerd. Note that the guide below should result in VMs
+by default having network access to IPs assigned on the host and may, depending
+on the configuration of your host's network, also have outbound access to the
+internet.
 
 This quickstart will clone repositories under your `$HOME` directory and install
 files into `/usr/local/bin`.
@@ -67,7 +70,6 @@ sudo DEBIAN_FRONTEND=noninteractive apt-get \
      install --yes \
      docker-ce aufs-tools-
 sudo usermod -aG docker $(whoami)
-exec newgrp docker
 
 cd ~
 
@@ -80,11 +82,14 @@ cd ~
 #   overlay
 # * firecracker-containerd, an alternative containerd binary that includes the
 #   firecracker VM lifecycle plugin and API
+# * tc-redirect-tap and other CNI dependencies that enable VMs to start with
+#   access to networks available on the host
 git clone https://github.com/firecracker-microvm/firecracker-containerd.git
 cd firecracker-containerd
 sudo DEBIAN_FRONTEND=noninteractive apt-get install -y dmsetup
-make all image
+sg docker -c 'make all image'
 sudo make install
+sudo make demo-network
 
 cd ~
 
@@ -128,7 +133,13 @@ sudo tee /etc/containerd/firecracker-runtime.json <<EOF
   "log_fifo": "fc-logs.fifo",
   "log_level": "Debug",
   "metrics_fifo": "fc-metrics.fifo",
-  "kernel_args": "console=ttyS0 noapic reboot=k panic=1 pci=off nomodules ro systemd.journald.forward_to_console systemd.unit=firecracker.target init=/sbin/overlay-init"
+  "kernel_args": "console=ttyS0 noapic reboot=k panic=1 pci=off nomodules ro systemd.journald.forward_to_console systemd.unit=firecracker.target init=/sbin/overlay-init",
+  "default_network_interfaces": [{
+    "CNIConfig": {
+      "NetworkName": "fcnet",
+      "InterfaceName": "veth0"
+    }
+  }]
 }
 EOF
 
@@ -164,7 +175,7 @@ sudo firecracker-ctr --address /run/firecracker-containerd/containerd.sock \
      run \
      --snapshotter firecracker-naive \
      --runtime aws.firecracker \
-     --tty \
+     --rm --tty --net-host \
      docker.io/library/debian:latest \
      test
 ```
diff --git a/examples/Makefile b/examples/Makefile
index 1ef32604f..ee4fd0541 100644
--- a/examples/Makefile
+++ b/examples/Makefile
@@ -35,13 +35,23 @@ integ-test:
 		--privileged \
 		--ipc=host \
 		--volume /dev:/dev \
-		--volume /sys:/sys \
 		--volume /run/udev/control:/run/udev/control \
 		--volume $(CURDIR)/logs:/var/log/firecracker-containerd-test \
 		--env EXTRAGOARGS="${EXTRAGOARGS}" \
 		--workdir="/firecracker-containerd/examples" \
 		localhost/firecracker-containerd-naive-integ-test:${DOCKER_IMAGE_TAG} \
-		"make examples && ./taskworkflow"
+		"make examples && make testtap && ./taskworkflow -ip $(TEST_IP)$(TEST_SUBNET) -gw $(TEST_GATEWAY)"
+
+TEST_GATEWAY?=172.16.0.1
+TEST_IP?=172.16.0.2
+TEST_SUBNET?=/24
+testtap:
+	ip link add br0 type bridge
+	ip tuntap add tap0 mode tap
+	ip link set tap0 master br0
+	ip link set dev tap0 up
+	ip link set dev br0 up
+	ip addr add dev br0 $(TEST_GATEWAY)$(TEST_SUBNET)
 
 clean:
 	- rm -f taskworkflow
@@ -51,4 +61,4 @@ distclean: clean
 
 install:
 
-.PHONY: all examples clean distclean install test integ-test
+.PHONY: all examples clean distclean install test integ-test testtap
diff --git a/examples/taskworkflow.go b/examples/taskworkflow.go
index 829da2e3e..bfb4d3039 100644
--- a/examples/taskworkflow.go
+++ b/examples/taskworkflow.go
@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"log"
+	"net"
 	"net/http"
 	"syscall"
 	"time"
@@ -27,7 +28,6 @@ import (
 	"github.com/containerd/containerd/cio"
 	"github.com/containerd/containerd/namespaces"
 	"github.com/containerd/containerd/oci"
-	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 
 	fcclient "github.com/firecracker-microvm/firecracker-containerd/firecracker-control/client"
@@ -39,37 +39,36 @@ const (
 	containerdAddress      = "/run/containerd/containerd.sock"
 	containerdTTRPCAddress = containerdAddress + ".ttrpc"
 	namespaceName          = "firecracker-containerd-example"
-	kernelArgsFormat       = "console=ttyS0 noapic reboot=k panic=1 pci=off nomodules rw ip=%s::%s:%s:::off::::"
+	kernelArgs             = "console=ttyS0 noapic reboot=k panic=1 pci=off nomodules rw"
 	macAddress             = "AA:FC:00:00:00:01"
 	hostDevName            = "tap0"
 )
 
 func main() {
-	var ip = flag.String("ip", "", "ip address assigned to the container. Example: -ip 172.16.0.1")
-	var gateway = flag.String("gw", "", "gateway ip address. Example: -gw 172.16.0.1")
-	var netMask = flag.String("mask", "", "subnet gatway mask. Example: -mask 255.255.255.0")
+	var containerCIDR = flag.String("ip", "", "ip address and subnet assigned to the container in CIDR notation. Example: -ip 172.16.0.2/24")
+	var gatewayIP = flag.String("gw", "", "gateway ip address. Example: -gw 172.16.0.1")
 	log.SetFlags(log.Ldate | log.Ltime | log.Lmicroseconds)
 	flag.Parse()
-	if *ip != "" && (*gateway == "" || *netMask == "") {
-		log.Fatal("Incorrect usage. 'gw' and 'mask' need to be specified when 'ip' is specified")
+	if *containerCIDR != "" && *gatewayIP == "" {
+		log.Fatal("Incorrect usage. 'gw' needs to be specified when 'ip' is specified")
 	}
-	if err := taskWorkflow(*ip, *gateway, *netMask); err != nil {
+	if err := taskWorkflow(*containerCIDR, *gatewayIP); err != nil {
 		log.Fatal(err)
 	}
 }
 
-func taskWorkflow(containerIP string, gateway string, netMask string) (err error) {
+func taskWorkflow(containerCIDR string, gateway string) (err error) {
 	log.Println("Creating containerd client")
 	client, err := containerd.New(containerdAddress)
 	if err != nil {
 		return errors.Wrapf(err, "creating client")
-
 	}
+
 	defer client.Close()
 	log.Println("Created containerd client")
 
 	ctx := namespaces.WithNamespace(context.Background(), namespaceName)
-	image, err := client.Pull(ctx, "docker.io/library/nginx:latest",
+	image, err := client.Pull(ctx, "docker.io/library/nginx:1.17-alpine",
 		containerd.WithPullUnpack,
 		containerd.WithPullSnapshotter("firecracker-naive"),
 	)
@@ -85,16 +84,22 @@ func taskWorkflow(containerIP string, gateway string, netMask string) (err error
 	defer fcClient.Close()
 
 	vmID := "fc-example"
-	createVMRequest := &proto.CreateVMRequest{VMID: vmID}
+	createVMRequest := &proto.CreateVMRequest{
+		VMID:       vmID,
+		KernelArgs: kernelArgs,
+	}
 
-	if containerIP != "" {
-		createVMRequest.NetworkInterfaces = []*proto.FirecrackerNetworkInterface{
-			{
+	if containerCIDR != "" {
+		createVMRequest.NetworkInterfaces = []*proto.FirecrackerNetworkInterface{{
+			StaticConfig: &proto.StaticNetworkConfiguration{
 				MacAddress:  macAddress,
 				HostDevName: hostDevName,
+				IPConfig: &proto.IPConfiguration{
+					PrimaryAddr: containerCIDR,
+					GatewayAddr: gateway,
+				},
 			},
-		}
-		createVMRequest.KernelArgs = fmt.Sprintf(kernelArgsFormat, containerIP, gateway, netMask)
+		}}
 	}
 
 	_, err = fcClient.CreateVM(ctx, createVMRequest)
@@ -120,10 +125,8 @@ func taskWorkflow(containerIP string, gateway string, netMask string) (err error
 		containerd.WithNewSnapshot("demo-snapshot", image),
 		containerd.WithNewSpec(
 			oci.WithImageConfig(image),
-			oci.WithHostNamespace(specs.NetworkNamespace),
-			oci.WithHostHostsFile,
-			oci.WithHostResolvconf,
 			firecrackeroci.WithVMID(vmID),
+			firecrackeroci.WithVMNetwork,
 		),
 		containerd.WithRuntime("aws.firecracker", nil),
 	)
@@ -155,37 +158,47 @@ func taskWorkflow(containerIP string, gateway string, netMask string) (err error
 	log.Println("Successfully started the container task")
 	time.Sleep(3 * time.Second)
 
-	if containerIP != "" {
-		log.Println("Executing http GET on " + containerIP)
-		getResponse(containerIP)
+	var httpGetErr error
+	if containerCIDR != "" {
+		ip, _, err := net.ParseCIDR(containerCIDR)
+		if err != nil {
+			// this is validated as part of the CreateVM call, should never happen
+			return errors.Wrapf(err, "failed parsing CIDR %q", containerCIDR)
+		}
+
+		log.Println("Executing http GET on " + ip.String())
+		httpGetErr = getResponse(ip.String())
+		if httpGetErr != nil {
+			log.Printf("error making http GET request: %v\n", err)
+		}
 	}
 
 	if err := task.Kill(ctx, syscall.SIGTERM); err != nil {
 		return errors.Wrapf(err, "killing task")
-
 	}
+
 	status := <-exitStatusC
 	code, _, err := status.Result()
 	if err != nil {
 		return errors.Wrapf(err, "getting task's exit code")
-
 	}
 	log.Printf("task exited with status: %d\n", code)
-	return nil
+
+	return httpGetErr
 }
 
-func getResponse(containerIP string) {
-	response, err := http.Get("http://" + containerIP)
+func getResponse(containerIP string) error {
+	response, err := http.Get(fmt.Sprintf("http://%s/", containerIP))
 	if err != nil {
-		log.Println("Unable to get response from " + containerIP)
-		return
+		return errors.Wrapf(err, "Unable to get response from %s", containerIP)
 	}
 	defer response.Body.Close()
+
 	contents, err := ioutil.ReadAll(response.Body)
 	if err != nil {
-		log.Printf("Unable to read response body: %v\n", err)
-		return
+		return errors.Wrapf(err, "Unable to read response body from %s", containerIP)
 	}
 
 	log.Printf("Response from [%s]: \n[%s]\n", containerIP, contents)
+	return nil
 }
diff --git a/go.mod b/go.mod
index 41e3c6667..372c1db22 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,6 @@ module github.com/firecracker-microvm/firecracker-containerd
 
 require (
 	github.com/Microsoft/go-winio v0.4.14 // indirect
-	github.com/Microsoft/hcsshim v0.8.1 // indirect
 	github.com/StackExchange/wmi v0.0.0-20181212234831-e0a55b97c705 // indirect
 	github.com/containerd/cgroups v0.0.0-20181105182409-82cb49fc1779 // indirect
 	github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50 // indirect
@@ -17,16 +16,17 @@ require (
 	github.com/docker/go-events v0.0.0-20170721190031-9461782956ad // indirect
 	github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82 // indirect
 	github.com/docker/go-units v0.3.3
-	github.com/firecracker-microvm/firecracker-go-sdk v0.17.0
+	github.com/firecracker-microvm/firecracker-go-sdk v0.17.1-0.20190912001513-a4afb10dd9d7
 	github.com/go-ole/go-ole v1.2.4 // indirect
 	github.com/godbus/dbus v0.0.0-20181025153459-66d97aec3384 // indirect
 	github.com/gofrs/uuid v3.2.0+incompatible
 	github.com/gogo/googleapis v1.1.0 // indirect
-	github.com/gogo/protobuf v1.2.1
-	github.com/golang/protobuf v1.2.0
+	github.com/gogo/protobuf v1.3.0
+	github.com/golang/protobuf v1.3.1
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/hashicorp/go-multierror v1.0.0
 	github.com/mdlayher/vsock v0.0.0-20190329173812-a92c53d5dcab
+	github.com/miekg/dns v1.1.16
 	github.com/opencontainers/go-digest v1.0.0-rc1 // indirect
 	github.com/opencontainers/image-spec v1.0.1 // indirect
 	github.com/opencontainers/runc v1.0.0-rc8
@@ -36,12 +36,12 @@ require (
 	github.com/shirou/gopsutil v2.18.12+incompatible
 	github.com/shirou/w32 v0.0.0-20160930032740-bb4de0191aa4 // indirect
 	github.com/sirupsen/logrus v1.4.1
-	github.com/stretchr/testify v1.2.2
+	github.com/stretchr/testify v1.3.0
 	github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 // indirect
 	github.com/urfave/cli v1.20.0 // indirect
 	go.etcd.io/bbolt v1.3.1-etcd.8
 	golang.org/x/sync v0.0.0-20181108010431-42b317875d0f
-	golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b
+	golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f
 	google.golang.org/genproto v0.0.0-20181109154231-b5d43981345b // indirect
 	google.golang.org/grpc v1.21.0
 	gotest.tools v2.2.0+incompatible // indirect
diff --git a/go.sum b/go.sum
index 333312e75..163c6d7fc 100644
--- a/go.sum
+++ b/go.sum
@@ -1,20 +1,23 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
 github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+qxleU=
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
-github.com/Microsoft/hcsshim v0.8.1 h1:0RKPd1pQB/4YRjdw0jFwq3A5nWFN4n1ojNzcm4B+8ZI=
-github.com/Microsoft/hcsshim v0.8.1/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
+github.com/Microsoft/hcsshim v0.8.6 h1:ZfF0+zZeYdzMIVMZHKtDKJvLHj76XCuVae/jNkjj0IA=
+github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
 github.com/PuerkitoBio/purell v1.1.0 h1:rmGxhojJlM0tuKtfdvliR84CFHljx9ag64t2xmVkjK4=
 github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/StackExchange/wmi v0.0.0-20181212234831-e0a55b97c705 h1:UUppSQnhf4Yc6xGxSkoQpPhb7RVzuv5Nb1mwJ5VId9s=
 github.com/StackExchange/wmi v0.0.0-20181212234831-e0a55b97c705/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
+github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0=
 github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf h1:eg0MeVzsP1G42dRafH3vf+al2vQIJU0YHX+1Tw87oco=
 github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 h1:xJ4a3vCFaGF/jqvzLMYoU8P317H5OQ+Via4RmuPwCS0=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/containerd/cgroups v0.0.0-20181105182409-82cb49fc1779 h1:j1IsLW6/hNZPIyBH1v0hhEeB1WXE2ffhHaqSuXhgknY=
 github.com/containerd/cgroups v0.0.0-20181105182409-82cb49fc1779/go.mod h1:X9rLEHIqSf/wfK8NsPqxJmeZgW4pcfzdXITDrUSJ6uI=
@@ -32,8 +35,20 @@ github.com/containerd/ttrpc v0.0.0-20190613183316-1fb3814edf44 h1:vG5QXCUakUhR2C
 github.com/containerd/ttrpc v0.0.0-20190613183316-1fb3814edf44/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
 github.com/containerd/typeurl v0.0.0-20181015155603-461401dc8f19 h1:gzdItdct+4eLnZxiZi1YcIXx3uo5QWa/xXKnsldEqY8=
 github.com/containerd/typeurl v0.0.0-20181015155603-461401dc8f19/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
+github.com/containernetworking/cni v0.7.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
+github.com/containernetworking/cni v0.7.2-0.20190807151350-8c6c47d1c7fc h1:zUNdrf9w09mWodVhZ9hX4Yk4Uu84n/OgdfPattAwwt8=
+github.com/containernetworking/cni v0.7.2-0.20190807151350-8c6c47d1c7fc/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
+github.com/containernetworking/plugins v0.8.2 h1:5lnwfsAYO+V7yXhysJKy3E1A2Gy9oVut031zfdOzI9w=
+github.com/containernetworking/plugins v0.8.2/go.mod h1:TxALKWZpWL79BC3GOYKJzzXr7U8R23PdhwaLp6F3adc=
+github.com/coreos/go-iptables v0.4.2/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
+github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20181031085051-9002847aa142 h1:3jFq2xL4ZajGK4aZY8jz+DAF0FHjI51BXjjSwCzS1Dk=
 github.com/coreos/go-systemd v0.0.0-20181031085051-9002847aa142/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1SMSibvLzxjeJLnrYEVLULFNiHY9YfQ=
+github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s=
+github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8=
+github.com/d2g/hardwareaddr v0.0.0-20190221164911-e7d9fbe030e4/go.mod h1:bMl4RjIciD2oAxI7DmWRx6gbeqrkoLqv3MV0vzNad+I=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible h1:dvc1KSkIYTVjZgHf/CTC2diTYC8PzhaA5sFISRfNVrE=
@@ -44,8 +59,8 @@ github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82 h1:X0fj836zx99zF
 github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
 github.com/docker/go-units v0.3.3 h1:Xk8S3Xj5sLGlG5g67hJmYMmUgXv5N4PhkjJHHqrwnTk=
 github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/firecracker-microvm/firecracker-go-sdk v0.17.0 h1:k0Nj15aYbuuJ3nP8yUDWvQKqAoQgxUXtw6go8RLFP4k=
-github.com/firecracker-microvm/firecracker-go-sdk v0.17.0/go.mod h1:QcNsz2gYkcTI/zAQl3dYeLwf7KxtjKnt7aGklhn9yYk=
+github.com/firecracker-microvm/firecracker-go-sdk v0.17.1-0.20190912001513-a4afb10dd9d7 h1:9suT/hW4u++sJdgHLU1duoiRuRHwrGf/RKSKG2prsJY=
+github.com/firecracker-microvm/firecracker-go-sdk v0.17.1-0.20190912001513-a4afb10dd9d7/go.mod h1:tVXziw7GjioCKVjI5/agymYxUaqJM6q7cp9e6kwjo8Q=
 github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb h1:D4uzjWwKYQ5XnAvUbuvHW93esHg7F8N/OYeBBcJoTr0=
 github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
 github.com/go-ole/go-ole v1.2.4 h1:nNBDSCOigTSiarFpYE9J/KtEA1IOW4CNeqT9TQDqCxI=
@@ -76,14 +91,15 @@ github.com/go-openapi/swag v0.17.1/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/
 github.com/go-openapi/validate v0.17.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
 github.com/go-openapi/validate v0.17.1 h1:RfQTLHm/gEu0oSUmbTOy0PMufjkE5/pPfnqYpor3WLc=
 github.com/go-openapi/validate v0.17.1/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
+github.com/godbus/dbus v0.0.0-20180201030542-885f9cc04c9c/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
 github.com/godbus/dbus v0.0.0-20181025153459-66d97aec3384 h1:xNwo3yd3PZYRDAr/Dz0sBfDWY6El2xPCKJrwJVfMFjY=
 github.com/godbus/dbus v0.0.0-20181025153459-66d97aec3384/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
 github.com/gofrs/uuid v3.2.0+incompatible h1:y12jRkkFxsd7GpqdSZ+/KCs/fJbqpEXSGd4+jfEaewE=
 github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/googleapis v1.1.0 h1:kFkMAZBNAn4j7K0GiZr8cRYzejq68VbheufiV3YuyFI=
 github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s=
-github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE=
-github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/gogo/protobuf v1.3.0 h1:G8O7TerXerS4F6sx9OV7/nRfJdnXgHZu/S/7F2SN+UE=
+github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:tluoj9z5200jBnyusfRPU2LqT6J+DAorxEvtC7LHB+E=
@@ -91,6 +107,8 @@ github.com/golang/mock v1.1.1 h1:G5FRp8JnTd7RQH5kemVNlMeyXQAztQ3mOWV95KxsXH8=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/uuid v1.0.0 h1:b4Gk+7WdP/d3HZH8EJsZpvV7EtDOgaZLtnaNGIu1adA=
@@ -101,19 +119,35 @@ github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/U
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
-github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
+github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA=
+github.com/juju/errors v0.0.0-20180806074554-22422dad46e1/go.mod h1:W54LbzXuIE0boCoNJfwqpmkKJ1O4TCTZMetAt6jGk7Q=
+github.com/juju/loggo v0.0.0-20190526231331-6e530bcce5d8/go.mod h1:vgyd7OREkbtVEN/8IXZe5Ooef3LQePvuBm9UWj6ZL8U=
+github.com/juju/testing v0.0.0-20190613124551-e81189438503/go.mod h1:63prj8cnj0tU0S9OHjGJn+b1h0ZghCndfnbQolrYTwA=
+github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/konsorten/go-windows-terminal-sequences v0.0.0-20180402223658-b729f2633dfe/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329 h1:2gxZ0XQIU/5z3Z3bUBu+FXuk2pFbkN6tcwi/pjyaDic=
 github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mdlayher/vsock v0.0.0-20190329173812-a92c53d5dcab h1:E28+3hGUcb3qollqPbcWwUeQqHI7DtBqQ2m9WG3zOpk=
 github.com/mdlayher/vsock v0.0.0-20190329173812-a92c53d5dcab/go.mod h1:D7ATxm5dbu8KgVaJHLbtcFfkt6/ERTpnCK7kVpGOqsk=
+github.com/miekg/dns v1.1.16 h1:iMEQ/IVHxPTtx2Q07JP/k4CKRvSjiAZjZ0hnhgYEDmE=
+github.com/miekg/dns v1.1.16/go.mod h1:YNV562EiewvSmpCB6/W4c6yqjK7Z+M/aIS1JHsIVeg8=
 github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/onsi/ginkgo v0.0.0-20151202141238-7f8ab55aaf3b h1:Ey6yH0acn50T/v6CB75bGP4EMJqnv9WvnjN7oZaj+xE=
+github.com/onsi/ginkgo v0.0.0-20151202141238-7f8ab55aaf3b/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a h1:KfNOeFvoAssuZLT7IntKZElKwi/5LRuxY71k+t6rfaM=
+github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/opencontainers/go-digest v1.0.0-rc1 h1:WzifXhOVOEOuFYOJAW6aQqW0TooG2iki3E3Ii+WN7gQ=
 github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/image-spec v1.0.1 h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI=
@@ -136,30 +170,45 @@ github.com/prometheus/common v0.0.0-20181126121408-4724e9255275 h1:PnBWHBf+6L0jO
 github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a h1:9a8MnZMP0X2nLJdBg+pBmGgkJlSaKC2KaQmTCk1XDtE=
 github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
 github.com/shirou/gopsutil v2.18.12+incompatible h1:1eaJvGomDnH74/5cF4CTmTbLHAriGFsTZppLXDX93OM=
 github.com/shirou/gopsutil v2.18.12+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
 github.com/shirou/w32 v0.0.0-20160930032740-bb4de0191aa4 h1:udFKJ0aHUL60LboW/A+DfgoHVedieIzIXE8uylPue0U=
 github.com/shirou/w32 v0.0.0-20160930032740-bb4de0191aa4/go.mod h1:qsXQc7+bwAM3Q1u/4XEfrquwF8Lw7D7y5cD8CuHnfIc=
+github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
 github.com/sirupsen/logrus v1.1.1/go.mod h1:zrgwTnHtNr00buQ1vSptGe8m1f/BbgsPukg8qsT7A+A=
 github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/sparrc/go-ping v0.0.0-20190613174326-4e5b6552494c h1:gqEdF4VwBu3lTKGHS9rXE9x1/pEaSwCXRLOZRF6qtlw=
+github.com/sparrc/go-ping v0.0.0-20190613174326-4e5b6552494c/go.mod h1:eMyUVp6f/5jnzM+3zahzl7q6UXLbgSc3MKg/+ow9QW0=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 h1:b6uOv7YOFK0TYG7HtkIgExQo+2RdLuwRft63jn2HWj8=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/urfave/cli v1.20.0 h1:fDqGv3UG/4jbVl/QkFwEdddtEDjh/5Ov6X+0B/3bPaw=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
+github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf h1:3J37+NPjNyGW/dbfXtj3yWuF9OEepIdGOXRaJGbORV8=
+github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
+github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc h1:R83G5ikgLMxrBvLh22JhdfI8K6YXEPHx5P03Uu3DRs4=
+github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI=
 go.etcd.io/bbolt v1.3.1-etcd.8 h1:6J7QAKqfFBGnU80KRnuQxfjjeE5xAGE/qB810I3FQHQ=
 go.etcd.io/bbolt v1.3.1-etcd.8/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793 h1:u+LnwYTOOW7Ukr/fppxEb1Nwz0AtPflrblfvUudpo+I=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20181001203147-e3636079e1a4/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180926154720-4dfa2610cdf3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181011144130-49bb7cea24b1/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181106065722-10aee1819953/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -171,17 +220,20 @@ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f h1:Bl/8QSvNqXvPGPGXa2z5xUTm
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180928133829-e4b3c5e90611/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190329044733-9eb1bfa1ce65 h1:hOY+O8MxdkPV10pNf7/XEHaySCiPKxixMKUshfHsGn0=
 golang.org/x/sys v0.0.0-20190329044733-9eb1bfa1ce65/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b h1:ag/x1USPSsqHud38I9BAC88qdNLDHHtQ4mlgQIZPPNA=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f h1:25KHgbfyiSm6vwQLbM3zZIe1v9p/3ea4Rz+nnM5K/i4=
+golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
@@ -191,10 +243,17 @@ google.golang.org/grpc v1.16.0 h1:dz5IJGuC2BB7qXR5AyHNwAUBhZscK2xVez7mznh72sY=
 google.golang.org/grpc v1.16.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio=
 google.golang.org/grpc v1.21.0 h1:G+97AoqBnmZIT91cLG/EkCoK9NSelj64P8bOHHNmGn0=
 google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
+gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
+gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA=
 gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
diff --git a/internal/network_test_utils.go b/internal/network_test_utils.go
new file mode 100644
index 000000000..e3937b8a0
--- /dev/null
+++ b/internal/network_test_utils.go
@@ -0,0 +1,150 @@
+// Copyright 2018-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//	http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package internal
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/http"
+	"os/exec"
+
+	"github.com/miekg/dns"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+const (
+	domainName = "phony.domain.test"
+)
+
+// LocalNetworkServices provides a way of running bare-bones
+// DNS and HTTP servers bound to the ip of a created device,
+// which enables testing VM networking without relying on an
+// external network.
+type LocalNetworkServices interface {
+	// DNSServerIP returns the IP address of the DNS server
+	// (useful for seting resolv.conf)
+	DNSServerIP() string
+
+	// URL returns the full URL to use when querying the provided
+	// subpath. i.e. if subpath is "foo/bar", this will return
+	// something like "http://phony.domain.test/foo/bar"
+	URL(subpath string) string
+
+	// Serve will start the DNS and HTTP servers, blocking until
+	// either of them shuts down.
+	Serve(ctx context.Context) error
+}
+
+// NewLocalNetworkServices returns an implementation of
+// LocalNetworkServices where the DNS server will bind to the
+// ip of a created device and serve a single mapping from
+// "domain" to that ip. The HTTP server will serve a pages at
+// paths defined in the keys of "webpages", with the content set
+// in the values of that map.
+func NewLocalNetworkServices(webpages map[string]string) (LocalNetworkServices, error) {
+	testDevName := "testdev0"
+	ipAddr := "10.0.0.1"
+	ipCidr := fmt.Sprintf("%s/32", ipAddr)
+
+	output, err := exec.Command("ip", "tuntap", "add", testDevName, "mode", "tun").CombinedOutput()
+	if err != nil {
+		return nil, errors.Wrapf(err, `failed to add tun dev, "ip" command output: %s`, string(output))
+	}
+
+	output, err = exec.Command("ip", "addr", "add", ipCidr, "dev", testDevName).CombinedOutput()
+	if err != nil {
+		return nil, errors.Wrapf(err, `failed to assign ip to tun dev, "ip" command output: %s`, string(output))
+	}
+
+	output, err = exec.Command("ip", "link", "set", "dev", testDevName, "up").CombinedOutput()
+	if err != nil {
+		return nil, errors.Wrapf(err, `failed to set tun dev up, "ip" command output: %s`, string(output))
+	}
+
+	return &localNetworkServices{
+		domain:   domainName,
+		webpages: webpages,
+		ipAddr:   ipAddr,
+	}, nil
+}
+
+type localNetworkServices struct {
+	domain   string
+	webpages map[string]string
+	ipAddr   string
+}
+
+func (l localNetworkServices) DNSServerIP() string {
+	return l.ipAddr
+}
+
+func (l localNetworkServices) URL(subpath string) string {
+	return fmt.Sprintf("http://%s/%s", l.domain, subpath)
+}
+
+func (l localNetworkServices) Serve(ctx context.Context) error {
+	errGroup, _ := errgroup.WithContext(ctx)
+
+	errGroup.Go(func() error {
+		dnsSrv := &dns.Server{
+			Addr: l.ipAddr + ":53",
+			Net:  "udp",
+			Handler: &dnsHandler{
+				records: map[string]string{
+					l.domain + ".": l.ipAddr,
+				},
+			},
+		}
+		return dnsSrv.ListenAndServe()
+	})
+
+	errGroup.Go(func() error {
+		for path, contents := range l.webpages {
+			webpage := contents
+			http.HandleFunc("/"+path, func(w http.ResponseWriter, r *http.Request) {
+				fmt.Fprintf(w, webpage)
+			})
+		}
+
+		return http.ListenAndServe(l.ipAddr+":80", nil)
+	})
+
+	return errGroup.Wait()
+}
+
+type dnsHandler struct {
+	records map[string]string
+}
+
+func (h dnsHandler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	msg := dns.Msg{}
+	msg.SetReply(r)
+	if r.Question[0].Qtype == dns.TypeA {
+		msg.Authoritative = true
+		domain := msg.Question[0].Name
+		address, ok := h.records[domain]
+		if ok {
+			msg.Answer = append(msg.Answer, &dns.A{
+				Hdr: dns.RR_Header{Name: domain, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 3600},
+				A:   net.ParseIP(address),
+			})
+		} else {
+			msg.SetRcode(r, dns.RcodeNameError)
+		}
+	}
+
+	w.WriteMsg(&msg)
+}
diff --git a/proto/events.pb.go b/proto/events.pb.go
index 80b0bdf7d..95486da1f 100644
--- a/proto/events.pb.go
+++ b/proto/events.pb.go
@@ -18,7 +18,7 @@ var _ = math.Inf
 // is compatible with the proto package it is being compiled against.
 // A compilation error at this line likely means your copy of the
 // proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
 
 type VMStart struct {
 	VMID                 string   `protobuf:"bytes,1,opt,name=VMID,json=vMID,proto3" json:"VMID,omitempty"`
diff --git a/proto/firecracker.pb.go b/proto/firecracker.pb.go
index 9aad97e06..2df343d8a 100644
--- a/proto/firecracker.pb.go
+++ b/proto/firecracker.pb.go
@@ -18,7 +18,7 @@ var _ = math.Inf
 // is compatible with the proto package it is being compiled against.
 // A compilation error at this line likely means your copy of the
 // proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
 
 // CreateVMRequest specifies creation parameters for a new FC instance
 type CreateVMRequest struct {
diff --git a/proto/firecracker.proto b/proto/firecracker.proto
index 718a62c8b..bc2a5edee 100644
--- a/proto/firecracker.proto
+++ b/proto/firecracker.proto
@@ -53,4 +53,4 @@ message GetVMInfoResponse {
 message SetVMMetadataRequest {
     string VMID = 1;
     string Metadata = 2;
-}
+}
\ No newline at end of file
diff --git a/proto/service/fccontrol/ttrpc/fccontrol.pb.go b/proto/service/fccontrol/ttrpc/fccontrol.pb.go
index 299326ccf..1c3e4a7a3 100644
--- a/proto/service/fccontrol/ttrpc/fccontrol.pb.go
+++ b/proto/service/fccontrol/ttrpc/fccontrol.pb.go
@@ -22,7 +22,7 @@ var _ = math.Inf
 // is compatible with the proto package it is being compiled against.
 // A compilation error at this line likely means your copy of the
 // proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
 
 func init() { proto.RegisterFile("fccontrol.proto", fileDescriptor_b99f53e2bf82c5ef) }
 
diff --git a/proto/types.pb.go b/proto/types.pb.go
index 2db346d45..14b7cb2b7 100644
--- a/proto/types.pb.go
+++ b/proto/types.pb.go
@@ -19,7 +19,7 @@ var _ = math.Inf
 // is compatible with the proto package it is being compiled against.
 // A compilation error at this line likely means your copy of the
 // proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
 
 // Message to store bundle/config.json bytes
 type ExtraData struct {
@@ -102,14 +102,18 @@ func (m *ExtraData) GetDriveID() string {
 
 // Message to specify network config for a Firecracker VM
 type FirecrackerNetworkInterface struct {
-	MacAddress           string                  `protobuf:"bytes,1,opt,name=MacAddress,json=macAddress,proto3" json:"MacAddress,omitempty"`
-	HostDevName          string                  `protobuf:"bytes,2,opt,name=HostDevName,json=hostDevName,proto3" json:"HostDevName,omitempty"`
-	AllowMMDS            bool                    `protobuf:"varint,3,opt,name=AllowMMDS,json=allowMMDS,proto3" json:"AllowMMDS,omitempty"`
-	InRateLimiter        *FirecrackerRateLimiter `protobuf:"bytes,4,opt,name=InRateLimiter,json=inRateLimiter,proto3" json:"InRateLimiter,omitempty"`
-	OutRateLimiter       *FirecrackerRateLimiter `protobuf:"bytes,5,opt,name=OutRateLimiter,json=outRateLimiter,proto3" json:"OutRateLimiter,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}                `json:"-"`
-	XXX_unrecognized     []byte                  `json:"-"`
-	XXX_sizecache        int32                   `json:"-"`
+	AllowMMDS      bool                    `protobuf:"varint,1,opt,name=AllowMMDS,json=allowMMDS,proto3" json:"AllowMMDS,omitempty"`
+	InRateLimiter  *FirecrackerRateLimiter `protobuf:"bytes,2,opt,name=InRateLimiter,json=inRateLimiter,proto3" json:"InRateLimiter,omitempty"`
+	OutRateLimiter *FirecrackerRateLimiter `protobuf:"bytes,3,opt,name=OutRateLimiter,json=outRateLimiter,proto3" json:"OutRateLimiter,omitempty"`
+	// CNIConfiguration specifies CNI configuration that will be used to generate
+	// a network interface for a Firecracker VM.
+	CNIConfig *CNIConfiguration `protobuf:"bytes,4,opt,name=CNIConfig,json=cNIConfig,proto3" json:"CNIConfig,omitempty"`
+	// StaticNetworkConfiguration specifies static configuration parameters for a
+	// Firecracker VM's network interface
+	StaticConfig         *StaticNetworkConfiguration `protobuf:"bytes,5,opt,name=StaticConfig,json=staticConfig,proto3" json:"StaticConfig,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}                    `json:"-"`
+	XXX_unrecognized     []byte                      `json:"-"`
+	XXX_sizecache        int32                       `json:"-"`
 }
 
 func (m *FirecrackerNetworkInterface) Reset()         { *m = FirecrackerNetworkInterface{} }
@@ -136,37 +140,301 @@ func (m *FirecrackerNetworkInterface) XXX_DiscardUnknown() {
 
 var xxx_messageInfo_FirecrackerNetworkInterface proto.InternalMessageInfo
 
-func (m *FirecrackerNetworkInterface) GetMacAddress() string {
+func (m *FirecrackerNetworkInterface) GetAllowMMDS() bool {
+	if m != nil {
+		return m.AllowMMDS
+	}
+	return false
+}
+
+func (m *FirecrackerNetworkInterface) GetInRateLimiter() *FirecrackerRateLimiter {
+	if m != nil {
+		return m.InRateLimiter
+	}
+	return nil
+}
+
+func (m *FirecrackerNetworkInterface) GetOutRateLimiter() *FirecrackerRateLimiter {
+	if m != nil {
+		return m.OutRateLimiter
+	}
+	return nil
+}
+
+func (m *FirecrackerNetworkInterface) GetCNIConfig() *CNIConfiguration {
+	if m != nil {
+		return m.CNIConfig
+	}
+	return nil
+}
+
+func (m *FirecrackerNetworkInterface) GetStaticConfig() *StaticNetworkConfiguration {
+	if m != nil {
+		return m.StaticConfig
+	}
+	return nil
+}
+
+// Message to specify CNI configuration that will be used to
+// generate a network interface for a Firecracker VM
+type CNIConfiguration struct {
+	// NetworkName is the name of a CNI network (as found in CNI
+	// configuration files) that will be used to generate the
+	// network interface.
+	NetworkName string `protobuf:"bytes,1,opt,name=NetworkName,json=networkName,proto3" json:"NetworkName,omitempty"`
+	// InterfaceName corresponds to the CNI_IFNAME parameter that will be
+	// provided to CNI plugins during invocation.
+	InterfaceName string `protobuf:"bytes,2,opt,name=InterfaceName,json=interfaceName,proto3" json:"InterfaceName,omitempty"`
+	// BinPath is a list of directories that will be searched when
+	// looking for CNI plugin binaries. Defaults to just "/opt/cni/bin"
+	BinPath []string `protobuf:"bytes,3,rep,name=BinPath,json=binPath,proto3" json:"BinPath,omitempty"`
+	// ConfDir is the directory in which CNI configuration will be sought.
+	// If not specified, will default to "/etc/cni/conf.d".
+	ConfDir string `protobuf:"bytes,4,opt,name=ConfDir,json=confDir,proto3" json:"ConfDir,omitempty"`
+	// CacheDir is the directory in which CNI results will be temporarily
+	// cached by the runtime. If not specified, it will default to
+	// "/var/lib/cni"
+	CacheDir string `protobuf:"bytes,5,opt,name=CacheDir,json=cacheDir,proto3" json:"CacheDir,omitempty"`
+	// Args corresponds to the CNI_ARGS parameter that will be provided to
+	// CNI plugins on invocation.
+	Args                 []*CNIConfiguration_CNIArg `protobuf:"bytes,6,rep,name=Args,json=args,proto3" json:"Args,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}                   `json:"-"`
+	XXX_unrecognized     []byte                     `json:"-"`
+	XXX_sizecache        int32                      `json:"-"`
+}
+
+func (m *CNIConfiguration) Reset()         { *m = CNIConfiguration{} }
+func (m *CNIConfiguration) String() string { return proto.CompactTextString(m) }
+func (*CNIConfiguration) ProtoMessage()    {}
+func (*CNIConfiguration) Descriptor() ([]byte, []int) {
+	return fileDescriptor_d938547f84707355, []int{2}
+}
+func (m *CNIConfiguration) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CNIConfiguration.Unmarshal(m, b)
+}
+func (m *CNIConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CNIConfiguration.Marshal(b, m, deterministic)
+}
+func (m *CNIConfiguration) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CNIConfiguration.Merge(m, src)
+}
+func (m *CNIConfiguration) XXX_Size() int {
+	return xxx_messageInfo_CNIConfiguration.Size(m)
+}
+func (m *CNIConfiguration) XXX_DiscardUnknown() {
+	xxx_messageInfo_CNIConfiguration.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CNIConfiguration proto.InternalMessageInfo
+
+func (m *CNIConfiguration) GetNetworkName() string {
+	if m != nil {
+		return m.NetworkName
+	}
+	return ""
+}
+
+func (m *CNIConfiguration) GetInterfaceName() string {
+	if m != nil {
+		return m.InterfaceName
+	}
+	return ""
+}
+
+func (m *CNIConfiguration) GetBinPath() []string {
+	if m != nil {
+		return m.BinPath
+	}
+	return nil
+}
+
+func (m *CNIConfiguration) GetConfDir() string {
+	if m != nil {
+		return m.ConfDir
+	}
+	return ""
+}
+
+func (m *CNIConfiguration) GetCacheDir() string {
+	if m != nil {
+		return m.CacheDir
+	}
+	return ""
+}
+
+func (m *CNIConfiguration) GetArgs() []*CNIConfiguration_CNIArg {
+	if m != nil {
+		return m.Args
+	}
+	return nil
+}
+
+type CNIConfiguration_CNIArg struct {
+	Key                  string   `protobuf:"bytes,1,opt,name=Key,json=key,proto3" json:"Key,omitempty"`
+	Value                string   `protobuf:"bytes,2,opt,name=Value,json=value,proto3" json:"Value,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *CNIConfiguration_CNIArg) Reset()         { *m = CNIConfiguration_CNIArg{} }
+func (m *CNIConfiguration_CNIArg) String() string { return proto.CompactTextString(m) }
+func (*CNIConfiguration_CNIArg) ProtoMessage()    {}
+func (*CNIConfiguration_CNIArg) Descriptor() ([]byte, []int) {
+	return fileDescriptor_d938547f84707355, []int{2, 0}
+}
+func (m *CNIConfiguration_CNIArg) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CNIConfiguration_CNIArg.Unmarshal(m, b)
+}
+func (m *CNIConfiguration_CNIArg) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CNIConfiguration_CNIArg.Marshal(b, m, deterministic)
+}
+func (m *CNIConfiguration_CNIArg) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CNIConfiguration_CNIArg.Merge(m, src)
+}
+func (m *CNIConfiguration_CNIArg) XXX_Size() int {
+	return xxx_messageInfo_CNIConfiguration_CNIArg.Size(m)
+}
+func (m *CNIConfiguration_CNIArg) XXX_DiscardUnknown() {
+	xxx_messageInfo_CNIConfiguration_CNIArg.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CNIConfiguration_CNIArg proto.InternalMessageInfo
+
+func (m *CNIConfiguration_CNIArg) GetKey() string {
+	if m != nil {
+		return m.Key
+	}
+	return ""
+}
+
+func (m *CNIConfiguration_CNIArg) GetValue() string {
+	if m != nil {
+		return m.Value
+	}
+	return ""
+}
+
+// Message to specify static configuration parameters for a
+// Firecracker VM's network interface
+type StaticNetworkConfiguration struct {
+	MacAddress  string `protobuf:"bytes,1,opt,name=MacAddress,json=macAddress,proto3" json:"MacAddress,omitempty"`
+	HostDevName string `protobuf:"bytes,2,opt,name=HostDevName,json=hostDevName,proto3" json:"HostDevName,omitempty"`
+	// IPConfig optionally provides static IP configuration that will be configured
+	// on the VM's internal networking interface. If not specified, no IP
+	// configuration will be applied to the VM's internal nic automatically.
+	IPConfig             *IPConfiguration `protobuf:"bytes,3,opt,name=IPConfig,json=iPConfig,proto3" json:"IPConfig,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}         `json:"-"`
+	XXX_unrecognized     []byte           `json:"-"`
+	XXX_sizecache        int32            `json:"-"`
+}
+
+func (m *StaticNetworkConfiguration) Reset()         { *m = StaticNetworkConfiguration{} }
+func (m *StaticNetworkConfiguration) String() string { return proto.CompactTextString(m) }
+func (*StaticNetworkConfiguration) ProtoMessage()    {}
+func (*StaticNetworkConfiguration) Descriptor() ([]byte, []int) {
+	return fileDescriptor_d938547f84707355, []int{3}
+}
+func (m *StaticNetworkConfiguration) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_StaticNetworkConfiguration.Unmarshal(m, b)
+}
+func (m *StaticNetworkConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_StaticNetworkConfiguration.Marshal(b, m, deterministic)
+}
+func (m *StaticNetworkConfiguration) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_StaticNetworkConfiguration.Merge(m, src)
+}
+func (m *StaticNetworkConfiguration) XXX_Size() int {
+	return xxx_messageInfo_StaticNetworkConfiguration.Size(m)
+}
+func (m *StaticNetworkConfiguration) XXX_DiscardUnknown() {
+	xxx_messageInfo_StaticNetworkConfiguration.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_StaticNetworkConfiguration proto.InternalMessageInfo
+
+func (m *StaticNetworkConfiguration) GetMacAddress() string {
 	if m != nil {
 		return m.MacAddress
 	}
 	return ""
 }
 
-func (m *FirecrackerNetworkInterface) GetHostDevName() string {
+func (m *StaticNetworkConfiguration) GetHostDevName() string {
 	if m != nil {
 		return m.HostDevName
 	}
 	return ""
 }
 
-func (m *FirecrackerNetworkInterface) GetAllowMMDS() bool {
+func (m *StaticNetworkConfiguration) GetIPConfig() *IPConfiguration {
 	if m != nil {
-		return m.AllowMMDS
+		return m.IPConfig
 	}
-	return false
+	return nil
 }
 
-func (m *FirecrackerNetworkInterface) GetInRateLimiter() *FirecrackerRateLimiter {
+// Message to specify static IP configuration that will be
+// applied to a Firecracker VM's network interface internally
+type IPConfiguration struct {
+	// PrimaryAddr specifies, in CIDR notation, the primary address
+	// and subnet that a network interface will be assigned inside
+	// the VM.
+	PrimaryAddr string `protobuf:"bytes,1,opt,name=PrimaryAddr,json=primaryAddr,proto3" json:"PrimaryAddr,omitempty"`
+	// GatewayAddr specifies the default gateway that a network interface
+	// should use inside the VM.
+	GatewayAddr string `protobuf:"bytes,3,opt,name=GatewayAddr,json=gatewayAddr,proto3" json:"GatewayAddr,omitempty"`
+	// Nameservers is a list of nameservers that the VM will be configured
+	// to use internally. Currently only up to 2 nameservers can be specified
+	// (any more in the list will be ignored) and configuration is provided
+	// to the VM via /proc/net/pnp.
+	Nameservers          []string `protobuf:"bytes,4,rep,name=Nameservers,json=nameservers,proto3" json:"Nameservers,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *IPConfiguration) Reset()         { *m = IPConfiguration{} }
+func (m *IPConfiguration) String() string { return proto.CompactTextString(m) }
+func (*IPConfiguration) ProtoMessage()    {}
+func (*IPConfiguration) Descriptor() ([]byte, []int) {
+	return fileDescriptor_d938547f84707355, []int{4}
+}
+func (m *IPConfiguration) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_IPConfiguration.Unmarshal(m, b)
+}
+func (m *IPConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_IPConfiguration.Marshal(b, m, deterministic)
+}
+func (m *IPConfiguration) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_IPConfiguration.Merge(m, src)
+}
+func (m *IPConfiguration) XXX_Size() int {
+	return xxx_messageInfo_IPConfiguration.Size(m)
+}
+func (m *IPConfiguration) XXX_DiscardUnknown() {
+	xxx_messageInfo_IPConfiguration.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_IPConfiguration proto.InternalMessageInfo
+
+func (m *IPConfiguration) GetPrimaryAddr() string {
 	if m != nil {
-		return m.InRateLimiter
+		return m.PrimaryAddr
 	}
-	return nil
+	return ""
 }
 
-func (m *FirecrackerNetworkInterface) GetOutRateLimiter() *FirecrackerRateLimiter {
+func (m *IPConfiguration) GetGatewayAddr() string {
 	if m != nil {
-		return m.OutRateLimiter
+		return m.GatewayAddr
+	}
+	return ""
+}
+
+func (m *IPConfiguration) GetNameservers() []string {
+	if m != nil {
+		return m.Nameservers
 	}
 	return nil
 }
@@ -177,7 +445,7 @@ type FirecrackerMachineConfiguration struct {
 	HtEnabled   bool   `protobuf:"varint,2,opt,name=HtEnabled,json=htEnabled,proto3" json:"HtEnabled,omitempty"`
 	// Specifies the memory size of VM
 	// This lets us create a Firecracker VM of up to 4096 TiB, which
-	// for a mircroVM should be large enough
+	// for a microVM should be large enough
 	MemSizeMib           uint32   `protobuf:"varint,3,opt,name=MemSizeMib,json=memSizeMib,proto3" json:"MemSizeMib,omitempty"`
 	VcpuCount            uint32   `protobuf:"varint,4,opt,name=VcpuCount,json=vcpuCount,proto3" json:"VcpuCount,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
@@ -189,7 +457,7 @@ func (m *FirecrackerMachineConfiguration) Reset()         { *m = FirecrackerMach
 func (m *FirecrackerMachineConfiguration) String() string { return proto.CompactTextString(m) }
 func (*FirecrackerMachineConfiguration) ProtoMessage()    {}
 func (*FirecrackerMachineConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d938547f84707355, []int{2}
+	return fileDescriptor_d938547f84707355, []int{5}
 }
 func (m *FirecrackerMachineConfiguration) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_FirecrackerMachineConfiguration.Unmarshal(m, b)
@@ -253,7 +521,7 @@ func (m *FirecrackerDrive) Reset()         { *m = FirecrackerDrive{} }
 func (m *FirecrackerDrive) String() string { return proto.CompactTextString(m) }
 func (*FirecrackerDrive) ProtoMessage()    {}
 func (*FirecrackerDrive) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d938547f84707355, []int{3}
+	return fileDescriptor_d938547f84707355, []int{6}
 }
 func (m *FirecrackerDrive) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_FirecrackerDrive.Unmarshal(m, b)
@@ -321,7 +589,7 @@ func (m *FirecrackerRateLimiter) Reset()         { *m = FirecrackerRateLimiter{}
 func (m *FirecrackerRateLimiter) String() string { return proto.CompactTextString(m) }
 func (*FirecrackerRateLimiter) ProtoMessage()    {}
 func (*FirecrackerRateLimiter) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d938547f84707355, []int{4}
+	return fileDescriptor_d938547f84707355, []int{7}
 }
 func (m *FirecrackerRateLimiter) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_FirecrackerRateLimiter.Unmarshal(m, b)
@@ -369,7 +637,7 @@ func (m *FirecrackerTokenBucket) Reset()         { *m = FirecrackerTokenBucket{}
 func (m *FirecrackerTokenBucket) String() string { return proto.CompactTextString(m) }
 func (*FirecrackerTokenBucket) ProtoMessage()    {}
 func (*FirecrackerTokenBucket) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d938547f84707355, []int{5}
+	return fileDescriptor_d938547f84707355, []int{8}
 }
 func (m *FirecrackerTokenBucket) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_FirecrackerTokenBucket.Unmarshal(m, b)
@@ -413,6 +681,10 @@ func (m *FirecrackerTokenBucket) GetCapacity() int64 {
 func init() {
 	proto.RegisterType((*ExtraData)(nil), "ExtraData")
 	proto.RegisterType((*FirecrackerNetworkInterface)(nil), "FirecrackerNetworkInterface")
+	proto.RegisterType((*CNIConfiguration)(nil), "CNIConfiguration")
+	proto.RegisterType((*CNIConfiguration_CNIArg)(nil), "CNIConfiguration.CNIArg")
+	proto.RegisterType((*StaticNetworkConfiguration)(nil), "StaticNetworkConfiguration")
+	proto.RegisterType((*IPConfiguration)(nil), "IPConfiguration")
 	proto.RegisterType((*FirecrackerMachineConfiguration)(nil), "FirecrackerMachineConfiguration")
 	proto.RegisterType((*FirecrackerDrive)(nil), "FirecrackerDrive")
 	proto.RegisterType((*FirecrackerRateLimiter)(nil), "FirecrackerRateLimiter")
@@ -422,43 +694,58 @@ func init() {
 func init() { proto.RegisterFile("types.proto", fileDescriptor_d938547f84707355) }
 
 var fileDescriptor_d938547f84707355 = []byte{
-	// 604 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x93, 0x4f, 0x6f, 0xd3, 0x4c,
-	0x10, 0xc6, 0xe5, 0x37, 0x6f, 0x5b, 0xef, 0x38, 0xad, 0x90, 0x85, 0x20, 0x14, 0x04, 0x51, 0x4e,
-	0xe1, 0x92, 0x4a, 0x45, 0x20, 0x71, 0x40, 0xa8, 0x49, 0x8a, 0x1a, 0x44, 0x9a, 0x68, 0x53, 0x38,
-	0x70, 0xdb, 0xac, 0x27, 0xcd, 0x12, 0x7b, 0xd7, 0x5a, 0xaf, 0xdb, 0xa6, 0x5f, 0x86, 0x4f, 0xc4,
-	0x99, 0x4f, 0x83, 0x84, 0x76, 0x63, 0x3b, 0x2e, 0x02, 0x24, 0x4e, 0xd1, 0xfc, 0xe6, 0xcf, 0xce,
-	0xf3, 0x4c, 0x0c, 0x81, 0x59, 0xa7, 0x98, 0xf5, 0x52, 0xad, 0x8c, 0x3a, 0x7c, 0x74, 0xa9, 0xd4,
-	0x65, 0x8c, 0x47, 0x2e, 0x9a, 0xe7, 0x8b, 0x23, 0x26, 0xd7, 0x9b, 0x54, 0xe7, 0xbb, 0x07, 0xe4,
-	0xf4, 0xc6, 0x68, 0x36, 0x64, 0x86, 0x85, 0x87, 0xe0, 0xbf, 0xcf, 0x94, 0x9c, 0xa5, 0xc8, 0x5b,
-	0x5e, 0xdb, 0xeb, 0x36, 0xa9, 0xff, 0xa5, 0x88, 0xc3, 0x57, 0x10, 0xd0, 0x5c, 0xf2, 0x49, 0x6a,
-	0x84, 0x92, 0x59, 0xeb, 0xbf, 0xb6, 0xd7, 0x0d, 0x8e, 0xef, 0xf7, 0x36, 0xa3, 0x7b, 0xe5, 0xe8,
-	0xde, 0x89, 0x5c, 0xd3, 0x40, 0x6f, 0x0b, 0xc3, 0x27, 0x40, 0x66, 0x26, 0x12, 0x72, 0xaa, 0xb4,
-	0x69, 0x35, 0xda, 0x5e, 0x77, 0x9f, 0x92, 0xac, 0x04, 0xe1, 0x53, 0x80, 0x99, 0x89, 0x54, 0x6e,
-	0x5c, 0xfa, 0x7f, 0x97, 0x86, 0xac, 0x22, 0x45, 0x1e, 0xb5, 0x76, 0xf9, 0x9d, 0x2a, 0x5f, 0x90,
-	0xb0, 0x05, 0x7b, 0x43, 0x2d, 0xae, 0x70, 0x34, 0x6c, 0xed, 0xb6, 0xbd, 0x2e, 0xa1, 0x7b, 0xd1,
-	0x26, 0xec, 0xfc, 0xf0, 0xe0, 0xf1, 0x3b, 0xa1, 0x91, 0x6b, 0xc6, 0x57, 0xa8, 0xcf, 0xd1, 0x5c,
-	0x2b, 0xbd, 0x1a, 0x49, 0x83, 0x7a, 0xc1, 0x38, 0xda, 0xc9, 0x63, 0xc6, 0x4f, 0xa2, 0x48, 0x63,
-	0x96, 0x39, 0xb5, 0x84, 0x42, 0x52, 0x91, 0xb0, 0x0d, 0xc1, 0x99, 0xca, 0xcc, 0x10, 0xaf, 0xce,
-	0x59, 0x82, 0x4e, 0x2f, 0xa1, 0xc1, 0x72, 0x8b, 0xac, 0xb2, 0x93, 0x38, 0x56, 0xd7, 0xe3, 0xf1,
-	0x70, 0xe6, 0x94, 0xf9, 0x94, 0xb0, 0x12, 0x84, 0x6f, 0x60, 0x7f, 0x24, 0x29, 0x33, 0xf8, 0x41,
-	0x24, 0xc2, 0xa0, 0x76, 0xe2, 0x82, 0xe3, 0x87, 0xbd, 0xda, 0x52, 0xb5, 0x34, 0xdd, 0x17, 0xf5,
-	0xea, 0xf0, 0x2d, 0x1c, 0x4c, 0x72, 0x53, 0xef, 0xdf, 0xf9, 0x7b, 0xff, 0x81, 0xba, 0x53, 0xde,
-	0xf9, 0xea, 0xc1, 0xb3, 0x5a, 0xe9, 0x98, 0xf1, 0xa5, 0x90, 0x38, 0x50, 0x72, 0x21, 0x2e, 0x73,
-	0xcd, 0xec, 0x71, 0xac, 0xc6, 0xc1, 0xf4, 0xe3, 0x05, 0x26, 0x69, 0xcc, 0x0c, 0x16, 0x26, 0x04,
-	0x7c, 0x8b, 0xac, 0xc6, 0x33, 0x73, 0x2a, 0xd9, 0x3c, 0xc6, 0xc8, 0x79, 0xe0, 0x53, 0xb2, 0x2c,
-	0x81, 0xf3, 0x10, 0x93, 0x99, 0xb8, 0xc5, 0xb1, 0x98, 0x17, 0xc7, 0x85, 0xa4, 0x22, 0xb6, 0xfb,
-	0x13, 0x4f, 0xf3, 0x81, 0xca, 0x65, 0x79, 0x5c, 0x72, 0x55, 0x82, 0xce, 0x37, 0x0f, 0xee, 0xd5,
-	0x36, 0x74, 0x77, 0xb4, 0x23, 0x47, 0x19, 0x45, 0x16, 0x4d, 0x64, 0xbc, 0x76, 0x1b, 0xf9, 0x14,
-	0x44, 0x45, 0xc2, 0x0e, 0x34, 0x47, 0x19, 0x55, 0xca, 0x5e, 0x41, 0x70, 0x2c, 0x76, 0x6a, 0x8a,
-	0x1a, 0xb3, 0x7f, 0xe3, 0x29, 0xd3, 0x26, 0xcf, 0x45, 0xe4, 0x96, 0x22, 0xd4, 0x4f, 0x8b, 0xd8,
-	0xce, 0x9f, 0x32, 0xb3, 0x9c, 0x48, 0x7b, 0x5c, 0xb7, 0x13, 0xa1, 0x90, 0x56, 0x24, 0x7c, 0x0d,
-	0xc1, 0x3f, 0x98, 0x1e, 0xe8, 0x9a, 0xe3, 0xb7, 0xf0, 0xe0, 0xf7, 0x65, 0xe1, 0x4b, 0x20, 0x7d,
-	0x26, 0xa3, 0x6b, 0x11, 0x99, 0xa5, 0xd3, 0xf4, 0xcb, 0xc8, 0x0b, 0xb5, 0x42, 0xd9, 0xcf, 0xf9,
-	0x0a, 0x0d, 0x25, 0xf3, 0xb2, 0x32, 0x7c, 0x0e, 0x8d, 0x49, 0x5a, 0x7e, 0x6a, 0x7f, 0x6c, 0x68,
-	0xa8, 0x34, 0xeb, 0xdc, 0xdc, 0x79, 0xbb, 0x96, 0xb6, 0x86, 0x4d, 0x24, 0x5e, 0x88, 0x04, 0xfb,
-	0xb9, 0xce, 0x8c, 0x7b, 0xbe, 0x41, 0x9b, 0xaa, 0xc6, 0xac, 0x29, 0x14, 0x17, 0x22, 0x8e, 0x2d,
-	0x72, 0xef, 0x35, 0x28, 0xe8, 0x8a, 0x58, 0x43, 0x07, 0x2c, 0x65, 0x5c, 0x98, 0xb5, 0x33, 0xb4,
-	0x41, 0x7d, 0x5e, 0xc4, 0xfd, 0xbd, 0xcf, 0x3b, 0x9b, 0x8f, 0x7f, 0xd7, 0xfd, 0xbc, 0xf8, 0x19,
-	0x00, 0x00, 0xff, 0xff, 0x8e, 0xfa, 0x2b, 0x26, 0x7b, 0x04, 0x00, 0x00,
+	// 842 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x95, 0xdd, 0x8e, 0xe3, 0x34,
+	0x14, 0xc7, 0xd5, 0xc9, 0x74, 0xa6, 0x39, 0xe9, 0x2c, 0x83, 0xb5, 0x82, 0x30, 0x8b, 0xa0, 0x8a,
+	0xb8, 0x28, 0xd2, 0xaa, 0x8b, 0x06, 0x81, 0xc4, 0x05, 0x5a, 0xf5, 0x63, 0x61, 0x0b, 0x74, 0x5a,
+	0xb9, 0xc3, 0x5e, 0x70, 0xe7, 0x26, 0x9e, 0xd6, 0x34, 0xb1, 0x23, 0xdb, 0x69, 0xb7, 0xfb, 0x08,
+	0x88, 0x77, 0xe0, 0x09, 0x78, 0x14, 0xae, 0x79, 0x1d, 0x64, 0xc7, 0x49, 0x33, 0xb3, 0xcb, 0x5e,
+	0x55, 0xe7, 0x77, 0xbe, 0xec, 0xff, 0x39, 0x4e, 0x21, 0xd0, 0x87, 0x9c, 0xaa, 0x41, 0x2e, 0x85,
+	0x16, 0x57, 0x9f, 0xac, 0x85, 0x58, 0xa7, 0xf4, 0x99, 0xb5, 0x56, 0xc5, 0xdd, 0x33, 0xc2, 0x0f,
+	0xa5, 0x2b, 0xfa, 0xb7, 0x05, 0xfe, 0x8b, 0xd7, 0x5a, 0x92, 0x09, 0xd1, 0x04, 0x5d, 0x41, 0xe7,
+	0x27, 0x25, 0xf8, 0x32, 0xa7, 0x71, 0xd8, 0xea, 0xb5, 0xfa, 0x5d, 0xdc, 0xf9, 0xdd, 0xd9, 0xe8,
+	0x5b, 0x08, 0x70, 0xc1, 0xe3, 0x79, 0xae, 0x99, 0xe0, 0x2a, 0x3c, 0xe9, 0xb5, 0xfa, 0xc1, 0xf5,
+	0xe3, 0x41, 0x59, 0x7a, 0x50, 0x95, 0x1e, 0x0c, 0xf9, 0x01, 0x07, 0xf2, 0x18, 0x88, 0x3e, 0x05,
+	0x7f, 0xa9, 0x13, 0xc6, 0x17, 0x42, 0xea, 0xd0, 0xeb, 0xb5, 0xfa, 0x17, 0xd8, 0x57, 0x15, 0x40,
+	0x9f, 0x01, 0x2c, 0x75, 0x22, 0x0a, 0x6d, 0xdd, 0xa7, 0xd6, 0x0d, 0xaa, 0x26, 0xce, 0x4f, 0xa5,
+	0xb4, 0xfe, 0x76, 0xed, 0x77, 0x04, 0x85, 0x70, 0x3e, 0x91, 0x6c, 0x47, 0xa7, 0x93, 0xf0, 0xac,
+	0xd7, 0xea, 0xfb, 0xf8, 0x3c, 0x29, 0xcd, 0xe8, 0xef, 0x13, 0x78, 0xf2, 0x03, 0x93, 0x34, 0x96,
+	0x24, 0xde, 0x52, 0x79, 0x43, 0xf5, 0x5e, 0xc8, 0xed, 0x94, 0x6b, 0x2a, 0xef, 0x48, 0x4c, 0xcd,
+	0xb9, 0x86, 0x69, 0x2a, 0xf6, 0xb3, 0xd9, 0x64, 0x69, 0x2f, 0xdb, 0xc1, 0x3e, 0xa9, 0x00, 0xfa,
+	0x1e, 0x2e, 0xa6, 0x1c, 0x13, 0x4d, 0x7f, 0x61, 0x19, 0xd3, 0x54, 0xba, 0xfb, 0x7e, 0x3c, 0x68,
+	0x94, 0x6c, 0xb8, 0xf1, 0x05, 0x6b, 0x46, 0xa3, 0xe7, 0xf0, 0x68, 0x5e, 0xe8, 0x66, 0xbe, 0xf7,
+	0xfe, 0xfc, 0x47, 0xe2, 0x5e, 0x38, 0x7a, 0x06, 0xfe, 0xf8, 0x66, 0x3a, 0x16, 0xfc, 0x8e, 0xad,
+	0xad, 0x2c, 0xc1, 0xf5, 0x87, 0x83, 0x9a, 0x14, 0x92, 0x18, 0x71, 0xb1, 0x1f, 0x57, 0x04, 0x3d,
+	0x87, 0xee, 0x52, 0x13, 0xcd, 0x62, 0x97, 0xd3, 0xb6, 0x39, 0x4f, 0x06, 0x25, 0x74, 0xb7, 0xbf,
+	0x9f, 0xdd, 0x55, 0x8d, 0x84, 0xe8, 0x8f, 0x13, 0xb8, 0x7c, 0xd8, 0x00, 0xf5, 0x20, 0x70, 0xa9,
+	0x37, 0x24, 0xa3, 0x56, 0x26, 0x1f, 0x07, 0xfc, 0x88, 0xd0, 0x17, 0x46, 0x28, 0xa7, 0xa9, 0x8d,
+	0x39, 0xb1, 0x31, 0x17, 0xac, 0x09, 0xcd, 0x98, 0x46, 0x8c, 0x2f, 0x88, 0xde, 0x84, 0x5e, 0xcf,
+	0x33, 0x63, 0x5a, 0x95, 0xa6, 0xf1, 0x98, 0x96, 0x13, 0x26, 0xed, 0x35, 0x7d, 0x7c, 0x1e, 0x97,
+	0xa6, 0x59, 0xc6, 0x31, 0x89, 0x37, 0xd4, 0xb8, 0xda, 0xd6, 0xd5, 0x89, 0x9d, 0x8d, 0x9e, 0xc2,
+	0xe9, 0x50, 0xae, 0x55, 0x78, 0xd6, 0xf3, 0xfa, 0xc1, 0x75, 0xf8, 0x96, 0x32, 0x06, 0x0c, 0xe5,
+	0x1a, 0x9f, 0x12, 0xb9, 0x56, 0x57, 0x5f, 0xc1, 0x59, 0x69, 0xa3, 0x4b, 0xf0, 0x7e, 0xa6, 0x07,
+	0x77, 0x0f, 0x6f, 0x4b, 0x0f, 0xe8, 0x31, 0xb4, 0x5f, 0x91, 0xb4, 0xa8, 0xce, 0xdd, 0xde, 0x19,
+	0x23, 0xfa, 0xb3, 0x05, 0x57, 0xff, 0xaf, 0x9c, 0xd9, 0xca, 0x19, 0x89, 0x87, 0x49, 0x22, 0xa9,
+	0x52, 0xae, 0x1a, 0x64, 0x35, 0x31, 0xb2, 0xbd, 0x14, 0x4a, 0x4f, 0xe8, 0xae, 0x21, 0x49, 0xb0,
+	0x39, 0x22, 0xf4, 0x14, 0x3a, 0xd3, 0x85, 0x1b, 0x55, 0xb9, 0x1a, 0x97, 0x83, 0x0a, 0x54, 0xf3,
+	0xe9, 0x30, 0x07, 0xa2, 0x3d, 0x7c, 0xf0, 0xc0, 0x69, 0x5a, 0x2c, 0x24, 0xcb, 0x88, 0x3c, 0x98,
+	0xa6, 0xd5, 0x64, 0xf2, 0x23, 0x32, 0x11, 0x3f, 0x12, 0x4d, 0xf7, 0xa4, 0x8c, 0xf0, 0xca, 0x88,
+	0xf5, 0x11, 0xd9, 0xe9, 0x92, 0x8c, 0x2a, 0x2a, 0x77, 0x54, 0xaa, 0xf0, 0xd4, 0x4e, 0x26, 0xe0,
+	0x47, 0x14, 0xfd, 0xd5, 0x82, 0xcf, 0x1b, 0x1b, 0x3b, 0x23, 0xf1, 0x86, 0x71, 0xfa, 0xd6, 0x49,
+	0xc6, 0x8b, 0x5f, 0x6f, 0x69, 0x96, 0xa7, 0x44, 0xd7, 0x3b, 0x12, 0x1f, 0x91, 0x79, 0x6a, 0x2f,
+	0xf5, 0x0b, 0x4e, 0x56, 0x29, 0x4d, 0xac, 0x18, 0x1d, 0xec, 0x6f, 0x2a, 0x60, 0xc5, 0xa4, 0xd9,
+	0x92, 0xbd, 0xa1, 0x33, 0xb6, 0x72, 0x5f, 0x08, 0xc8, 0x6a, 0x62, 0xb2, 0x5f, 0xc5, 0x79, 0x31,
+	0x16, 0x05, 0xaf, 0xbe, 0x10, 0xfe, 0xae, 0x02, 0xd1, 0x3f, 0x2d, 0xb8, 0x6c, 0x9c, 0xd0, 0x7e,
+	0x0c, 0x4c, 0xc9, 0xa9, 0xc2, 0x94, 0x24, 0x73, 0x9e, 0x1e, 0xdc, 0xe3, 0x06, 0x56, 0x13, 0x14,
+	0x41, 0x77, 0xaa, 0xb0, 0x10, 0x66, 0x1c, 0x2c, 0xa6, 0xee, 0x4c, 0x5d, 0xd6, 0x60, 0x66, 0xfd,
+	0x16, 0x44, 0xea, 0xa2, 0x60, 0x89, 0xd3, 0xae, 0x93, 0x3b, 0xdb, 0xd4, 0x37, 0xcb, 0x3b, 0xe7,
+	0x66, 0xca, 0x6e, 0x6f, 0x21, 0xaf, 0x09, 0xfa, 0x0e, 0x82, 0xe6, 0xdb, 0x6f, 0xbf, 0xff, 0xed,
+	0x07, 0xf2, 0x68, 0x44, 0x6f, 0xe0, 0xa3, 0x77, 0x87, 0xa1, 0x6f, 0xc0, 0x1f, 0x11, 0x9e, 0xec,
+	0x59, 0xa2, 0x37, 0xf6, 0x4e, 0x0f, 0x4a, 0xde, 0x8a, 0x2d, 0xe5, 0xa3, 0x22, 0xde, 0x52, 0x8d,
+	0xfd, 0x55, 0x15, 0x89, 0xbe, 0x04, 0x6f, 0x9e, 0xab, 0x77, 0x7d, 0xbf, 0x9a, 0x09, 0x9e, 0xc8,
+	0x55, 0xf4, 0xfa, 0x5e, 0xef, 0x86, 0xdb, 0x08, 0x36, 0xe7, 0xf4, 0x96, 0x65, 0x74, 0x54, 0x48,
+	0xa5, 0x6d, 0x7b, 0x0f, 0x77, 0x45, 0x83, 0x19, 0x51, 0x30, 0xbd, 0x63, 0x69, 0x6a, 0x90, 0xed,
+	0xe7, 0x61, 0x90, 0x35, 0x29, 0xdf, 0x73, 0x4e, 0x62, 0xa6, 0x0f, 0x56, 0x50, 0xcf, 0xbc, 0xe7,
+	0xd2, 0x1e, 0x9d, 0xff, 0xd6, 0x2e, 0xff, 0x41, 0xce, 0xec, 0xcf, 0xd7, 0xff, 0x05, 0x00, 0x00,
+	0xff, 0xff, 0xb5, 0x59, 0xac, 0x4c, 0xc0, 0x06, 0x00, 0x00,
 }
diff --git a/proto/types.proto b/proto/types.proto
index 5227afe89..27c92e195 100644
--- a/proto/types.proto
+++ b/proto/types.proto
@@ -16,11 +16,83 @@ message ExtraData {
 
 // Message to specify network config for a Firecracker VM
 message FirecrackerNetworkInterface {
+	bool AllowMMDS = 1; // Specifies if metadata service should be available on this network interface
+	FirecrackerRateLimiter InRateLimiter = 2; // Specifies a rate limiter for incoming bytes
+	FirecrackerRateLimiter OutRateLimiter = 3; // Specifies a rate limiter for outgoing bytes
+
+	// CNIConfiguration specifies CNI configuration that will be used to generate
+	// a network interface for a Firecracker VM.
+	CNIConfiguration CNIConfig = 4;
+
+	// StaticNetworkConfiguration specifies static configuration parameters for a
+	// Firecracker VM's network interface
+	StaticNetworkConfiguration StaticConfig = 5;
+}
+
+// Message to specify CNI configuration that will be used to
+// generate a network interface for a Firecracker VM
+message CNIConfiguration {
+	// NetworkName is the name of a CNI network (as found in CNI
+	// configuration files) that will be used to generate the
+	// network interface.
+	string NetworkName = 1;
+
+	// InterfaceName corresponds to the CNI_IFNAME parameter that will be
+	// provided to CNI plugins during invocation.
+	string InterfaceName = 2;
+
+	// BinPath is a list of directories that will be searched when
+	// looking for CNI plugin binaries. Defaults to just "/opt/cni/bin"
+	repeated string BinPath = 3;
+
+	// ConfDir is the directory in which CNI configuration will be sought.
+	// If not specified, will default to "/etc/cni/conf.d".
+	string ConfDir = 4;
+
+	// CacheDir is the directory in which CNI results will be temporarily
+	// cached by the runtime. If not specified, it will default to
+	// "/var/lib/cni"
+	string CacheDir = 5;
+
+	message CNIArg {
+		string Key = 1;
+		string Value = 2;
+	}
+
+	// Args corresponds to the CNI_ARGS parameter that will be provided to
+	// CNI plugins on invocation.
+	repeated CNIArg Args = 6;
+}
+
+// Message to specify static configuration parameters for a
+// Firecracker VM's network interface
+message StaticNetworkConfiguration {
 	string MacAddress = 1; // Specifies the mac address for the the device
 	string HostDevName = 2; // Specifies the name of the tap device on the host
-	bool AllowMMDS = 3; // Specifies if metadata service should be available on this network interface
-	FirecrackerRateLimiter InRateLimiter = 4; // Specifies a rate limiter for incoming bytes
-	FirecrackerRateLimiter OutRateLimiter = 5; // Specifies a rate limiter for outgoing bytes
+
+	// IPConfig optionally provides static IP configuration that will be configured
+	// on the VM's internal networking interface. If not specified, no IP
+	// configuration will be applied to the VM's internal nic automatically.
+	IPConfiguration IPConfig = 3;
+}
+
+// Message to specify static IP configuration that will be
+// applied to a Firecracker VM's network interface internally
+message IPConfiguration {
+	// PrimaryAddr specifies, in CIDR notation, the primary address
+	// and subnet that a network interface will be assigned inside
+	// the VM.
+	string PrimaryAddr = 1;
+
+	// GatewayAddr specifies the default gateway that a network interface
+	// should use inside the VM.
+	string GatewayAddr = 3;
+
+	// Nameservers is a list of nameservers that the VM will be configured
+	// to use internally. Currently only up to 2 nameservers can be specified
+	// (any more in the list will be ignored) and configuration is provided
+	// to the VM via /proc/net/pnp.
+	repeated string Nameservers = 4;
 }
 
 // Message to set the machine config for a Firecracker VM
@@ -29,7 +101,7 @@ message FirecrackerMachineConfiguration {
 	bool HtEnabled = 2; // Specifies if hyper-threading should be enabled
 	 // Specifies the memory size of VM
 	 // This lets us create a Firecracker VM of up to 4096 TiB, which
-	 // for a mircroVM should be large enough
+	 // for a microVM should be large enough
 	uint32 MemSizeMib = 3;
 	uint32 VcpuCount = 4; // Specifies the number of vCPUs for the VM
 }
diff --git a/runtime/Makefile b/runtime/Makefile
index ae5239132..d2cf7d8d6 100644
--- a/runtime/Makefile
+++ b/runtime/Makefile
@@ -46,8 +46,8 @@ integ-test:
 		docker run --rm -it \
 			--privileged \
 			--ipc=host \
+			--network=none \
 			--volume /dev:/dev \
-			--volume /sys:/sys \
 			--volume /run/udev/control:/run/udev/control \
 			--volume $(CURDIR)/logs:/var/log/firecracker-containerd-test \
 			--env ENABLE_ISOLATED_TESTS=1 \
diff --git a/runtime/cni_integ_test.go b/runtime/cni_integ_test.go
new file mode 100644
index 000000000..2ee5da1f3
--- /dev/null
+++ b/runtime/cni_integ_test.go
@@ -0,0 +1,216 @@
+// Copyright 2018-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//	http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/containerd/containerd"
+	"github.com/containerd/containerd/namespaces"
+	"github.com/containerd/containerd/oci"
+	"github.com/containerd/containerd/pkg/ttrpcutil"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/firecracker-microvm/firecracker-containerd/internal"
+	"github.com/firecracker-microvm/firecracker-containerd/proto"
+	fccontrol "github.com/firecracker-microvm/firecracker-containerd/proto/service/fccontrol/ttrpc"
+	"github.com/firecracker-microvm/firecracker-containerd/runtime/firecrackeroci"
+)
+
+func TestCNISupport_Isolated(t *testing.T) {
+	internal.RequiresIsolation(t)
+
+	testTimeout := 120 * time.Second
+	ctx, cancel := context.WithTimeout(namespaces.WithNamespace(context.Background(), defaultNamespace), testTimeout)
+	defer cancel()
+
+	client, err := containerd.New(containerdSockPath, containerd.WithDefaultRuntime(firecrackerRuntime))
+	require.NoError(t, err, "unable to create client to containerd service at %s, is containerd running?", containerdSockPath)
+	defer client.Close()
+
+	pluginClient, err := ttrpcutil.NewClient(containerdSockPath + ".ttrpc")
+	require.NoError(t, err, "failed to create ttrpc client")
+
+	image, err := alpineImage(ctx, client, naiveSnapshotterName)
+	require.NoError(t, err, "failed to get alpine image")
+
+	numVMs := 5
+	var vmIDs []string
+	webpages := make(map[string]string)
+	for i := 0; i < numVMs; i++ {
+		vmID := fmt.Sprintf("vm-%d", i)
+		vmIDs = append(vmIDs, vmID)
+		webpages[vmID] = fmt.Sprintf("Hello, my virtual machine %s\n", vmID)
+	}
+
+	localServices, err := internal.NewLocalNetworkServices(webpages)
+	require.NoError(t, err, "failed to create local network test services")
+
+	cniNetworkName := "fcnet-test"
+	err = writeCNIConf("/etc/cni/conf.d/fcnet-test.conflist", cniNetworkName, localServices.DNSServerIP())
+	require.NoError(t, err, "failed to write test cni conf")
+
+	go func() {
+		defer cancel()
+		err := localServices.Serve(ctx)
+		if err != nil {
+			t.Logf("failed serving local dns and http: %v", err)
+		}
+	}()
+
+	var vmGroup sync.WaitGroup
+	for _, vmID := range vmIDs {
+		vmGroup.Add(1)
+		go func(vmID string) {
+			defer vmGroup.Done()
+
+			fcClient := fccontrol.NewFirecrackerClient(pluginClient.Client())
+			_, err = fcClient.CreateVM(ctx, &proto.CreateVMRequest{
+				VMID: vmID,
+				MachineCfg: &proto.FirecrackerMachineConfiguration{
+					MemSizeMib: 512,
+				},
+				RootDrive: &proto.FirecrackerDrive{
+					PathOnHost:   defaultVMRootfsPath,
+					IsReadOnly:   false,
+					IsRootDevice: true,
+				},
+				NetworkInterfaces: []*proto.FirecrackerNetworkInterface{{
+					CNIConfig: &proto.CNIConfiguration{
+						NetworkName:   cniNetworkName,
+						InterfaceName: "veth0",
+					},
+				}},
+			})
+			require.NoError(t, err, "failed to create vm")
+
+			containerName := fmt.Sprintf("%s-container", vmID)
+			snapshotName := fmt.Sprintf("%s-snapshot", vmID)
+
+			newContainer, err := client.NewContainer(ctx,
+				containerName,
+				containerd.WithSnapshotter(naiveSnapshotterName),
+				containerd.WithNewSnapshot(snapshotName, image),
+				containerd.WithNewSpec(
+					oci.WithProcessArgs("/usr/bin/wget",
+						"-q",      // don't print to stderr unless an error occurs
+						"-O", "-", // write to stdout
+						localServices.URL(vmID)),
+					firecrackeroci.WithVMID(vmID),
+					firecrackeroci.WithVMNetwork,
+				),
+			)
+			require.NoError(t, err, "failed to create container %s", containerName)
+
+			stdout := startAndWaitTask(ctx, t, newContainer)
+			t.Logf("stdout output from task %q: %s", containerName, stdout)
+			assert.Equalf(t, webpages[vmID], stdout, "container %q did not emit expected stdout", containerName)
+		}(vmID)
+	}
+
+	vmGroup.Wait()
+}
+
+func TestAutomaticCNISupport_Isolated(t *testing.T) {
+	internal.RequiresIsolation(t)
+
+	testTimeout := 120 * time.Second
+	ctx, cancel := context.WithTimeout(namespaces.WithNamespace(context.Background(), defaultNamespace), testTimeout)
+	defer cancel()
+
+	client, err := containerd.New(containerdSockPath, containerd.WithDefaultRuntime(firecrackerRuntime))
+	require.NoError(t, err, "unable to create client to containerd service at %s, is containerd running?", containerdSockPath)
+	defer client.Close()
+
+	image, err := alpineImage(ctx, client, naiveSnapshotterName)
+	require.NoError(t, err, "failed to get alpine image")
+
+	numVMs := 5
+	var taskIDs []string
+	webpages := make(map[string]string)
+	for i := 0; i < numVMs; i++ {
+		taskID := fmt.Sprintf("task-%d", i)
+		taskIDs = append(taskIDs, taskID)
+		webpages[taskID] = fmt.Sprintf("Hello, my task %s\n", taskID)
+	}
+
+	localServices, err := internal.NewLocalNetworkServices(webpages)
+	require.NoError(t, err, "failed to create local network test services")
+
+	cniNetworkName := "fcnet"
+	err = writeCNIConf("/etc/cni/conf.d/fcnet.conflist", cniNetworkName, localServices.DNSServerIP())
+	require.NoError(t, err, "failed to write test cni conf")
+
+	go func() {
+		require.NoError(t, localServices.Serve(ctx), "failed serving local dns and http")
+	}()
+
+	var taskGroup sync.WaitGroup
+	for _, taskID := range taskIDs {
+		taskGroup.Add(1)
+		go func(taskID string) {
+			defer taskGroup.Done()
+
+			snapshotName := fmt.Sprintf("%s-snapshot", taskID)
+
+			newContainer, err := client.NewContainer(ctx,
+				taskID,
+				containerd.WithSnapshotter(naiveSnapshotterName),
+				containerd.WithNewSnapshot(snapshotName, image),
+				containerd.WithNewSpec(
+					oci.WithProcessArgs("/usr/bin/wget",
+						"-q",      // don't print to stderr unless an error occurs
+						"-O", "-", // write to stdout
+						localServices.URL(taskID)),
+					firecrackeroci.WithVMNetwork,
+				),
+			)
+			require.NoError(t, err, "failed to create container %s", taskID)
+
+			stdout := startAndWaitTask(ctx, t, newContainer)
+			t.Logf("stdout output from task %q: %s", taskID, stdout)
+			assert.Equalf(t, webpages[taskID], stdout, "container %q did not emit expected stdout", taskID)
+		}(taskID)
+	}
+
+	taskGroup.Wait()
+}
+
+func writeCNIConf(path string, networkName string, nameserver string) error {
+	return ioutil.WriteFile(path, []byte(fmt.Sprintf(`{
+  "cniVersion": "0.3.1",
+  "name": "%s",
+  "plugins": [
+    {
+      "type": "ptp",
+      "ipMasq": true,
+      "mtu": 1500,
+      "ipam": {
+        "type": "host-local",
+        "subnet": "192.168.1.0/24"
+      },
+      "dns": {"nameservers": ["%s"]}
+    },
+    {
+      "type": "tc-redirect-tap"
+    }
+  ]
+}`, networkName, nameserver)), 0644)
+}
diff --git a/runtime/config.go b/runtime/config.go
index 4410cf72a..428c93865 100644
--- a/runtime/config.go
+++ b/runtime/config.go
@@ -20,6 +20,7 @@ import (
 
 	"github.com/pkg/errors"
 
+	"github.com/firecracker-microvm/firecracker-containerd/proto"
 	models "github.com/firecracker-microvm/firecracker-go-sdk/client/models"
 )
 
@@ -46,6 +47,11 @@ type Config struct {
 	LogLevel              string `json:"log_level"`
 	HtEnabled             bool   `json:"ht_enabled"`
 	Debug                 bool   `json:"debug"`
+
+	// If a CreateVM call specifies no network interfaces and DefaultNetworkInterfaces is non-empty,
+	// the VM will default to using the network interfaces as specified here. This is especially
+	// useful when a CNI-based network interface is provided in DefaultNetworkInterfaces.
+	DefaultNetworkInterfaces []proto.FirecrackerNetworkInterface `json:"default_network_interfaces"`
 }
 
 // LoadConfig loads configuration from JSON file at 'path'
diff --git a/runtime/firecrackeroci/network.go b/runtime/firecrackeroci/network.go
new file mode 100644
index 000000000..234a51284
--- /dev/null
+++ b/runtime/firecrackeroci/network.go
@@ -0,0 +1,43 @@
+// Copyright 2018-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//	http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package firecrackeroci
+
+import (
+	"context"
+
+	"github.com/containerd/containerd/containers"
+	"github.com/containerd/containerd/oci"
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+var _ oci.SpecOpts = WithVMNetwork
+
+// WithVMNetwork modifies a container to use its host network settings (host netns, host utsns, host
+// /etc/resolv.conf and host /etc/hosts). It's intended to configure Firecracker-containerd containers
+// to have access to the network (if any) their VM was configured with.
+func WithVMNetwork(ctx context.Context, cli oci.Client, ctr *containers.Container, spec *oci.Spec) error {
+	for _, opt := range []oci.SpecOpts{
+		oci.WithHostNamespace(specs.NetworkNamespace),
+		oci.WithHostNamespace(specs.UTSNamespace),
+		oci.WithHostResolvconf,
+		oci.WithHostHostsFile,
+	} {
+		err := opt(ctx, cli, ctr, spec)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/runtime/helpers.go b/runtime/helpers.go
index dbe99742f..b7b058a4d 100644
--- a/runtime/helpers.go
+++ b/runtime/helpers.go
@@ -14,8 +14,11 @@
 package main
 
 import (
+	"net"
 	"time"
 
+	"github.com/pkg/errors"
+
 	"github.com/firecracker-microvm/firecracker-go-sdk"
 	models "github.com/firecracker-microvm/firecracker-go-sdk/client/models"
 
@@ -53,11 +56,9 @@ func machineConfigurationFromProto(cfg *Config, req *proto.FirecrackerMachineCon
 
 // networkConfigFromProto creates a firecracker NetworkInterface object from
 // the protobuf FirecrackerNetworkInterface message.
-func networkConfigFromProto(nwIface *proto.FirecrackerNetworkInterface) firecracker.NetworkInterface {
-	result := firecracker.NetworkInterface{
-		MacAddress:  nwIface.MacAddress,
-		HostDevName: nwIface.HostDevName,
-		AllowMMDS:   nwIface.AllowMMDS,
+func networkConfigFromProto(nwIface *proto.FirecrackerNetworkInterface, vmID string) (*firecracker.NetworkInterface, error) {
+	result := &firecracker.NetworkInterface{
+		AllowMMDS: nwIface.AllowMMDS,
 	}
 
 	if nwIface.InRateLimiter != nil {
@@ -68,7 +69,47 @@ func networkConfigFromProto(nwIface *proto.FirecrackerNetworkInterface) firecrac
 		result.OutRateLimiter = rateLimiterFromProto(nwIface.OutRateLimiter)
 	}
 
-	return result
+	if staticConf := nwIface.StaticConfig; staticConf != nil {
+		result.StaticConfiguration = &firecracker.StaticNetworkConfiguration{
+			HostDevName: staticConf.HostDevName,
+			MacAddress:  staticConf.MacAddress,
+		}
+
+		if ipConf := staticConf.IPConfig; ipConf != nil {
+			ip, ipNet, err := net.ParseCIDR(ipConf.PrimaryAddr)
+			if err != nil {
+				return nil, errors.Wrapf(err, "failed to parse CIDR from %q", ipConf.PrimaryAddr)
+			}
+
+			result.StaticConfiguration.IPConfiguration = &firecracker.IPConfiguration{
+				IPAddr: net.IPNet{
+					IP:   ip,
+					Mask: ipNet.Mask,
+				},
+				Gateway:     net.ParseIP(ipConf.GatewayAddr),
+				Nameservers: ipConf.Nameservers,
+			}
+		}
+	}
+
+	if cniConf := nwIface.CNIConfig; cniConf != nil {
+		result.CNIConfiguration = &firecracker.CNIConfiguration{
+			NetworkName: cniConf.NetworkName,
+			IfName:      cniConf.InterfaceName,
+			BinPath:     cniConf.BinPath,
+			ConfDir:     cniConf.ConfDir,
+			CacheDir:    cniConf.CacheDir,
+		}
+
+		for _, cniArg := range cniConf.Args {
+			var kv [2]string
+			kv[0] = cniArg.Key
+			kv[1] = cniArg.Value
+			result.CNIConfiguration.Args = append(result.CNIConfiguration.Args, kv)
+		}
+	}
+
+	return result, nil
 }
 
 func addDriveFromProto(builder firecracker.DrivesBuilder, drive *proto.FirecrackerDrive) firecracker.DrivesBuilder {
diff --git a/runtime/helpers_test.go b/runtime/helpers_test.go
index 28180793a..b52944f63 100644
--- a/runtime/helpers_test.go
+++ b/runtime/helpers_test.go
@@ -19,6 +19,7 @@ import (
 	"github.com/firecracker-microvm/firecracker-go-sdk"
 	models "github.com/firecracker-microvm/firecracker-go-sdk/client/models"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/firecracker-microvm/firecracker-containerd/proto"
 )
@@ -111,18 +112,88 @@ func TestMachineConfigurationFromProto(t *testing.T) {
 	}
 }
 
-func TestNetworkConfigFromProto(t *testing.T) {
-	network := networkConfigFromProto(&proto.FirecrackerNetworkInterface{
-		MacAddress:  mac,
-		HostDevName: hostDevName,
-		AllowMMDS:   true,
-	})
+func TestNetworkConfigFromProto_Static(t *testing.T) {
+	primaryAddr := "198.51.100.2/24"
+	gatewayAddr := "198.51.100.1"
+	nameservers := []string{"192.0.2.1", "192.0.2.2", "192.0.2.3"}
+
+	network, err := networkConfigFromProto(&proto.FirecrackerNetworkInterface{
+		AllowMMDS: true,
+		StaticConfig: &proto.StaticNetworkConfiguration{
+			MacAddress:  mac,
+			HostDevName: hostDevName,
+			IPConfig: &proto.IPConfiguration{
+				PrimaryAddr: primaryAddr,
+				GatewayAddr: gatewayAddr,
+				Nameservers: nameservers,
+			},
+		},
+	}, "vmID")
+	require.NoError(t, err, "failed to parse static network config from proto")
+
+	assert.Equal(t, mac, network.StaticConfiguration.MacAddress)
+	assert.Equal(t, hostDevName, network.StaticConfiguration.HostDevName)
+	assert.Equal(t, primaryAddr, network.StaticConfiguration.IPConfiguration.IPAddr.String())
+	assert.Equal(t, gatewayAddr, network.StaticConfiguration.IPConfiguration.Gateway.String())
+	assert.Equal(t, nameservers, network.StaticConfiguration.IPConfiguration.Nameservers)
+
+	assert.True(t, network.AllowMMDS)
+	assert.Nil(t, network.InRateLimiter)
+	assert.Nil(t, network.OutRateLimiter)
+}
+
+func TestNetworkConfigFromProto_CNI(t *testing.T) {
+	networkName := "da-network"
+	ifName := "da-iface"
+	vmID := "da-vm"
+	cniConfDir := "/da/cni/config"
+	cniCacheDir := "/da/cni/cache"
+	cniBinPath := []string{"/foo", "/boo/far"}
+	cniKey1 := "foo"
+	cniVal1 := "bar"
+	cniKey2 := "boo"
+	cniVal2 := "far"
+
+	inputArgs := []*proto.CNIConfiguration_CNIArg{
+		{
+			Key:   cniKey1,
+			Value: cniVal1,
+		},
+		{
+			Key:   cniKey2,
+			Value: cniVal2,
+		},
+	}
+
+	network, err := networkConfigFromProto(&proto.FirecrackerNetworkInterface{
+		AllowMMDS: true,
+		CNIConfig: &proto.CNIConfiguration{
+			NetworkName:   networkName,
+			InterfaceName: ifName,
+			ConfDir:       cniConfDir,
+			CacheDir:      cniCacheDir,
+			BinPath:       cniBinPath,
+			Args:          inputArgs,
+		},
+	}, vmID)
+	require.NoError(t, err, "failed to parse CNI network config from proto")
 
-	assert.Equal(t, mac, network.MacAddress)
-	assert.Equal(t, hostDevName, network.HostDevName)
 	assert.True(t, network.AllowMMDS)
 	assert.Nil(t, network.InRateLimiter)
 	assert.Nil(t, network.OutRateLimiter)
+
+	assert.Equal(t, network.CNIConfiguration.NetworkName, networkName)
+	assert.Equal(t, network.CNIConfiguration.IfName, ifName)
+	assert.Equal(t, network.CNIConfiguration.ConfDir, cniConfDir)
+	assert.Equal(t, network.CNIConfiguration.CacheDir, cniCacheDir)
+	assert.Equal(t, network.CNIConfiguration.BinPath, cniBinPath)
+
+	require.Len(t, network.CNIConfiguration.Args, 2, "unexpected number of CNI args")
+	for i, inputArg := range inputArgs {
+		outputArg := network.CNIConfiguration.Args[i]
+		assert.Equal(t, inputArg.Key, outputArg[0])
+		assert.Equal(t, inputArg.Value, outputArg[1])
+	}
 }
 
 func TestTokenBucketFromProto(t *testing.T) {
diff --git a/runtime/service.go b/runtime/service.go
index c538cf73f..f4242c9fe 100644
--- a/runtime/service.go
+++ b/runtime/service.go
@@ -596,6 +596,7 @@ func (s *service) buildVMConfiguration(req *proto.CreateVMRequest) (*firecracker
 		MachineCfg:   machineConfigurationFromProto(s.config, req.MachineCfg),
 		LogLevel:     s.config.LogLevel,
 		Debug:        s.config.Debug,
+		VMID:         s.vmID,
 	}
 
 	logger.Debugf("using socket path: %s", cfg.SocketPath)
@@ -645,10 +646,22 @@ func (s *service) buildVMConfiguration(req *proto.CreateVMRequest) (*firecracker
 	// a micro VM must know all drives
 	cfg.Drives = append(handler.GetDrives(), driveBuilder.Build()...)
 
-	// Setup network interfaces
+	// If no value for NetworkInterfaces was specified (not even an empty but non-nil list) and
+	// the runtime config specifies a default list, use those defaults
+	if req.NetworkInterfaces == nil {
+		for _, ni := range s.config.DefaultNetworkInterfaces {
+			niCopy := ni // we don't want to allow any further calls to modify structs in s.config.DefaultNetworkInterfaces
+			req.NetworkInterfaces = append(req.NetworkInterfaces, &niCopy)
+		}
+	}
 
 	for _, ni := range req.NetworkInterfaces {
-		cfg.NetworkInterfaces = append(cfg.NetworkInterfaces, networkConfigFromProto(ni))
+		netCfg, err := networkConfigFromProto(ni, s.vmID)
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to convert network config %+v", ni)
+		}
+
+		cfg.NetworkInterfaces = append(cfg.NetworkInterfaces, *netCfg)
 	}
 
 	return &cfg, nil
diff --git a/runtime/service_integ_test.go b/runtime/service_integ_test.go
index 140592173..8e12854a7 100644
--- a/runtime/service_integ_test.go
+++ b/runtime/service_integ_test.go
@@ -54,7 +54,6 @@ const (
 	defaultNamespace = namespaces.Default
 
 	containerdSockPath = "/run/containerd/containerd.sock"
-	guestDockerImage   = "docker.io/library/alpine:3.10.1"
 
 	firecrackerRuntime   = "aws.firecracker"
 	naiveSnapshotterName = "firecracker-naive"
@@ -65,6 +64,27 @@ const (
 	varRunDir           = "/var/run/firecracker-containerd"
 )
 
+// Images are presumed by the isolated tests to have already been pulled
+// into the content store. This will just unpack the layers into an
+// image with the provided snapshotter.
+func unpackImage(ctx context.Context, client *containerd.Client, snapshotterName string, imageRef string) (containerd.Image, error) {
+	img, err := client.GetImage(ctx, imageRef)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get image")
+	}
+
+	err = img.Unpack(ctx, snapshotterName)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to unpack image")
+	}
+
+	return img, nil
+}
+
+func alpineImage(ctx context.Context, client *containerd.Client, snapshotterName string) (containerd.Image, error) {
+	return unpackImage(ctx, client, snapshotterName, "docker.io/library/alpine:3.10.1")
+}
+
 func TestShimExitsUponContainerDelete_Isolated(t *testing.T) {
 	internal.RequiresIsolation(t)
 
@@ -74,12 +94,8 @@ func TestShimExitsUponContainerDelete_Isolated(t *testing.T) {
 	require.NoError(t, err, "unable to create client to containerd service at %s, is containerd running?", containerdSockPath)
 	defer client.Close()
 
-	pullTimeout := 180 * time.Second
-	pullCtx, pullCancel := context.WithTimeout(ctx, pullTimeout)
-	defer pullCancel()
-
-	image, err := client.Pull(pullCtx, guestDockerImage, containerd.WithPullUnpack, containerd.WithPullSnapshotter(naiveSnapshotterName))
-	require.NoError(t, err, "failed to pull image %s, is the the %s snapshotter running?", guestDockerImage, naiveSnapshotterName)
+	image, err := alpineImage(ctx, client, naiveSnapshotterName)
+	require.NoError(t, err, "failed to get alpine image")
 
 	testTimeout := 60 * time.Second
 	testCtx, testCancel := context.WithTimeout(ctx, testTimeout)
@@ -215,8 +231,8 @@ func TestMultipleVMs_Isolated(t *testing.T) {
 	require.NoError(t, err, "unable to create client to containerd service at %s, is containerd running?", containerdSockPath)
 	defer client.Close()
 
-	image, err := client.Pull(ctx, guestDockerImage, containerd.WithPullUnpack, containerd.WithPullSnapshotter(naiveSnapshotterName))
-	require.NoError(t, err, "failed to pull image %s, is the the %s snapshotter running?", guestDockerImage, naiveSnapshotterName)
+	image, err := alpineImage(ctx, client, naiveSnapshotterName)
+	require.NoError(t, err, "failed to get alpine image")
 
 	pluginClient, err := ttrpcutil.NewClient(containerdSockPath + ".ttrpc")
 	require.NoError(t, err, "failed to create ttrpc client")
@@ -249,9 +265,11 @@ func TestMultipleVMs_Isolated(t *testing.T) {
 				},
 				NetworkInterfaces: []*proto.FirecrackerNetworkInterface{
 					{
-						HostDevName: tapName,
-						MacAddress:  vmIDtoMacAddr(uint(vmID)),
-						AllowMMDS:   true,
+						AllowMMDS: true,
+						StaticConfig: &proto.StaticNetworkConfiguration{
+							HostDevName: tapName,
+							MacAddress:  vmIDtoMacAddr(uint(vmID)),
+						},
 					},
 				},
 				ContainerCount: containersPerVM,
@@ -440,8 +458,8 @@ func TestStubBlockDevices_Isolated(t *testing.T) {
 	require.NoError(t, err, "unable to create client to containerd service at %s, is containerd running?", containerdSockPath)
 	defer client.Close()
 
-	image, err := client.Pull(ctx, guestDockerImage, containerd.WithPullUnpack, containerd.WithPullSnapshotter(naiveSnapshotterName))
-	require.NoError(t, err, "failed to pull image %s, is the the %s snapshotter running?", guestDockerImage, naiveSnapshotterName)
+	image, err := alpineImage(ctx, client, naiveSnapshotterName)
+	require.NoError(t, err, "failed to get alpine image")
 
 	rootfsPath := defaultVMRootfsPath
 
@@ -465,9 +483,11 @@ func TestStubBlockDevices_Isolated(t *testing.T) {
 		},
 		NetworkInterfaces: []*proto.FirecrackerNetworkInterface{
 			{
-				HostDevName: tapName,
-				MacAddress:  vmIDtoMacAddr(uint(vmID)),
-				AllowMMDS:   true,
+				AllowMMDS: true,
+				StaticConfig: &proto.StaticNetworkConfiguration{
+					HostDevName: tapName,
+					MacAddress:  vmIDtoMacAddr(uint(vmID)),
+				},
 			},
 		},
 		ContainerCount: 5,
@@ -560,16 +580,19 @@ func startAndWaitTask(ctx context.Context, t *testing.T, c containerd.Container)
 	err = task.Start(ctx)
 	require.NoError(t, err, "failed to start task for container %s", c.ID())
 	defer func() {
-		status, err := task.Delete(ctx)
-		require.NoError(t, status.Error())
 		require.NoError(t, err, "failed to delete task for container %s", c.ID())
 	}()
 
 	select {
 	case exitStatus := <-exitCh:
-		require.NoError(t, exitStatus.Error(), "failed to retrieve exitStatus")
-		require.Equal(t, uint32(0), exitStatus.ExitCode())
-		require.Equal(t, "", stderr.String())
+		assert.Equal(t, uint32(0), exitStatus.ExitCode())
+
+		status, err := task.Delete(ctx)
+		assert.NoErrorf(t, err, "failed to delete task %q after exit", c.ID())
+		assert.NoError(t, status.Error())
+		assert.NoError(t, exitStatus.Error(), "failed to retrieve exitStatus")
+
+		assert.Equal(t, "", stderr.String())
 	case <-ctx.Done():
 		require.Fail(t, "context cancelled",
 			"context cancelled while waiting for container %s to exit, err: %v", c.ID(), ctx.Err())
@@ -605,8 +628,8 @@ func testCreateContainerWithSameName(t *testing.T, vmID string) {
 	require.NoError(t, err, "unable to create client to containerd service at %s, is containerd running?", containerdSockPath)
 	defer client.Close()
 
-	image, err := client.Pull(ctx, guestDockerImage, containerd.WithPullUnpack, containerd.WithPullSnapshotter(naiveSnapshotterName))
-	require.NoError(t, err, "failed to pull image %s, is the the %s snapshotter running?", guestDockerImage, naiveSnapshotterName)
+	image, err := alpineImage(ctx, client, naiveSnapshotterName)
+	require.NoError(t, err, "failed to get alpine image")
 
 	containerName := fmt.Sprintf("%s-%d", t.Name(), time.Now().UnixNano())
 	snapshotName := fmt.Sprintf("%s-snapshot", containerName)
@@ -677,8 +700,8 @@ func TestCreateTooManyContainers_Isolated(t *testing.T) {
 	require.NoError(t, err, "unable to create client to containerd service at %s, is containerd running?", containerdSockPath)
 	defer client.Close()
 
-	image, err := client.Pull(ctx, guestDockerImage, containerd.WithPullUnpack, containerd.WithPullSnapshotter(naiveSnapshotterName))
-	require.NoError(t, err, "failed to pull image %s, is the the %s snapshotter running?", guestDockerImage, naiveSnapshotterName)
+	image, err := alpineImage(ctx, client, naiveSnapshotterName)
+	require.NoError(t, err, "failed to get alpine image")
 
 	runEchoHello := containerd.WithNewSpec(oci.WithProcessArgs("echo", "-n", "hello"), firecrackeroci.WithVMID("reuse-same-vm"), oci.WithDefaultPathEnv)
 
diff --git a/tools/demo/fcnet.conflist b/tools/demo/fcnet.conflist
new file mode 100644
index 000000000..2459b3eec
--- /dev/null
+++ b/tools/demo/fcnet.conflist
@@ -0,0 +1,19 @@
+{
+  "cniVersion": "0.3.1",
+  "name": "fcnet",
+  "plugins": [
+    {
+      "type": "ptp",
+      "ipMasq": true,
+      "mtu": 1500,
+      "ipam": {
+        "type": "host-local",
+        "subnet": "192.168.1.0/24",
+        "resolvConf": "/etc/resolv.conf"
+      }
+    },
+    {
+      "type": "tc-redirect-tap"
+    }
+  ]
+}
diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
index 55b858f1c..dba193dc2 100644
--- a/tools/docker/Dockerfile
+++ b/tools/docker/Dockerfile
@@ -72,20 +72,7 @@ ENV STATIC_AGENT='true'
 # directory to a tmp location and copy to one we will actually use (giving ourselves permission to it in the process).
 RUN --mount=type=bind,target=_firecracker-containerd cp -R _firecracker-containerd firecracker-containerd
 RUN --mount=type=cache,from=build-base,source=/home/builder/go/pkg/mod,target=/home/builder/go/pkg/mod \
-	cd firecracker-containerd \
-	&& make \
-	&& cp \
-		agent/agent \
-		runtime/containerd-shim-aws-firecracker \
-		snapshotter/cmd/devmapper/devmapper_snapshotter \
-		snapshotter/cmd/naive/naive_snapshotter \
-		/output
-RUN --mount=type=cache,from=build-base,source=/home/builder/go/pkg/mod,target=/home/builder/go/pkg/mod \
-  cd firecracker-containerd/firecracker-control/cmd/containerd/ \
-  && make \
-  && cp firecracker-containerd /output/containerd \
-  && cp firecracker-ctr /output/ctr
-
+	cd firecracker-containerd && make
 
 
 #########################################
@@ -112,6 +99,7 @@ RUN apt-get update && apt-get install --yes --no-install-recommends \
 		ca-certificates \
 		curl \
 		git \
+		iptables \
 		libdevmapper-dev \
 		libseccomp-dev
 
@@ -126,14 +114,24 @@ COPY tools/image-builder/rootfs.img /var/lib/firecracker-containerd/runtime/defa
 COPY --from=firecracker-containerd-build /output/* /usr/local/bin/
 
 RUN --mount=type=cache,from=build-base,source=/home/builder/go/pkg/mod,target=/tmp/go/pkg/mod,readonly \
-  mkdir -p ${GOPATH}/pkg/mod \
-  && cp -R /tmp/go/pkg/mod/* ${GOPATH}/pkg/mod \
-  && cp -R /tmp/go/pkg/mod/* /home/builder/go/pkg/mod \
-  && chown -R builder /home/builder/go/pkg/mod
+	mkdir -p ${GOPATH}/pkg/mod \
+	&& cp -R /tmp/go/pkg/mod/* ${GOPATH}/pkg/mod \
+	&& cp -R /tmp/go/pkg/mod/* /home/builder/go/pkg/mod \
+	&& chown -R builder /home/builder/go/pkg/mod
+
+COPY --from=firecracker-containerd-build /home/builder/firecracker-containerd /firecracker-containerd
+RUN make -C /firecracker-containerd install
+RUN chmod a+r /firecracker-containerd/go.mod /firecracker-containerd/go.sum # fix for https://github.com/golang/go/issues/31871
+RUN ln -s /usr/local/bin/firecracker-containerd /usr/local/bin/containerd
+RUN ln -s /usr/local/bin/firecracker-ctr /usr/local/bin/ctr
 
 RUN mkdir -p /var/run/firecracker-containerd \
 	&& mkdir -p ${FICD_LOG_DIR}
 
+# make sure all our dependencies, including test dependencies, are pulled into the
+# image so we don't need internet access during the test runs themselves
+RUN cd /firecracker-containerd && go get -d ./...
+
 ENTRYPOINT ["/bin/bash", "-c"]
 
 
@@ -152,9 +150,16 @@ COPY _submodules/runc/runc /usr/local/bin
 COPY tools/image-builder/rootfs.img /var/lib/firecracker-containerd/runtime/default-rootfs.img
 COPY tools/docker/firecracker-runtime.json /etc/containerd/firecracker-runtime.json
 
+# pull the images the tests need into the content store so we don't need internet
+# access during the tests themselves
 COPY tools/docker/naive-snapshotter/config.toml /etc/containerd/config.toml
-COPY tools/docker/naive-snapshotter/entrypoint.sh /entrypoint
+RUN containerd 2>/dev/null & \
+	ctr content fetch docker.io/library/alpine:3.10.1 >/dev/null
+
 RUN mkdir -p /var/lib/firecracker-containerd/naive
+RUN make -C /firecracker-containerd demo-network
+COPY tools/docker/firecracker-runtime.json /etc/containerd/firecracker-runtime.json
+COPY tools/docker/naive-snapshotter/entrypoint.sh /entrypoint
 
 ENTRYPOINT ["/entrypoint"]
 CMD ["exec /bin/bash"]
diff --git a/tools/docker/firecracker-runtime.json b/tools/docker/firecracker-runtime.json
index 3edd6acfc..110169ae3 100644
--- a/tools/docker/firecracker-runtime.json
+++ b/tools/docker/firecracker-runtime.json
@@ -7,5 +7,13 @@
   "cpu_template": "T2",
   "log_fifo": "/tmp/fc-logs.fifo",
   "log_level": "Debug",
-  "metrics_fifo": "/tmp/fc-metrics.fifo"
+  "metrics_fifo": "/tmp/fc-metrics.fifo",
+  "default_network_interfaces": [
+    {
+      "CNIConfig": {
+        "NetworkName": "fcnet",
+        "InterfaceName": "veth0"
+      }
+    }
+  ]
 }
diff --git a/tools/image-builder/files_debootstrap/etc/resolv.conf b/tools/image-builder/files_debootstrap/etc/resolv.conf
new file mode 120000
index 000000000..cfdae740b
--- /dev/null
+++ b/tools/image-builder/files_debootstrap/etc/resolv.conf
@@ -0,0 +1 @@
+/proc/net/pnp
\ No newline at end of file