diff --git a/apps/docs/content/bun/how-to/access.mdx b/apps/docs/content/bun/how-to/access.mdx
deleted file mode 100644
index a48a3f81..00000000
--- a/apps/docs/content/bun/how-to/access.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: How to access your Bun application
-description: Learn more about how you can access your Bun application on Zerops.
----
-
-import { SetVar } from '/src/components/content/var';
-import AccessContent from '/src/components/content/access.mdx';
-
-<SetVar name="serviceDisplay" value="Bun" />
-<SetVar name="servicePath" value="bun" />
-<SetVar name="defaultPort" value="3000" />
-
-<AccessContent />
\ No newline at end of file
diff --git a/apps/docs/content/bun/how-to/build-pipeline.mdx b/apps/docs/content/bun/how-to/build-pipeline.mdx
index 5d3c8d99..0c793e5a 100644
--- a/apps/docs/content/bun/how-to/build-pipeline.mdx
+++ b/apps/docs/content/bun/how-to/build-pipeline.mdx
@@ -520,7 +520,7 @@ _OPTIONAL._ Specifies one or more internal ports on which your application will
 
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
 
-For example, to connect to a Bun service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Bun service](access).
+For example, to connect to a Bun service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Bun service](/features/access).
 
 Each port has following attributes:
 
diff --git a/apps/docs/content/bun/overview.mdx b/apps/docs/content/bun/overview.mdx
index 57cbc9de..69e7e06c 100644
--- a/apps/docs/content/bun/overview.mdx
+++ b/apps/docs/content/bun/overview.mdx
@@ -193,7 +193,7 @@ Have you build something that others might find useful? Don't hesitate to share
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/deno/how-to/access.mdx b/apps/docs/content/deno/how-to/access.mdx
deleted file mode 100644
index 3416f757..00000000
--- a/apps/docs/content/deno/how-to/access.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: How to access your Deno application
-description: Learn more about how you can access your Deno application on Zerops.
----
-
-import { SetVar } from '/src/components/content/var';
-import AccessContent from '/src/components/content/access.mdx';
-
-<SetVar name="serviceDisplay" value="Deno" />
-<SetVar name="servicePath" value="deno" />
-<SetVar name="defaultPort" value="8000" />
-
-<AccessContent />
\ No newline at end of file
diff --git a/apps/docs/content/deno/how-to/build-pipeline.mdx b/apps/docs/content/deno/how-to/build-pipeline.mdx
index d57c1198..9a91f118 100644
--- a/apps/docs/content/deno/how-to/build-pipeline.mdx
+++ b/apps/docs/content/deno/how-to/build-pipeline.mdx
@@ -513,7 +513,7 @@ _OPTIONAL._ Specifies one or more internal ports on which your application will
 
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
 
-For example, to connect to a Deno service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Deno service](/deno/how-to/access).
+For example, to connect to a Deno service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Deno service](/references/networking/internal-access#basic-service-communication).
 
 Each port has following attributes:
 
diff --git a/apps/docs/content/deno/overview.mdx b/apps/docs/content/deno/overview.mdx
index 15171f90..5091e8fb 100644
--- a/apps/docs/content/deno/overview.mdx
+++ b/apps/docs/content/deno/overview.mdx
@@ -196,7 +196,7 @@ Have you build something that others might find useful? Don't hesitate to share
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/dotnet/how-to/access.mdx b/apps/docs/content/dotnet/how-to/access.mdx
deleted file mode 100644
index 8162d256..00000000
--- a/apps/docs/content/dotnet/how-to/access.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: How to access your .NET application
-description: Learn more about how you can access your .NET application on Zerops.
----
-
-import { SetVar } from '/src/components/content/var';
-import AccessContent from '/src/components/content/access.mdx';
-
-<SetVar name="serviceDisplay" value=".NET" />
-<SetVar name="servicePath" value="dotnet" />
-<SetVar name="defaultPort" value="5000" />
-
-<AccessContent />
\ No newline at end of file
diff --git a/apps/docs/content/dotnet/how-to/build-pipeline.mdx b/apps/docs/content/dotnet/how-to/build-pipeline.mdx
index dc631c02..43ff2f3e 100644
--- a/apps/docs/content/dotnet/how-to/build-pipeline.mdx
+++ b/apps/docs/content/dotnet/how-to/build-pipeline.mdx
@@ -515,7 +515,7 @@ _OPTIONAL._ Specifies one or more internal ports on which your application will
 
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
 
-For example, to connect to a .NET service with hostname = "app" and port = 5000 from another service of the same project, simply use `app:5000`. Read more about [how to access a .NET service](/dotnet/how-to/access).
+For example, to connect to a .NET service with hostname = "app" and port = 5000 from another service of the same project, simply use `app:5000`. Read more about [how to access a .NET service](/references/networking/internal-access#basic-service-communication).
 
 Each port has following attributes:
 
diff --git a/apps/docs/content/dotnet/overview.mdx b/apps/docs/content/dotnet/overview.mdx
index c03c0940..fc706102 100644
--- a/apps/docs/content/dotnet/overview.mdx
+++ b/apps/docs/content/dotnet/overview.mdx
@@ -181,7 +181,7 @@ Have you build something that others might find useful? Don't hesitate to share
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/elixir/how-to/access.mdx b/apps/docs/content/elixir/how-to/access.mdx
deleted file mode 100644
index b446c144..00000000
--- a/apps/docs/content/elixir/how-to/access.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: How to access your Elixir application
-description: Learn more about how you can access your Elixir application on Zerops.
----
-
-import { SetVar } from '/src/components/content/var';
-import AccessContent from '/src/components/content/access.mdx';
-
-<SetVar name="serviceDisplay" value="Elixir" />
-<SetVar name="servicePath" value="elixir" />
-<SetVar name="defaultPort" value="4000" />
-
-<AccessContent />
\ No newline at end of file
diff --git a/apps/docs/content/elixir/how-to/build-pipeline.mdx b/apps/docs/content/elixir/how-to/build-pipeline.mdx
index 58a0aabd..df663c11 100644
--- a/apps/docs/content/elixir/how-to/build-pipeline.mdx
+++ b/apps/docs/content/elixir/how-to/build-pipeline.mdx
@@ -516,7 +516,7 @@ _OPTIONAL._ Specifies one or more internal ports on which your application will
 
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
 
-For example, to connect to a Elixir service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Elixir service](/elixir/how-to/access).
+For example, to connect to a Elixir service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Elixir service](/references/networking/internal-access#basic-service-communication).
 
 Each port has following attributes:
 
diff --git a/apps/docs/content/elixir/overview.mdx b/apps/docs/content/elixir/overview.mdx
index 647ba24f..df311e43 100644
--- a/apps/docs/content/elixir/overview.mdx
+++ b/apps/docs/content/elixir/overview.mdx
@@ -202,7 +202,7 @@ Have you build something that others might find useful? Don't hesitate to share
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/features/access.mdx b/apps/docs/content/features/access.mdx
index 75348719..f8b096ab 100644
--- a/apps/docs/content/features/access.mdx
+++ b/apps/docs/content/features/access.mdx
@@ -1,222 +1,112 @@
 ---
-title: Zerops Domain & Access Configuration
-description: Configure subdomains, custom domains and IP access for your Zerops applications.
+title: Access & Networking
+description: Connect to your services internally and make them publicly accessible from the internet.
 ---
 
 import Image from '/src/components/Image';
-import GroupCards from '../../src/components/GroupCards'
-import Video from '../../src/components/Video';
-
-export const languages = [
-    { name: "Bun", link: "/java/how-to/build-pipeline#ports" },
-    { name: "Deno", link: "/go/how-to/build-pipeline#ports" },
-    { name: ".NET", link: "/dotnet/how-to/build-pipeline#ports" },
-    { name: "Elixir", link: "/php/how-to/build-pipeline#ports" },
-    { name: "Gleam", link: "/dotnet/how-to/build-pipeline#ports" },
-    { name: "Go", link: "/go/how-to/build-pipeline#ports" },
-    { name: "Java", link: "/java/how-to/build-pipeline#ports" },
-    { name: "Node.js", link: "/nodejs/how-to/build-pipeline#ports" },
-    { name: "PHP", link: "/php/how-to/build-pipeline#ports" },
-    { name: "Python", link: "/python/how-to/build-pipeline#ports" },
-    { name: "Rust", link: "/rust/how-to/build-pipeline#ports" },
-]
-
-Zerops provides three ways to make your application accessible from the internet:
-- [Zerops subdomain](#public-access-through-zerops-subdomain) - ideal for testing and development
-- [Custom domain](#public-access-through-your-domain) - recommended for production deployments
-- [Direct port access](#opening-public-ports) - for non-HTTP protocols and specialized use cases
-
-Each method serves different needs and comes with its own configuration options.
+
+Zerops provides multiple ways to access your services, whether you need internal communication between services, secure access from your development machine, or public access from the internet.
 
 :::note
-By default, your runtime service is not publicly accessible until you configure one of these methods.
+By default, your services are not publicly accessible until you configure external access. Internal communication between services within the same project works automatically.
 :::
 
-## Public Access Through Zerops Subdomain
+## How Zerops Networking Works
 
-For development and testing purposes, Zerops offers a quick way to make your application accessible through a `.zerops.app` subdomain. This option requires minimal configuration and includes automatic SSL certificate management.
+Every Zerops project includes a **shared networking infrastructure** that handles all access methods:
 
-### Configuration Steps
+**Private Project Network:**
+- All services within a project share a dedicated private network
+- Services communicate directly using hostnames and internal ports
+- Traffic stays isolated within your project
 
-1. Navigate to your service detail page in Zerops GUI
-2. Select **Public access & internal ports** from the left menu
-3. Toggle the **Zerops subdomain access** switch
+**Public Access Infrastructure:**
+- **Core (L3) Balancer** manages IP addresses and direct port access
+- **L7 HTTP Balancer** handles domain routing and SSL termination
+  - Can be extensively configured for advanced routing, performance optimization, and custom behaviors
+  - See the [L7 Balancer Configuration Guide](/references/networking/l7-balancer-config) for detailed options
+- Both are shared across all services in your project
 
-<p align="center">
-  <Image
-    lightImage="/img/gui/public-access.webp"
-    darkImage="/img/gui/public-access.webp"
-    alt="Public Access"
-    style={{ width: '90%', height: 'auto' }}
-  />
-</p>
+**Secure External Access:**
+- **Built-in VPN** provides secure tunnel access to your project's private network
+- Useful for development, debugging, and administration
 
-Once enabled, Zerops assigns a unique subdomain for your application. If you've defined multiple [internal ports](/zerops-yaml/specification#ports-) with HTTP support in your `zerops.yaml`, each port receives its own unique `.zerops.app` subdomain.
+## Internal Access
 
-<GroupCards heading="Configure internal ports for your Runtime" items={languages} />
+:::tip Complete Internal Access Setup
+See the [Internal access reference guide](/references/networking/internal-access).
+:::
 
-### Technical Details
+Services within the same project can communicate directly using hostnames and internal ports. No additional configuration required.
 
-When using Zerops subdomains:
-- Access your application using the `https://` protocol (Zerops automatically manages SSL certificates)
-- Traffic flows through a central HTTP balancer that:
-  - Terminates SSL connections
-  - Forwards requests to your application via HTTP
-  - Handles all security certificates
+**Example:** Connect to your `api` service on port 3000:
+```
+http://api:3000
+```
 
-:::warning Production Limitations
-- The central HTTPS balancer is shared across all Zerops projects, which creates a scalability bottleneck
-- Maximum upload size is limited to 50MB
-- Not recommended for production traffic
-:::
+**Key points:**
+- Use service hostname as the address
+- Use HTTP (not HTTPS) for internal communication
+- Access internal ports defined in your service configuration
+- Communication is automatically isolated from other projects
 
-## Public Access Through Your Domain
-
-When your application is ready for production or you need to test with your actual domain, configure custom domain access. This method provides better performance, scalability, and full control over your domain settings.
-
-<p align="center">
-  <Image
-    lightImage="/img/gui/public-access-domain.webp"
-    darkImage="/img/gui/public-access-domain.webp"
-    alt="Public Access"
-    style={{ width: '65%', height: 'auto' }}
-  />
-</p>
-
-### IP Address Configuration
-
-Before setting up domain access, you'll need public IP addresses. Zerops offers the following IP options:
-
-#### IPv4 Options
-
-##### Dedicated IPv4 Address ($3/30 days)
-- Dedicated to your project and shared across all project services
-- One IPv4 address per project limit
-- Protects against blacklisting risks associated with shared IPs
-- Subscription automatically renews every 30 days *(cannot be purchased with promo credit)*
-    - Fee is non-refundable but address can be reused in another project until subscription ends
-- **Recommended for production workloads**
-
-##### Shared IPv4 Address (Free)
-- Available at no cost
-- Shared across all Zerops users and their projects
-- Limitations:
-  - Restricted number of open connections
-  - Shorter connection timeouts
-- **Not recommended for production use**
-
-#### IPv6 Address (Free)
-- Dedicated to your project and shared across all project services
-- One IPv6 address per project limit
-- Automatically activated with first domain setup
-- Available for all projects at no additional cost
-
-:::tip
-Since IPv6 support is not universal, using both IPv4 and IPv6 is recommended for maximum accessibility.
-:::
+### Environment Variables
 
-### Configuring HTTP Routing
+Zerops automatically creates environment variables to help with internal connections between services.
 
-To set up domain access:
+## VPN Access
+:::tip Complete VPN Setup
+See the [VPN reference guide](/references/networking/vpn).
+:::
 
-1. Go to your service detail in Zerops GUI and select **Public access & internal ports**
-2. Click **Setup first domain access**
-3. Configure your domain settings:
-   - Enter domain names (e.g., `mydomain.com`, `app.mydomain.com`)
-   - Add multiple domains if needed (useful for multi-language sites)
-   - Choose SSL certificate management
-4. Define routing rules:
-   - Source: The public path (the part of URL after your domain)
-   - Destination: Choose which application and internal port receives the traffic
-   - Add multiple routing configurations as needed
+Connect securely to your project's internal network from your local machine:
 
-All settings can be modified later as your needs change.
+```bash
+# Connect to your project
+zcli vpn up <project-id>
 
-<Video
-  width="80%"
-  autoplay="true"
-  loop="loop"
-  muted="muted"
-  preload="none"
-  src="/vids/routes.webm"
-  plays-inline="true"
-/>
+# Access services using internal hostnames
+curl http://api:3000/health
 
-### DNS Configuration
+# Disconnect when done
+zcli vpn down
+```
 
-After setting up domain access in Zerops, you'll need to configure your DNS records with your domain registrar.
+## Public Access
 
-:::tip DNS Provider Guides
-- **Cloudflare users**: Follow our [Cloudflare DNS Configuration Guide](/features/cloudflare) for step-by-step Cloudflare-specific instructions
-- **Other providers**: Use the [general DNS and Proxy Configuration Guide](/features/dns) for universal DNS setup instructions
+:::tip Complete Public Access Setup
+See the [Public access reference guide](/references/networking/public-access).
 :::
 
-### HTTPS Configuration
+Make your services accessible from the internet using one of three methods:
 
-When using Let's Encrypt certificates (recommended):
+### Zerops Subdomain
+**Best for:** Development and testing
 
-#### Certificate Management
-- Zerops handles all certificate installation and renewal
-- Certificates are free of charge
-- No manual certificate management required
+- Quick setup with automatic `.zerops.app` subdomains
+- Each service gets its own unique subdomain
+- Automatic SSL certificate management
+- Shared infrastructure (has limitations for production use)
 
-#### Traffic Flow
-1. Traffic arrives at your public IPv4/IPv6 addresses
-2. Requests route through your project's dedicated HTTPS balancer
-3. SSL termination occurs at the balancer level
-4. Internal traffic uses HTTP protocol for optimal performance
+### Custom Domain
+**Best for:** Production deployments
 
-#### Balancer Architecture
-- Deployed in two containers for redundancy
-- Scales vertically based on traffic demands
-- Cannot be directly modified
-- Included free of charge
+- Use your own domain names
+- Better performance with dedicated balancer
+- Full control over SSL and routing
+- Requires DNS configuration
 
-## Opening Public Ports
+### Direct Port Access
+**Best for:** Non-HTTP protocols and specialized use cases
 
-For applications requiring direct port access or non-HTTP protocols, Zerops provides flexible port configuration options.
+- Direct access to specific ports on your services
+- Supports any protocol (TCP/UDP)
+- Optional firewall configuration
+- Uses your project's IP addresses
 
-:::important
-Currently, direct public port access is only available for runtime services and PostgreSQL databases.
-:::
+## Next Steps
 
-<p align="center">
-  <Image
-    src="/img/gui/ipv6-public-port.webp"
-    alt="Public Access Port"
-    style={{ width: '90%', height: 'auto' }}
-  />
-</p>
-
-### Port Configuration
-
-1. Navigate to service detail page in Zerops GUI
-   - For runtime services select **Subdomain & domain & IP access**
-   - For PostgreSQL select **Direct access through IP address**
-2. Configure your port settings:
-   - Either **Setup first access through IPv6** or activate **Unique IPv4 add-on** (if needed)
-   - Choose any port from 10-65435 (except 80 and 443)
-   - Select destination service and internal port
-   - Each public port can be mapped to any internal service port
-   - Multiple public ports can point to the same internal port if needed
-   - Port configurations can be set independently for IPv4 and IPv6
-
-### Firewall Configuration
-
-Optionally secure your ports with firewall rules:
-
-1. Enable firewall for specific ports
-2. Choose policy type:
-   - **Blacklist**: Block specific IPs/ranges
-   - **Whitelist**: Allow only specific IPs/ranges
-3. Configure IP rules:
-   - Single IP format affects only the specific IP
-   - IP range format affects all IPs in that CIDR range
-
-<p align="center">
- <Image
-   src="/img/gui/enable-firewall.webp"
-   alt="Enable Firewall"
-   style={{ width: '90%', height: 'auto' }}
- />
-</p>
\ No newline at end of file
+- **Internal access setup:** [Internal Access Reference Guide](/references/networking/internal-access)
+- **Public access configuration:** [Public Access Reference Guide](/references/networking/public-access)
+- **VPN setup and troubleshooting:** [VPN Reference Guide](/references/networking/vpn)
+- **Advanced routing and SSL:** [L7 Balancer Configuration Guide](/references/networking/l7-balancer-config)
\ No newline at end of file
diff --git a/apps/docs/content/features/cdn.mdx b/apps/docs/content/features/cdn.mdx
index 99107b38..7f38d4b8 100644
--- a/apps/docs/content/features/cdn.mdx
+++ b/apps/docs/content/features/cdn.mdx
@@ -94,9 +94,10 @@ Access the storage CDN URL via the `storageCdnUrl` **project** environment varia
 Ideal for caching and delivering static website assets like HTML, CSS, JavaScript, and images served from your custom domains.
 
 **Setup process:**
-1. Configure domain access for your service
-2. Ensure your domains are DNS-verified and have active SSL certificates
-3. Enable CDN for the domain group
+1. Configure domain access for your service through the L7 HTTP Balancer section
+2. Access domain settings via the **three dots menu** or **gear icon** next to your domain entry
+3. In the "Project Domain Access Modification" dialog, enable the **"Enable CDN for static files"** toggle
+4. Optionally enable "Automatically install SSL Certificates" if not already configured
 
 **Accessing content:**
 ```txt
diff --git a/apps/docs/content/frameworks/laravel/introduction.mdx b/apps/docs/content/frameworks/laravel/introduction.mdx
index c9c5a353..1302e68d 100644
--- a/apps/docs/content/frameworks/laravel/introduction.mdx
+++ b/apps/docs/content/frameworks/laravel/introduction.mdx
@@ -267,7 +267,7 @@ Once the deployment completes, let's verify everything works:
 5. Click the generated URL (e.g., `https://app-xxx.prg1.zerops.app`) to view your application
 
 :::note
-The Zerops subdomain is perfect for testing and development, but for production, you should [set up your own domain](/features/access#public-access-through-your-domain) under **Public Access through Your Domains**.
+The Zerops subdomain is perfect for testing and development, but for production, you should [set up your own domain](/references/networking/public-access#custom-domain-access) under **Public Access through Your Domains**.
 :::
 
 ### Testing Database Connectivity
@@ -328,7 +328,7 @@ Now you can use your favorite database management tool or run artisan commands w
 
 Now that your Laravel application is running on Zerops, consider:
 
-1. Setting up a [custom domain](/features/access#public-access-through-your-domain)
+1. Setting up a [custom domain](/references/networking/public-access#custom-domain-access)
 2. Implementing basic CI/CD pipelines with [GitHub](/references/github-integration) or [GitLab](/references/gitlab-integration) integration
 3. Setting up [object storage](/object-storage/overview)
 
diff --git a/apps/docs/content/frameworks/laravel/recipes/filament-local.mdx b/apps/docs/content/frameworks/laravel/recipes/filament-local.mdx
index bda7d1f1..34d14bf7 100644
--- a/apps/docs/content/frameworks/laravel/recipes/filament-local.mdx
+++ b/apps/docs/content/frameworks/laravel/recipes/filament-local.mdx
@@ -50,7 +50,7 @@ Zerops provides a built-in VPN feature through its CLI tool, enabling seamless l
 
 ### Prerequisites
 - Install the [Zerops CLI](/references/cli#get-started) and log in with [personal access token](/references/cli#personal-access-tokens)
-- Install [Wireguard](/references/vpn) on your system
+- Install [Wireguard](/references/networking/vpn) on your system
 
 ### Setup Steps
 
diff --git a/apps/docs/content/frameworks/laravel/recipes/jetstream-local.mdx b/apps/docs/content/frameworks/laravel/recipes/jetstream-local.mdx
index 32ba65c5..d060e8c6 100644
--- a/apps/docs/content/frameworks/laravel/recipes/jetstream-local.mdx
+++ b/apps/docs/content/frameworks/laravel/recipes/jetstream-local.mdx
@@ -50,7 +50,7 @@ Zerops provides a built-in VPN feature through its CLI tool, enabling seamless l
 
 ### Prerequisites
 - Install the [Zerops CLI](/references/cli#get-started) and log in with [personal access token](/references/cli#personal-access-tokens)
-- Install [Wireguard](/references/vpn) on your system
+- Install [Wireguard](/references/networking/vpn) on your system
 
 ### Setup Steps
 
diff --git a/apps/docs/content/frameworks/laravel/recipes/minimal-local.mdx b/apps/docs/content/frameworks/laravel/recipes/minimal-local.mdx
index ffa79aa8..8cb5861b 100644
--- a/apps/docs/content/frameworks/laravel/recipes/minimal-local.mdx
+++ b/apps/docs/content/frameworks/laravel/recipes/minimal-local.mdx
@@ -45,7 +45,7 @@ Zerops provides a built-in VPN feature through its CLI tool, enabling seamless l
 
 ### Prerequisites
 - Install the [Zerops CLI](/references/cli#get-started) and log in with [personal access token](/references/cli#personal-access-tokens)
-- Install [Wireguard](/references/vpn) on your system
+- Install [Wireguard](/references/networking/vpn) on your system
 
 ### Setup Steps
 
diff --git a/apps/docs/content/frameworks/laravel/recipes/twill-local.mdx b/apps/docs/content/frameworks/laravel/recipes/twill-local.mdx
index 80ceed2c..ee5fd55e 100644
--- a/apps/docs/content/frameworks/laravel/recipes/twill-local.mdx
+++ b/apps/docs/content/frameworks/laravel/recipes/twill-local.mdx
@@ -50,7 +50,7 @@ Zerops provides a built-in VPN feature through its CLI tool, enabling seamless l
 
 ### Prerequisites
 - Install the [Zerops CLI](/references/cli#get-started) and log in with [personal access token](/references/cli#personal-access-tokens)
-- Install [Wireguard](/references/vpn) on your system
+- Install [Wireguard](/references/networking/vpn) on your system
 
 ### Setup Steps
 
diff --git a/apps/docs/content/gleam/how-to/access.mdx b/apps/docs/content/gleam/how-to/access.mdx
deleted file mode 100644
index b363f045..00000000
--- a/apps/docs/content/gleam/how-to/access.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: How to access your Gleam application
-description: Learn more about how you can access your Gleam application on Zerops.
----
-
-import { SetVar } from '/src/components/content/var';
-import AccessContent from '/src/components/content/access.mdx';
-
-<SetVar name="serviceDisplay" value="Gleam" />
-<SetVar name="servicePath" value="gleam" />
-<SetVar name="defaultPort" value="8080" />
-
-<AccessContent />
\ No newline at end of file
diff --git a/apps/docs/content/gleam/how-to/build-pipeline.mdx b/apps/docs/content/gleam/how-to/build-pipeline.mdx
index 30392b07..feb6f9cc 100644
--- a/apps/docs/content/gleam/how-to/build-pipeline.mdx
+++ b/apps/docs/content/gleam/how-to/build-pipeline.mdx
@@ -517,7 +517,7 @@ _OPTIONAL._ Specifies one or more internal ports on which your application will
 
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
 
-For example, to connect to a Gleam service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Gleam service](/gleam/how-to/access).
+For example, to connect to a Gleam service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Gleam service](/references/networking/internal-access#basic-service-communication).
 
 Each port has following attributes:
 
diff --git a/apps/docs/content/gleam/overview.mdx b/apps/docs/content/gleam/overview.mdx
index a2ce7fa5..02415f34 100644
--- a/apps/docs/content/gleam/overview.mdx
+++ b/apps/docs/content/gleam/overview.mdx
@@ -200,7 +200,7 @@ Have you build something that others might find useful? Don't hesitate to share
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/go/how-to/access.mdx b/apps/docs/content/go/how-to/access.mdx
deleted file mode 100644
index e78f2bba..00000000
--- a/apps/docs/content/go/how-to/access.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: How to access your Go application
-description: Learn more about how you can access your Go application on Zerops.
----
-
-import { SetVar } from '/src/components/content/var';
-import AccessContent from '/src/components/content/access.mdx';
-
-<SetVar name="serviceDisplay" value="Go" />
-<SetVar name="servicePath" value="go" />
-<SetVar name="defaultPort" value="8080" />
-
-<AccessContent />
\ No newline at end of file
diff --git a/apps/docs/content/go/how-to/build-pipeline.mdx b/apps/docs/content/go/how-to/build-pipeline.mdx
index d56afd98..368b0c40 100644
--- a/apps/docs/content/go/how-to/build-pipeline.mdx
+++ b/apps/docs/content/go/how-to/build-pipeline.mdx
@@ -509,7 +509,7 @@ _OPTIONAL._ Specifies one or more internal ports on which your application will
 
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
 
-For example, to connect to a Go service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Go service](/go/how-to/access).
+For example, to connect to a Go service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Go service](/references/networking/internal-access#basic-service-communication).
 
 Each port has following attributes:
 
diff --git a/apps/docs/content/go/overview.mdx b/apps/docs/content/go/overview.mdx
index 3eb0e501..c71c5ca1 100644
--- a/apps/docs/content/go/overview.mdx
+++ b/apps/docs/content/go/overview.mdx
@@ -180,7 +180,7 @@ Have you build something that others might find useful? Don't hesitate to share
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/java/how-to/access.mdx b/apps/docs/content/java/how-to/access.mdx
deleted file mode 100644
index e2dc083d..00000000
--- a/apps/docs/content/java/how-to/access.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: How to access your Java application
-description: Learn more about how you can access your Java application on Zerops.
----
-
-import { SetVar } from '/src/components/content/var';
-import AccessContent from '/src/components/content/access.mdx';
-
-<SetVar name="serviceDisplay" value="Java" />
-<SetVar name="servicePath" value="java" />
-<SetVar name="defaultPort" value="8080" />
-
-<AccessContent />
\ No newline at end of file
diff --git a/apps/docs/content/java/how-to/build-pipeline.mdx b/apps/docs/content/java/how-to/build-pipeline.mdx
index e4bee0dc..67833565 100644
--- a/apps/docs/content/java/how-to/build-pipeline.mdx
+++ b/apps/docs/content/java/how-to/build-pipeline.mdx
@@ -508,7 +508,7 @@ _OPTIONAL._ Specifies one or more internal ports on which your application will
 
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
 
-For example, to connect to a Java service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Java service](/java/how-to/access).
+For example, to connect to a Java service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Java service](/references/networking/internal-access#basic-service-communication).
 
 Each port has following attributes:
 
diff --git a/apps/docs/content/java/overview.mdx b/apps/docs/content/java/overview.mdx
index 885e042c..328bfa02 100644
--- a/apps/docs/content/java/overview.mdx
+++ b/apps/docs/content/java/overview.mdx
@@ -184,7 +184,7 @@ Have you build something that others might find useful? Don't hesitate to share
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/keydb/how-to/connect.mdx b/apps/docs/content/keydb/how-to/connect.mdx
index d488f738..fda0c9de 100644
--- a/apps/docs/content/keydb/how-to/connect.mdx
+++ b/apps/docs/content/keydb/how-to/connect.mdx
@@ -80,7 +80,7 @@ Due to security reasons Zerops doesn't allow exposing KeyDB service directly to
 You can securely connect to KeyDB from your local workspace via Zerops VPN. Zerops VPN client is included into zCLI, the Zerops command-line tool. To start a VPN connection to the selected Zerops project, follow these steps:
 
 1. [Install & setup zCLI](/references/cli)
-2. [Start the Zerops VPN](/references/vpn#start-vpn)
+2. [Start the Zerops VPN](/references/networking/vpn#start-vpn)
 
 ### Access KeyDB through VPN
 
@@ -92,7 +92,7 @@ Do not use SSL/TLS protocols when connecting to KeyDB over VPN. Zerops KeyDB is
 
 ### Stop VPN connection
 
-[Stop the Zerops VPN](/references/vpn#stop-vpn) in zCLI.
+[Stop the Zerops VPN](/references/networking/vpn#stop-vpn) in zCLI.
 
 ### Connect to KeyDB from another Zerops project
 
diff --git a/apps/docs/content/keydb/overview.mdx b/apps/docs/content/keydb/overview.mdx
index dbb7a4df..7861c5ff 100644
--- a/apps/docs/content/keydb/overview.mdx
+++ b/apps/docs/content/keydb/overview.mdx
@@ -90,7 +90,7 @@ While KeyDB is available on Zerops, please note that KeyDB development has not b
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/mariadb/how-to/connect.mdx b/apps/docs/content/mariadb/how-to/connect.mdx
index 6c8e5d51..1bdee455 100644
--- a/apps/docs/content/mariadb/how-to/connect.mdx
+++ b/apps/docs/content/mariadb/how-to/connect.mdx
@@ -110,7 +110,7 @@ Due to security reasons Zerops doesn't allow exposing MariaDB service directly t
 You can securely connect to MariaDB from your local workspace via Zerops VPN. Zerops VPN client is included into zCLI, the Zerops command-line tool. To start a VPN connection to the selected Zerops project, follow these steps:
 
 1. [Install & setup zCLI](/references/cli)
-2. [Start the Zerops VPN](/references/vpn#start-vpn)
+2. [Start the Zerops VPN](/references/networking/vpn#start-vpn)
 
 ### Access MariaDB through VPN
 
@@ -122,7 +122,7 @@ Do not use SSL/TLS protocols when connecting to MariaDB over VPN. Zerops MariaDB
 
 ### Stop VPN connection
 
-[Stop the Zerops VPN](/references/vpn#stop-vpn) in zCLI.
+[Stop the Zerops VPN](/references/networking/vpn#stop-vpn) in zCLI.
 
 ### Connect to MariaDB from another Zerops project
 
diff --git a/apps/docs/content/mariadb/how-to/manage.mdx b/apps/docs/content/mariadb/how-to/manage.mdx
index d56604f7..ceee3336 100644
--- a/apps/docs/content/mariadb/how-to/manage.mdx
+++ b/apps/docs/content/mariadb/how-to/manage.mdx
@@ -56,7 +56,7 @@ By default Adminer service is private and is accessible from your local workstat
 You can securely connect to MariaDB from your local workspace via Zerops VPN. Zerops VPN client is included into zCLI, the Zerops command-line tool. To start a VPN connection to the selected Zerops project, follow these steps:
 
 1. [Install & setup zCLI](/references/cli)
-2. [Start the Zerops VPN](/references/vpn)
+2. [Start the Zerops VPN](/references/networking/vpn)
 3. Type `http://adminer` into your browser
 
 :::caution
@@ -106,7 +106,7 @@ By default phpMyAdmin service is private and is accessible from your local works
 You can securely connect to MariaDB from your local workspace via Zerops VPN. Zerops VPN client is included into zCLI, the Zerops command-line tool. To start a VPN connection to the selected Zerops project, follow these steps:
 
 1. [Install & setup zCLI](/references/cli)
-2. [Start the Zerops VPN](/references/vpn)
+2. [Start the Zerops VPN](/references/networking/vpn)
 3. Type `http://phpmyadmin` into your browser
 
 :::caution
diff --git a/apps/docs/content/mariadb/overview.mdx b/apps/docs/content/mariadb/overview.mdx
index bb4c554c..f07ff9e4 100644
--- a/apps/docs/content/mariadb/overview.mdx
+++ b/apps/docs/content/mariadb/overview.mdx
@@ -142,7 +142,7 @@ Have you build something that others might find useful? Don't hesitate to share
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/meilisearch/overview.mdx b/apps/docs/content/meilisearch/overview.mdx
index 3fec0831..97c7a627 100644
--- a/apps/docs/content/meilisearch/overview.mdx
+++ b/apps/docs/content/meilisearch/overview.mdx
@@ -73,7 +73,7 @@ The service provides three pre-configured API keys, each with specific access le
 ### Access Methods
 
 #### Public HTTPS Access
-When enabled, access via [Zerops subdomain](/features/access#public-access-through-zerops-subdomain).
+When enabled, access via [Zerops subdomain](/references/networking/public-access#zerops-subdomain-access).
 
 #### Internal Project Access
 Services within the same project can reach Meilisearch directly:
diff --git a/apps/docs/content/nginx/how-to/access.mdx b/apps/docs/content/nginx/how-to/access.mdx
deleted file mode 100644
index d895da0d..00000000
--- a/apps/docs/content/nginx/how-to/access.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: How to access your Nginx application
-description: Learn more about how you can access your Nginx application on Zerops.
----
-
-import { SetVar } from '/src/components/content/var';
-import AccessContent from '/src/components/content/access.mdx';
-
-<SetVar name="serviceDisplay" value="Nginx" />
-<SetVar name="servicePath" value="nginx" />
-<SetVar name="defaultPort" value="80" />
-
-<AccessContent />
\ No newline at end of file
diff --git a/apps/docs/content/nginx/how-to/build-pipeline.mdx b/apps/docs/content/nginx/how-to/build-pipeline.mdx
index 5dca69cf..6793902b 100644
--- a/apps/docs/content/nginx/how-to/build-pipeline.mdx
+++ b/apps/docs/content/nginx/how-to/build-pipeline.mdx
@@ -209,7 +209,7 @@ If you want the web server to listen on other port(s) than `:80`, you must [cust
 
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
 
-For example, to connect to a Nginx static service with hostname = "app" and port = 80 from another service of the same project, simply use `app:80`. Read more about [how to access a Nginx static service](/nginx/how-to/access).
+For example, to connect to a Nginx static service with hostname = "app" and port = 80 from another service of the same project, simply use `app:80`. Read more about [how to access a Nginx static service](/references/networking/internal-access#basic-service-communication).
 
 :::info
 Do not use the port **:443**. All the incoming traffic is terminated on the Zerops internal balancer where the SSL certificate is installed and the request is forwarded to your Nginx static service as a **http://** on the port **:80**.
diff --git a/apps/docs/content/nginx/overview.mdx b/apps/docs/content/nginx/overview.mdx
index b06e2ae4..71bf2989 100644
--- a/apps/docs/content/nginx/overview.mdx
+++ b/apps/docs/content/nginx/overview.mdx
@@ -149,7 +149,7 @@ Have you build something that others might find useful? Don't hesitate to share
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/nodejs/how-to/access.mdx b/apps/docs/content/nodejs/how-to/access.mdx
deleted file mode 100644
index da787032..00000000
--- a/apps/docs/content/nodejs/how-to/access.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: How to access your Node.js application
-description: Learn more about how you can access your node.js application on Zerops.
----
-
-import { SetVar } from '/src/components/content/var';
-import AccessContent from '/src/components/content/access.mdx';
-
-<SetVar name="serviceDisplay" value="Node.js" />
-<SetVar name="servicePath" value="nodejs" />
-<SetVar name="defaultPort" value="3000" />
-
-<AccessContent />
\ No newline at end of file
diff --git a/apps/docs/content/nodejs/how-to/build-pipeline.mdx b/apps/docs/content/nodejs/how-to/build-pipeline.mdx
index 5c6d6396..dccd7f2b 100644
--- a/apps/docs/content/nodejs/how-to/build-pipeline.mdx
+++ b/apps/docs/content/nodejs/how-to/build-pipeline.mdx
@@ -518,7 +518,7 @@ _OPTIONAL._ Specifies one or more internal ports on which your application will
 
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
 
-For example, to connect to a Node.js service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Node.js service](/nodejs/how-to/access).
+For example, to connect to a Node.js service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Node.js service](/references/networking/internal-access#basic-service-communication).
 
 Each port has following attributes:
 
diff --git a/apps/docs/content/nodejs/overview.mdx b/apps/docs/content/nodejs/overview.mdx
index 4c70721c..34aff5ba 100644
--- a/apps/docs/content/nodejs/overview.mdx
+++ b/apps/docs/content/nodejs/overview.mdx
@@ -202,7 +202,7 @@ Have you build something that others might find useful? Don't hesitate to share
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/object-storage/overview.mdx b/apps/docs/content/object-storage/overview.mdx
index 1be0a2d0..717d60a3 100644
--- a/apps/docs/content/object-storage/overview.mdx
+++ b/apps/docs/content/object-storage/overview.mdx
@@ -60,7 +60,7 @@ Zerops Object storage is powered by [MinIO ↗](https://min.io/), a high-perform
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/php/how-to/access.mdx b/apps/docs/content/php/how-to/access.mdx
deleted file mode 100644
index b28b0356..00000000
--- a/apps/docs/content/php/how-to/access.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: How to access your PHP application
-description: Learn more about how you can access your PHP application on Zerops.
----
-
-import { SetVar } from '/src/components/content/var';
-import AccessContent from '/src/components/content/access.mdx';
-
-<SetVar name="serviceDisplay" value="PHP" />
-<SetVar name="servicePath" value="php" />
-<SetVar name="defaultPort" value="80" />
-
-<AccessContent />
\ No newline at end of file
diff --git a/apps/docs/content/php/how-to/build-pipeline.mdx b/apps/docs/content/php/how-to/build-pipeline.mdx
index 6b45db25..1a2880bc 100644
--- a/apps/docs/content/php/how-to/build-pipeline.mdx
+++ b/apps/docs/content/php/how-to/build-pipeline.mdx
@@ -522,7 +522,7 @@ If you want the web server to listen on other port(s) than `:80`, you must [cust
 
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
 
-For example, to connect to a PHP service with hostname = "app" and port = 80 from another service of the same project, simply use `app:80`. Read more about [how to access a PHP service](/php/how-to/access).
+For example, to connect to a PHP service with hostname = "app" and port = 80 from another service of the same project, simply use `app:80`. Read more about [how to access a PHP service](/references/networking/internal-access#basic-service-communication).
 
 :::info
 Do not use the port **:443**. All the incoming traffic is terminated on the Zerops internal balancer where the SSL certificate is installed and the request is forwarded to your PHP+Nginx / PHP+Apache service as a **http://** on the port **:80**.
diff --git a/apps/docs/content/php/overview.mdx b/apps/docs/content/php/overview.mdx
index 05da76df..79878892 100644
--- a/apps/docs/content/php/overview.mdx
+++ b/apps/docs/content/php/overview.mdx
@@ -182,7 +182,7 @@ Have you build something that others might find useful? Don't hesitate to share
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/postgresql/how-to/connect.mdx b/apps/docs/content/postgresql/how-to/connect.mdx
index 2adb5712..f01704b9 100644
--- a/apps/docs/content/postgresql/how-to/connect.mdx
+++ b/apps/docs/content/postgresql/how-to/connect.mdx
@@ -111,13 +111,13 @@ Zerops offers two methods for connecting to your PostgreSQL database from outsid
 You can securely connect to PostgreSQL from your local workstation via Zerops VPN:
 
 1. [Install & set up zCLI](/references/cli)
-2. [Start the Zerops VPN](/references/vpn#start-vpn)
+2. [Start the Zerops VPN](/references/networking/vpn#start-vpn)
 3. Use the connection details from Access Details in the PostgreSQL service detail in Zerops GUI
-4. When finished, [stop the Zerops VPN](/references/vpn#stop-vpn)
+4. When finished, [stop the Zerops VPN](/references/networking/vpn#stop-vpn)
 
 :::warning Important notes
 * Do not use SSL/TLS protocols when connecting over VPN. Security is provided by the VPN tunnel.
-* If your connection over VPN doesn't work, try adding `.zerops` suffix to the service hostname (e.g., `database1.zerops`). For additional help, check the [VPN troubleshooting page](/references/vpn/troubleshooting).
+* If your connection over VPN doesn't work, try adding `.zerops` suffix to the service hostname (e.g., `database1.zerops`). For additional help, check the [VPN troubleshooting page](/references/networking/vpn#troubleshooting).
 :::
 
 ### Method 2: Connect via Direct IP Access
@@ -129,7 +129,7 @@ Internally, port `5432` is available without SSL. Externally, connections are se
 #### Enable external access
 
 1. Navigate to your PostgreSQL service in the Zerops GUI and choose the **Public Access through IP Addresses** section
-2. Choose either IPv6 (available by default) or IPv4 (requires the [unique IPv4](/features/access#dedicated-ipv4-address-330-days) add-on)
+2. Choose either IPv6 (available by default) or IPv4 (requires the [unique IPv4](/references/networking/public-access#ipv4-configuration) add-on)
 3. Open one or more ports and point them to your PostgreSQL service (the system will direct them through pgBouncer)
    - Choose any port from 10-65435 (except 80 and 443)
    - Select destination service and internal port
diff --git a/apps/docs/content/postgresql/how-to/manage.mdx b/apps/docs/content/postgresql/how-to/manage.mdx
index c673ecbc..ba9d4df0 100644
--- a/apps/docs/content/postgresql/how-to/manage.mdx
+++ b/apps/docs/content/postgresql/how-to/manage.mdx
@@ -76,7 +76,7 @@ You can install these tools with a simple one-click import in Zerops:
 
 After installation, you can access these tools via VPN:
 
-1. [Start the Zerops VPN](/references/vpn)
+1. [Start the Zerops VPN](/references/networking/vpn)
 2. Type `http://adminerevo` or `http://phpmyadmin` in your browser
 
 :::tip
@@ -91,7 +91,7 @@ Do not use https when connecting to management tools via VPN.
 
 You can use various database management tools from your local workstation to connect to your PostgreSQL database in Zerops:
 
-1. **Establish a secure tunnel** using the [Zerops VPN](/references/vpn) to create an encrypted connection to your Zerops project
+1. **Establish a secure tunnel** using the [Zerops VPN](/references/networking/vpn) to create an encrypted connection to your Zerops project
 2. **Obtain the [connection details](/postgresql/how-to/connect#connection-details)** from Zerops GUI
     - Environment variables are not available through VPN connections
 3. Connect with your **preferred database tool**
diff --git a/apps/docs/content/postgresql/overview.mdx b/apps/docs/content/postgresql/overview.mdx
index a95b518d..7932f51a 100644
--- a/apps/docs/content/postgresql/overview.mdx
+++ b/apps/docs/content/postgresql/overview.mdx
@@ -143,7 +143,7 @@ Have you build something that others might find useful? Don't hesitate to share
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/python/how-to/access.mdx b/apps/docs/content/python/how-to/access.mdx
deleted file mode 100644
index 62a580f0..00000000
--- a/apps/docs/content/python/how-to/access.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: How to access your Python application
-description: Learn more about how you can access your Python application on Zerops.
----
-
-import { SetVar } from '/src/components/content/var';
-import AccessContent from '/src/components/content/access.mdx';
-
-<SetVar name="serviceDisplay" value="Python" />
-<SetVar name="servicePath" value="python" />
-<SetVar name="defaultPort" value="8000" />
-
-<AccessContent />
\ No newline at end of file
diff --git a/apps/docs/content/python/how-to/build-pipeline.mdx b/apps/docs/content/python/how-to/build-pipeline.mdx
index 35ae4563..bf947f19 100644
--- a/apps/docs/content/python/how-to/build-pipeline.mdx
+++ b/apps/docs/content/python/how-to/build-pipeline.mdx
@@ -467,7 +467,7 @@ _OPTIONAL._ Specifies one or more internal ports on which your application will
 
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
 
-For example, to connect to a Python service with hostname = "app" and port = 8000 from another service of the same project, simply use `app:8000`. Read more about [how to access a Python service](/python/how-to/access).
+For example, to connect to a Python service with hostname = "app" and port = 8000 from another service of the same project, simply use `app:8000`. Read more about [how to access a Python service](/references/networking/internal-access#basic-service-communication).
 
 Each port has following attributes:
 
diff --git a/apps/docs/content/python/overview.mdx b/apps/docs/content/python/overview.mdx
index 7de5e931..3f52ec30 100644
--- a/apps/docs/content/python/overview.mdx
+++ b/apps/docs/content/python/overview.mdx
@@ -181,7 +181,7 @@ Have you build something that others might find useful? Don't hesitate to share
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/references/cli/commands.mdx b/apps/docs/content/references/cli/commands.mdx
index 99d4309e..0da7bb0b 100644
--- a/apps/docs/content/references/cli/commands.mdx
+++ b/apps/docs/content/references/cli/commands.mdx
@@ -67,7 +67,7 @@ zcli vpn down
 ```
 
 :::note
-For more detailed information about Zerops VPN configuration and troubleshooting, visit the [VPN Documentation](/references/vpn).
+For more detailed information about Zerops VPN configuration and troubleshooting, visit the [VPN Documentation](/references/networking/vpn).
 :::
 
 ## Project Management
diff --git a/apps/docs/content/references/import.mdx b/apps/docs/content/references/import.mdx
index ef3a4987..bc99e772 100644
--- a/apps/docs/content/references/import.mdx
+++ b/apps/docs/content/references/import.mdx
@@ -144,47 +144,47 @@ The project configuration is used to define the project you want to import.
 
 ### Usage
 
-    <table className="w-full my-1.5">
-      <thead>
-        <tr>
-          <th className="w-fit">Field</th>
-          <th className="w-fit">Type</th>
-          <th className="w-fit">Description</th>
-        </tr>
-      </thead>
-      <tbody>
-        <tr>
-          <td className="w-fit font-semibold">project</td>
-          <td className="w-fit">object</td>
-          <td className="w-fit">_REQUIRED, if a whole project is imported_ <br/>Only one project can be defined.</td>
-        </tr>
-        <tr>
-          <td className="w-fit font-semibold">name</td>
-          <td className="w-fit">string, REQUIRED</td>
-          <td className="w-fit">The name of the new project. Duplicates are allowed.</td>
-        </tr>
-        <tr>
-          <td className="w-fit font-semibold">description</td>
-          <td className="w-fit">string</td>
-          <td className="w-fit">Description of the new project.</td>
-        </tr>
-        <tr>
-          <td className="w-fit font-semibold">corePackage</td>
-          <td className="w-fit">string</td>
-          <td className="w-fit">[Core package](/features/infrastructure#project-core-options) of the new project. <br/>Values: <b>LIGHT</b>/<b>SERIOUS</b> (default LIGHT)</td>
-        </tr>
-        <tr>
-          <td className="w-fit font-semibold">tags</td>
-          <td className="w-fit">list of strings</td>
-          <td className="w-fit">One or more string tags.<br/>Tags provide better orientation in projects.</td>
-        </tr>
-        <tr>
-          <td className="w-fit font-semibold">envVariables</td>
-          <td className="w-fit">map[string]string</td>
-          <td className="w-fit">[Project-level environment variables](/features/env-variables#project-variables) that are available to all services in the project.</td>
-        </tr>
-      </tbody>
-    </table>
+<table className="w-full my-1.5">
+  <thead>
+    <tr>
+      <th className="w-fit">Field</th>
+      <th className="w-fit">Type</th>
+      <th className="w-fit">Description</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td className="w-fit font-semibold">project</td>
+      <td className="w-fit">object</td>
+      <td className="w-fit">_REQUIRED, if a whole project is imported_ <br/>Only one project can be defined.</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold">name</td>
+      <td className="w-fit">string, REQUIRED</td>
+      <td className="w-fit">The name of the new project. Duplicates are allowed.</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold">description</td>
+      <td className="w-fit">string</td>
+      <td className="w-fit">Description of the new project.</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold">corePackage</td>
+      <td className="w-fit">string</td>
+      <td className="w-fit">[Core package](/features/infrastructure#project-core-options) of the new project. <br/>Values: <b>LIGHT</b>/<b>SERIOUS</b> (default LIGHT)</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold">tags</td>
+      <td className="w-fit">list of strings</td>
+      <td className="w-fit">One or more string tags.<br/>Tags provide better orientation in projects.</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold">envVariables</td>
+      <td className="w-fit">map[string]string</td>
+      <td className="w-fit">[Project-level environment variables](/features/env-variables#project-variables) that are available to all services in the project.</td>
+    </tr>
+  </tbody>
+</table>
 
 :::important
 The `corePackage` value can be upgraded later from Lightweight to Serious Core, but cannot be downgraded. Upgrades involve a brief service disruption and are partially destructive (logs/statistics are lost). Make sure to choose a suitable core package for your project. Learn more about [core upgrade process](/features/infrastructure#project-core-upgrade).
@@ -329,10 +329,7 @@ This example includes all possible configuration options for Zerops services. No
 
 ### Service Basic Configuration
 
-<Dropdown>
-  <DropdownItem title="Service Structure Parameters">
-
-    <table className="w-full my-1.5">
+<table className="w-full my-1.5">
   <thead>
     <tr>
       <th className="w-fit">Field</th>
@@ -429,10 +426,10 @@ This example includes all possible configuration options for Zerops services. No
       </td>
     </tr>
   </tbody>
-    </table>
-  </DropdownItem>
-</Dropdown>
+</table>
 
+<Dropdown>
+<DropdownItem title="Service Basic Configuration Example">
 ```yaml
 #yamlPreprocessor=on
 services:
@@ -473,6 +470,8 @@ This yaml will create a `nodejs@latest` service named `app` in `HA` (High-Availa
 - Public access enabled via Zerops subdomain
 - Priority: 1
 - Override existing service: `false`
+</DropdownItem>
+</Dropdown>
 
 The `services` object allows you to define one or more services in the same yaml file.
 
@@ -484,9 +483,6 @@ The `yamlPreprocessor` option in your project & service import YAML is required
 
 The vertical autoscaling configuration defines how the service can scale its resources vertically.
 
-<Dropdown>
-  <DropdownItem title="Vertical Autoscaling Structure Parameters">
-
 <table className="w-full my-1.5">
   <thead>
     <tr>
@@ -576,9 +572,9 @@ The vertical autoscaling configuration defines how the service can scale its res
     </tr>
   </tbody>
 </table>
-  </DropdownItem>
-</Dropdown>
 
+<Dropdown>
+<DropdownItem title="Vertical Autoscaling Configuration Example">
 ```yaml
 services:
   - hostname: app
@@ -606,6 +602,9 @@ This yaml will create a service with the hostname `app` with `php-nginx@8.4` run
 - RAM: `1-4 GB`
 - Disk Space: `1-10 GB`
 
+</DropdownItem>
+</Dropdown>
+
 ### Service Horizontal Autoscaling
 
 The horizontal autoscaling configuration is used to define the horizontal autoscaling settings for the service.
diff --git a/apps/docs/content/features/cloudflare.mdx b/apps/docs/content/references/networking/cloudflare.mdx
similarity index 94%
rename from apps/docs/content/features/cloudflare.mdx
rename to apps/docs/content/references/networking/cloudflare.mdx
index 09a56f24..147abde9 100644
--- a/apps/docs/content/features/cloudflare.mdx
+++ b/apps/docs/content/references/networking/cloudflare.mdx
@@ -1,5 +1,5 @@
 ---
-title: Cloudflare DNS Configuration for Zerops
+title: Cloudflare Configuration for Zerops
 description: Complete guide for configuring Cloudflare DNS records and proxy settings with your Zerops applications, including SSL/TLS setup and troubleshooting.
 ---
 
@@ -10,7 +10,7 @@ This guide provides step-by-step instructions for configuring Cloudflare to work
 Before starting, ensure you have:
 - A Cloudflare account
 - A registered domain name
-- Access to your Zerops project with [domain access configured](/features/access#public-access-through-your-domain)
+- Access to your Zerops project with [domain access configured](/references/networking/public-access#custom-domain-access)
 - Your Zerops IP addresses (IPv4 and/or IPv6) from the Zerops GUI
 
 ## DNS Record Configuration
@@ -70,7 +70,7 @@ AAAA    <your-domain>     <your-project-ipv6>    DNS only       Auto
 Uses Zerops' free shared IPv4.
 
 :::note Both A + AAAA Required
-Adding AAAA record is essential for shared IPv4 configuration as it serves as a [security measure](/features/dns#understand-shared-ipv4) to prevent unauthorized domain claims.
+Adding AAAA record is essential for shared IPv4 configuration as it serves as a [security measure](/references/networking/dns#understand-shared-ipv4) to prevent unauthorized domain claims.
 :::
 
 #### Dedicated IPv4
@@ -160,7 +160,7 @@ CNAME   _acme-challenge.<subdomain>.<your-domain>   <subdomain>.<your-domain>.ze
 
 ### Combining Main Domain and Wildcard Domain
 
-To use both `<your-domain>` and `*.<your-domain>`, specify both variants in your [Zerops configuration](/features/access#configuring-http-routing). Zerops automatically issues a single shared certificate for both the main domain and all its subdomains.
+To use both `<your-domain>` and `*.<your-domain>`, specify both variants in your [Zerops configuration](/references/networking/public-access#http-routing-setup). Zerops automatically issues a single shared certificate for both the main domain and all its subdomains.
 
 ## Cloudflare SSL/TLS Configuration
 
@@ -276,7 +276,7 @@ curl -6 -v https://<your-domain>
 ## Getting Help
 
 If you encounter issues not covered in this guide:
-- Check the [general DNS configuration guide](/features/dns#technical-background) for additional context
+- Check the [general DNS configuration guide](/references/networking/dns#technical-background) for additional context
 - Review your Zerops service logs for error messages
 - Verify your configuration against Cloudflare's documentation
 - Test with simple curl commands to isolate the problem
diff --git a/apps/docs/content/features/dns.mdx b/apps/docs/content/references/networking/dns.mdx
similarity index 96%
rename from apps/docs/content/features/dns.mdx
rename to apps/docs/content/references/networking/dns.mdx
index 9467743d..6d712559 100644
--- a/apps/docs/content/features/dns.mdx
+++ b/apps/docs/content/references/networking/dns.mdx
@@ -6,7 +6,7 @@ desc: A comprehensive guide for configuring DNS records and proxy settings with
 This guide will show you how to configure DNS records and proxy settings to work with your Zerops applications.
 
 :::important Cloudflare
-If you're using Cloudflare, check out our dedicated [Cloudflare DNS Configuration Guide](/features/cloudflare) for step-by-step instructions specific to Cloudflare's interface and features.
+If you're using Cloudflare, check out our dedicated [Cloudflare DNS Configuration Guide](/references/networking/cloudflare) for step-by-step instructions specific to Cloudflare's interface and features.
 :::
 
 ## DNS Configuration
@@ -153,7 +153,7 @@ CNAME   _acme-challenge.<subdomain>.<your-domain>   <subdomain>.<your-domain>.ze
 
 ### Combining Main Domain and Wildcard Domain
 
-To use both `<your-domain>` and `*.<your-domain>`, specify both variants in your [Zerops configuration](/features/access#configuring-http-routing). Zerops automatically issues a single shared certificate for both the main domain and all its subdomains.
+To use both `<your-domain>` and `*.<your-domain>`, specify both variants in your [Zerops configuration](/references/networking/public-access#http-routing-setup). Zerops automatically issues a single shared certificate for both the main domain and all its subdomains.
 
 ## Validation Steps
 
diff --git a/apps/docs/content/references/firewall.mdx b/apps/docs/content/references/networking/firewall.mdx
similarity index 100%
rename from apps/docs/content/references/firewall.mdx
rename to apps/docs/content/references/networking/firewall.mdx
diff --git a/apps/docs/content/references/networking/internal-access.mdx b/apps/docs/content/references/networking/internal-access.mdx
new file mode 100644
index 00000000..9a1116e0
--- /dev/null
+++ b/apps/docs/content/references/networking/internal-access.mdx
@@ -0,0 +1,131 @@
+---
+title: Internal Access Configuration
+description: Guide for internal service communication and accessing your project's private network within Zerops.
+---
+
+This guide covers internal communication between services and methods for accessing your project's private network. For an overview of all access methods, see the [Access & Networking guide](/features/access).
+
+## Internal Access Methods
+
+Choose the access method that fits your needs:
+
+- **[Service-to-Service Communication](#service-to-service-communication)** - Direct communication between services in the same project
+- **[Environment Variables](#environment-variables)** - Share configuration and credentials between services
+- **[External Access to Private Network](#external-access-to-private-network)** - Connect from outside the project using VPN or SSH
+
+## Service-to-Service Communication
+
+Every Zerops project includes a dedicated private network that automatically connects all services within the project.
+
+### Network Architecture
+
+**Automatic Service Discovery:**
+- All services communicate directly using service hostnames
+- No manual network configuration required
+- Traffic stays isolated within your project's private network
+
+### Basic Service Communication
+
+Connect to any service within the same project using the service hostname and internal port, e.g.:
+
+```bash
+# Connect to 'api' service on port 3000
+http://api:3000/health
+```
+
+:::note
+Do not use `https://` when communicating between runtime services in the same project. The internal communication is done over a private network and is isolated from other projects.
+:::
+
+### Internal Ports Configuration
+
+Services expose internal ports for communication within the project:
+
+- **Define ports** in your service's `zerops.yaml` [configuration](/zerops-yaml/specification#ports-)
+- **HTTP ports** are accessible for web traffic between services
+- **TCP/UDP ports** support database connections and custom protocols
+- **Multiple ports** can be exposed per service for different purposes
+
+:::tip Connect from another project
+To connect to a service from **another Zerops project**, you'll need to use [public access methods](/references/networking/public-access) since different projects don't share private networks.
+:::
+
+### Environment Variables
+
+Zerops creates default environment variables for each service to help you with connection within the same project. To avoid the need to copy the access parameters manually, use generated environment variables of the service.
+
+#### Generated Environment Variables
+
+Each service automatically receives environment variables containing connection details for other services in the project:
+
+```bash
+# Database connection variables
+DATABASE_HOST=postgres
+DATABASE_PORT=5432
+DATABASE_URL=postgresql://app_user:secure_password@postgres:5432/myapp
+```
+
+#### Prefix the environment variable key
+
+All services of the same project can reference environment variables from other services. To use an environment variable from one service in another service in the same project, you must prefix the environment variable key with the service hostname and underscore.
+
+**Example:**
+
+To access the `API_TOKEN` env variable of the `app` service, use `app_API_TOKEN` as the env variable key.
+
+:::tip Environment Variables Guide
+For complete information on environment variable types, isolation, and management, see the [Environment Variables Reference](/features/env-variables).
+:::
+
+## External Access to Private Network
+
+Access your project's private network from external locations for development and administration.
+
+### VPN Access
+
+You can securely connect to your application from your local workspace via Zerops VPN. Zerops VPN client is included into zCLI, the Zerops command-line tool.
+
+#### Start VPN connection
+
+To start a VPN connection to the selected Zerops project, follow these steps:
+
+1. [Install & setup zCLI](/references/cli)
+2. [Start the Zerops VPN](/references/networking/vpn#start-vpn)
+
+#### Access application through VPN
+
+Once the VPN session is established, you have the secured connection to the project's private network in Zerops. You can access all project services locally by using their hostname. The only difference is that no environment variables are available when connected through VPN. To connect to your application in Zerops set the hostname and internal port e.g. `http://app:3000`
+
+:::info
+Do not use `https://` when communicating over the VPN. The security is assured by the VPN. The internal communication is done over a private network and is isolated from other projects.
+:::
+
+:::tip VPN Setup
+For complete VPN setup, configuration, and troubleshooting, see the [VPN Reference Guide](/references/networking/vpn).
+:::
+
+### SSH Access
+
+Use [SSH](/references/networking/ssh) to connect to your service for debugging and system administration.
+
+```bash
+# Connect to a specific service
+ssh <service-name>
+```
+
+**Important:** SSH access is temporary and changes are not persistent across deployments.
+
+:::tip SSH Configuration
+For complete SSH documentation, access control, and advanced usage, see the [SSH Reference Guide].
+:::
+
+:::note
+When you're finished working with internal access over VPN, [stop the Zerops VPN](/references/networking/vpn#stop-vpn) in zCLI.
+:::
+
+## Next Steps
+
+- **Public access configuration:** [Public Access Reference Guide](/references/networking/public-access)
+- **Environment variables:** [Environment Variables Reference](/features/env-variables)
+- **VPN setup:** [VPN Reference Guide](/references/networking/vpn)
+- **SSH access:** [SSH Reference Guide](/references/networking/ssh)
\ No newline at end of file
diff --git a/apps/docs/content/references/networking/l7-balancer-config.mdx b/apps/docs/content/references/networking/l7-balancer-config.mdx
new file mode 100644
index 00000000..4da5ff73
--- /dev/null
+++ b/apps/docs/content/references/networking/l7-balancer-config.mdx
@@ -0,0 +1,481 @@
+---
+title: L7 Balancer Configuration & Advanced Routing
+description: Complete reference guide to Zerops L7 HTTP balancer settings, advanced routing features, and networking infrastructure.
+---
+
+import Image from '/src/components/Image';
+
+This guide provides comprehensive documentation for Zerops L7 HTTP balancer configuration and advanced routing features. For basic setup instructions, see the [Domain & Access Configuration](/features/access) guide.
+
+The L7 HTTP Balancer handles all HTTP/HTTPS traffic and provides advanced application-layer capabilities:
+
+**Functions:**
+- SSL/TLS termination with automatic certificate management
+- Domain routing and virtual host management
+- Load balancing across multiple service instances
+- Advanced routing features (redirects, access policies, rate limiting)
+- Performance optimization through caching and compression
+
+**Architecture:**
+- Deployed in two containers for high availability
+- Scales automatically based on traffic patterns
+- Integrated with Let's Encrypt for SSL certificates
+- Configurable through advanced balancer settings
+
+## L7 HTTP Balancer Configuration
+
+Access the advanced balancer configuration through your project's HTTP Balancer section → **Advanced balancer configuration**.
+
+### Connection Handling
+
+Configure how the balancer manages client connections:
+
+<table className="w-full my-1.5">
+  <thead>
+    <tr>
+      <th className="w-fit whitespace-nowrap">Setting</th>
+      <th className="w-fit whitespace-nowrap">Default</th>
+      <th className="w-fit whitespace-nowrap">Range</th>
+      <th className="w-fit whitespace-nowrap">Parameter</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Maximum simultaneous connections per worker</td>
+      <td className="w-fit whitespace-nowrap">4000</td>
+      <td className="w-fit whitespace-nowrap">1024-65535</td>
+      <td className="w-fit whitespace-nowrap">worker_connections</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Accept multiple connections at once</td>
+      <td className="w-fit whitespace-nowrap">on</td>
+      <td className="w-fit whitespace-nowrap">on/off</td>
+      <td className="w-fit whitespace-nowrap">multi_accept</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">How long to keep idle connections open</td>
+      <td className="w-fit whitespace-nowrap">30s</td>
+      <td className="w-fit whitespace-nowrap">1s-300s</td>
+      <td className="w-fit whitespace-nowrap">keepalive_timeout</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Maximum number of requests per connection</td>
+      <td className="w-fit whitespace-nowrap">100000</td>
+      <td className="w-fit whitespace-nowrap">1-1000000</td>
+      <td className="w-fit whitespace-nowrap">keepalive_requests</td>
+    </tr>
+  </tbody>
+</table>
+
+:::tip Recommendations
+- **High-traffic websites**: Increase `worker_connections` to 8000 or higher
+- **API services**: Adjust `keepalive_timeout` to 60 for longer connections
+- **WebSocket applications**: Increase `keepalive_timeout` for persistent connections
+:::
+
+### Client Request Settings
+
+Control how the balancer handles incoming requests:
+
+<table className="w-full my-1.5">
+  <thead>
+    <tr>
+      <th className="w-fit whitespace-nowrap">Setting</th>
+      <th className="w-fit whitespace-nowrap">Default</th>
+      <th className="w-fit whitespace-nowrap">Range</th>
+      <th className="w-fit whitespace-nowrap">Parameter</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Timeout for receiving client request header</td>
+      <td className="w-fit whitespace-nowrap">10s</td>
+      <td className="w-fit whitespace-nowrap">1s-300s</td>
+      <td className="w-fit whitespace-nowrap">client_header_timeout</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Timeout for receiving client request body</td>
+      <td className="w-fit whitespace-nowrap">10s</td>
+      <td className="w-fit whitespace-nowrap">1s-300s</td>
+      <td className="w-fit whitespace-nowrap">client_body_timeout</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Maximum allowed size of client request body</td>
+      <td className="w-fit whitespace-nowrap">512m</td>
+      <td className="w-fit whitespace-nowrap">1k-2048m</td>
+      <td className="w-fit whitespace-nowrap">client_max_body_size</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Reset connections that have timed out</td>
+      <td className="w-fit whitespace-nowrap">on</td>
+      <td className="w-fit whitespace-nowrap">on/off</td>
+      <td className="w-fit whitespace-nowrap">reset_timedout_connection</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Timeout for transmitting response to client</td>
+      <td className="w-fit whitespace-nowrap">2s</td>
+      <td className="w-fit whitespace-nowrap">1s-300s</td>
+      <td className="w-fit whitespace-nowrap">send_timeout</td>
+    </tr>
+  </tbody>
+</table>
+
+:::tip Recommendations
+- **File upload services**: Increase `client_body_timeout` and `client_max_body_size` to accommodate large files
+- **Slow clients**: Increase header and body timeouts
+- **API endpoints**: Set `client_max_body_size` according to your API payload requirements
+:::
+
+### Buffer Settings
+
+Optimize memory usage for request and response handling:
+
+<table className="w-full my-1.5">
+  <thead>
+    <tr>
+      <th className="w-fit whitespace-nowrap">Setting</th>
+      <th className="w-fit whitespace-nowrap">Default</th>
+      <th className="w-fit whitespace-nowrap">Range</th>
+      <th className="w-fit whitespace-nowrap">Parameter</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Size of buffer for client request header</td>
+      <td className="w-fit whitespace-nowrap">1k</td>
+      <td className="w-fit whitespace-nowrap">1k-64k</td>
+      <td className="w-fit whitespace-nowrap">client_header_buffer_size</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Number of buffers for large client headers</td>
+      <td className="w-fit whitespace-nowrap">4</td>
+      <td className="w-fit whitespace-nowrap">1-16</td>
+      <td className="w-fit whitespace-nowrap">large_client_header_buffers_number</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Size of buffers for large client headers</td>
+      <td className="w-fit whitespace-nowrap">8k</td>
+      <td className="w-fit whitespace-nowrap">1k-64k</td>
+      <td className="w-fit whitespace-nowrap">large_client_header_buffers_size</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Size of buffer for client request body</td>
+      <td className="w-fit whitespace-nowrap">16k</td>
+      <td className="w-fit whitespace-nowrap">1k-1m</td>
+      <td className="w-fit whitespace-nowrap">client_body_buffer_size</td>
+    </tr>
+  </tbody>
+</table>
+
+:::tip Recommendations
+- **Large headers**: Increase header buffer sizes for applications with extensive headers
+- **File uploads**: Optimize `client_body_buffer_size` based on typical upload sizes
+- **Memory optimization**: Tune based on available memory and connection patterns
+:::
+
+### Proxy Settings
+
+Configure how the balancer communicates with backend services:
+
+<table className="w-full my-1.5">
+  <thead>
+    <tr>
+      <th className="w-fit whitespace-nowrap">Setting</th>
+      <th className="w-fit whitespace-nowrap">Parameter</th>
+      <th className="w-fit whitespace-nowrap">Default</th>
+      <th className="w-fit whitespace-nowrap">Range</th>
+      <th className="w-full">Description</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Enable buffering of client request body</td>
+      <td className="w-fit whitespace-nowrap">proxy_request_buffering</td>
+      <td className="w-fit whitespace-nowrap">off</td>
+      <td className="w-fit whitespace-nowrap">on/off</td>
+      <td className="w-full">Buffer client request bodies before forwarding</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Enable buffering of responses from proxied server</td>
+      <td className="w-fit whitespace-nowrap">proxy_buffering</td>
+      <td className="w-fit whitespace-nowrap">on</td>
+      <td className="w-fit whitespace-nowrap">on/off</td>
+      <td className="w-full">Buffer responses from backend services</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Size of the buffer used for reading the first part of the response</td>
+      <td className="w-fit whitespace-nowrap">proxy_buffer_size</td>
+      <td className="w-fit whitespace-nowrap">32k</td>
+      <td className="w-fit whitespace-nowrap">1k-256k</td>
+      <td className="w-full">Buffer size for first part of backend response</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Number of buffers used for reading a response from the proxied server</td>
+      <td className="w-fit whitespace-nowrap">proxy_buffers_number</td>
+      <td className="w-fit whitespace-nowrap">4</td>
+      <td className="w-fit whitespace-nowrap">1-16</td>
+      <td className="w-full">Number of buffers for reading backend responses</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Size of buffers for reading a response from the proxied server</td>
+      <td className="w-fit whitespace-nowrap">proxy_buffers_size</td>
+      <td className="w-fit whitespace-nowrap">256k</td>
+      <td className="w-fit whitespace-nowrap">1k-1m</td>
+      <td className="w-full">Size of buffers for reading backend responses</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Size of buffers that can be busy sending response to the client</td>
+      <td className="w-fit whitespace-nowrap">proxy_busy_buffers_size</td>
+      <td className="w-fit whitespace-nowrap">256k</td>
+      <td className="w-fit whitespace-nowrap">1k-1m</td>
+      <td className="w-full">Size of buffers for sending response to client</td>
+    </tr>
+  </tbody>
+</table>
+
+:::tip Recommendations
+- **Real-time APIs**: Set `proxy_buffering` to off for lower latency
+- **Large responses**: Increase `proxy_buffer_size` for handling larger API responses
+- **Multimedia streaming**: Increase `proxy_buffers_size` and `proxy_buffers_number` for larger content
+:::
+
+### Performance Optimization
+
+Enable various performance enhancements:
+
+<table className="w-full my-1.5">
+  <thead>
+    <tr>
+      <th className="w-fit whitespace-nowrap">Setting</th>
+      <th className="w-fit whitespace-nowrap">Default</th>
+      <th className="w-fit whitespace-nowrap">Range</th>
+      <th className="w-fit whitespace-nowrap">Parameter</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Use sendfile() for file transfers</td>
+      <td className="w-fit whitespace-nowrap">on</td>
+      <td className="w-fit whitespace-nowrap">on/off</td>
+      <td className="w-fit whitespace-nowrap">sendfile</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Enable TCP_NOPUSH socket option</td>
+      <td className="w-fit whitespace-nowrap">on</td>
+      <td className="w-fit whitespace-nowrap">on/off</td>
+      <td className="w-fit whitespace-nowrap">tcp_nopush</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Enable TCP_NODELAY socket option</td>
+      <td className="w-fit whitespace-nowrap">on</td>
+      <td className="w-fit whitespace-nowrap">on/off</td>
+      <td className="w-fit whitespace-nowrap">tcp_nodelay</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Enable gzip compression</td>
+      <td className="w-fit whitespace-nowrap">on</td>
+      <td className="w-fit whitespace-nowrap">on/off</td>
+      <td className="w-fit whitespace-nowrap">gzip</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Rate limit for response transmission (0 = no limit)</td>
+      <td className="w-fit whitespace-nowrap">0</td>
+      <td className="w-fit whitespace-nowrap">0-1000m</td>
+      <td className="w-fit whitespace-nowrap">limit_rate</td>
+    </tr>
+  </tbody>
+</table>
+
+:::tip Recommendations
+- **File serving**: Ensure `sendfile` and `tcp_nopush` are enabled for static content
+- **Real-time applications**: Verify `tcp_nodelay` is enabled
+- **Bandwidth control**: Use `limit_rate` for traffic shaping
+- **Multimedia streaming**: Enable `sendfile` and `tcp_nopush` for optimal streaming performance
+:::
+
+### File Cache Settings
+
+Optimize file system operations:
+
+<table className="w-full my-1.5">
+  <thead>
+    <tr>
+      <th className="w-fit whitespace-nowrap">Setting</th>
+      <th className="w-fit whitespace-nowrap">Default</th>
+      <th className="w-fit whitespace-nowrap">Range</th>
+      <th className="w-fit whitespace-nowrap">Parameter</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Cache open file descriptors</td>
+      <td className="w-fit whitespace-nowrap">on</td>
+      <td className="w-fit whitespace-nowrap">on/off</td>
+      <td className="w-fit whitespace-nowrap">open_file_cache</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Maximum number of elements in file cache</td>
+      <td className="w-fit whitespace-nowrap">200000</td>
+      <td className="w-fit whitespace-nowrap">1000-1000000</td>
+      <td className="w-fit whitespace-nowrap">open_file_cache_max</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Time after which unused cache elements are removed</td>
+      <td className="w-fit whitespace-nowrap">20s</td>
+      <td className="w-fit whitespace-nowrap">1s-300s</td>
+      <td className="w-fit whitespace-nowrap">open_file_cache_inactive</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Time interval for checking cached elements validity</td>
+      <td className="w-fit whitespace-nowrap">30s</td>
+      <td className="w-fit whitespace-nowrap">1s-300s</td>
+      <td className="w-fit whitespace-nowrap">open_file_cache_valid</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Minimum file uses to remain in cache</td>
+      <td className="w-fit whitespace-nowrap">2</td>
+      <td className="w-fit whitespace-nowrap">1-100</td>
+      <td className="w-fit whitespace-nowrap">open_file_cache_min_uses</td>
+    </tr>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Cache file lookup errors</td>
+      <td className="w-fit whitespace-nowrap">on</td>
+      <td className="w-fit whitespace-nowrap">on/off</td>
+      <td className="w-fit whitespace-nowrap">open_file_cache_errors</td>
+    </tr>
+  </tbody>
+</table>
+
+:::tip Recommendations
+- **Static file serving**: Increase cache size and adjust timeouts
+- **Development**: Reduce validation timeout for faster file updates
+- **High I/O applications**: Optimize based on file access patterns
+:::
+
+### Security Settings
+
+Configure security-related options:
+
+<table className="w-full my-1.5">
+  <thead>
+    <tr>
+      <th className="w-fit whitespace-nowrap">Setting</th>
+      <th className="w-fit whitespace-nowrap">Default</th>
+      <th className="w-fit whitespace-nowrap">Parameter</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td className="w-fit font-semibold whitespace-nowrap">Emit nginx version in error messages and headers</td>
+      <td className="w-fit whitespace-nowrap">off</td>
+      <td className="w-fit whitespace-nowrap">server_tokens</td>
+    </tr>
+  </tbody>
+</table>
+
+**Best Practice:** Keep `server_tokens` disabled to avoid revealing server information.
+
+## Advanced Routing Features
+
+The L7 HTTP Balancer supports sophisticated routing beyond basic domain mapping.
+
+Access the advanced location configuration through your project's HTTP Balancer section → click the **gear/settings icon** next to any domain location to open the **Advanced Location Configuration** dialog.
+
+### Redirect Configuration
+
+Redirect requests to different URLs with full control:
+
+**Configuration Options:**
+- **Redirect URL**: Destination for redirected requests
+- **Redirect Code**: HTTP status code for redirection (e.g., 301, 302, 307, 308)
+- **Preserve Path**: Keep original path in redirect URL
+- **Preserve Query**: Keep original query parameters in redirect URL
+
+<p align="center">
+  <img
+    src="/img/screenshots/redirect.png"
+    alt="Redirect Configuration"
+    width="50%"
+    height="auto"
+  />
+</p>
+
+### Access Policy Configuration
+
+Implement IP-based access control. If the request fails the check, a 403 Forbidden error is returned:
+
+**Policy Types:**
+- **Default Policy**: `allow` or `deny`
+- **CIDR Blocks**: List of IP addresses/ranges that will have the opposite policy than the default
+
+**Supported Formats:**
+- IPv4 address: `192.168.1.1`
+- IPv4 range: `192.168.1.0/24`
+- IPv6 address: `2001:db8::1`
+- IPv6 range: `2001:db8::/32`
+
+<p align="center">
+  <img
+    src="/img/screenshots/access_policy.png"
+    alt="Access Policy Configuration"
+    width="50%"
+    height="auto"
+  />
+</p>
+
+### Rate Limiting Configuration
+
+Protect against abuse and ensure fair resource usage. When the rate limit is exceeded, requests are delayed (burst). If they cannot be processed in time, a 503 Service Temporarily Unavailable error is returned:
+
+**Configuration Parameters:**
+- **Rate Limit Key**: `binary_remote_addr` (per IP) or `server_name` (per domain)
+- **Rate**: Requests per second to allow
+- **Burst**: Number of requests to queue when rate exceeded
+- **Zone Name**: Memory zone for storing rate limiting state
+- **Zone Size**: Memory allocated for rate limiting data (in MB)
+
+<p align="center">
+  <img
+    src="/img/screenshots/rate_limiting.png"
+    alt="Rate Limiting Configuration"
+    width="50%"
+    height="auto"
+  />
+</p>
+
+### Basic Authentication
+
+Add HTTP Basic Authentication to protected resources:
+
+**Configuration:**
+- **Realm**: Authentication realm name
+- **Users**: Username and password combinations
+
+<p align="center">
+  <img
+    src="/img/screenshots/basic_auth.png"
+    alt="Basic Auth Configuration"
+    width="50%"
+    height="auto"
+  />
+</p>
+
+### Custom Content Responses
+
+Return custom content for specific conditions:
+
+**Configuration:**
+- **HTTP Status Code**: Any valid status code (200, 404, 503, etc.)
+- **Content**: Response body content
+- **Content Type**: MIME type (default: text/plain)
+
+<p align="center">
+  <img
+    src="/img/screenshots/custom_content.png"
+    alt="Custom Content Configuration"
+    width="50%"
+    height="auto"
+  />
+</p>
+
+*Need help? Join our [Discord community](https://discord.gg/zeropsio).*
\ No newline at end of file
diff --git a/apps/docs/content/references/networking/public-access.mdx b/apps/docs/content/references/networking/public-access.mdx
new file mode 100644
index 00000000..b85db7de
--- /dev/null
+++ b/apps/docs/content/references/networking/public-access.mdx
@@ -0,0 +1,264 @@
+---
+title: Public Access Configuration
+description: Detailed guide for configuring public internet access to your Zerops services through subdomains, custom domains, and direct port access.
+---
+
+import Image from '/src/components/Image';
+import GroupCards from '/src/components/GroupCards'
+import Video from '/src/components/Video';
+
+export const languages = [
+    { name: "Bun", link: "/java/how-to/build-pipeline#ports" },
+    { name: "Deno", link: "/go/how-to/build-pipeline#ports" },
+    { name: ".NET", link: "/dotnet/how-to/build-pipeline#ports" },
+    { name: "Elixir", link: "/php/how-to/build-pipeline#ports" },
+    { name: "Gleam", link: "/dotnet/how-to/build-pipeline#ports" },
+    { name: "Go", link: "/go/how-to/build-pipeline#ports" },
+    { name: "Java", link: "/java/how-to/build-pipeline#ports" },
+    { name: "Node.js", link: "/nodejs/how-to/build-pipeline#ports" },
+    { name: "PHP", link: "/php/how-to/build-pipeline#ports" },
+    { name: "Python", link: "/python/how-to/build-pipeline#ports" },
+    { name: "Rust", link: "/rust/how-to/build-pipeline#ports" },
+]
+
+This guide provides detailed configuration instructions for making your Zerops services publicly accessible from the internet. For an overview of all access methods, see the [Access & Networking guide](/features/access).
+
+## Public Access Methods
+
+Choose the access method that best fits your needs:
+
+- **[Zerops Subdomain Access](#zerops-subdomain-access)** - Quick setup with `.zerops.app` domains, ideal for development and testing
+- **[Custom Domain Access](#custom-domain-access)** - Production-ready access through your own domains with full SSL support
+- **[Direct Port Access](#direct-port-access)** - Direct port routing for non-HTTP protocols and specialized applications
+
+## Zerops Subdomain Access
+
+Zerops subdomains provide quick public access through `.zerops.app` addresses, ideal for development and testing environments.
+
+### Configuration
+
+1. Navigate to your service detail page in Zerops GUI
+2. Select **Subdomain & domain & IP access** from the left menu (for runtime services)
+3. Toggle the **Zerops subdomain access** switch
+
+<p align="center">
+  <Image
+    lightImage="/img/gui/public-access.webp"
+    darkImage="/img/gui/public-access.webp"
+    alt="Public Access"
+    style={{ width: '90%', height: 'auto' }}
+  />
+</p>
+
+Once enabled, Zerops assigns a unique subdomain for your application. If you've defined multiple [internal ports](/zerops-yaml/specification#ports-) with HTTP support in your `zerops.yaml`, each port receives its own unique `.zerops.app` subdomain.
+
+<GroupCards heading="Configure internal ports for your Runtime" items={languages} />
+
+### Technical Implementation
+
+When using Zerops subdomains:
+- Access your application using the `https://` protocol (Zerops automatically manages SSL certificates)
+- Traffic flows through a central HTTP balancer that:
+  - Terminates SSL connections
+  - Forwards requests to your application via HTTP
+  - Handles all security certificates
+
+### Limitations
+
+:::warning Production Considerations
+- The central HTTPS balancer is shared across all Zerops projects, which creates a scalability bottleneck
+- Maximum upload size is limited to 50MB
+- Not recommended for production traffic due to scalability bottleneck
+- Better suited for development and testing environments
+:::
+
+## Custom Domain Access
+
+Custom domain access provides production-ready public access through your own domain names, offering better performance and full control over domain settings.
+
+<p align="center">
+  <Image
+    lightImage="/img/gui/public-access-domain.webp"
+    darkImage="/img/gui/public-access-domain.webp"
+    alt="Public Access"
+    style={{ width: '65%', height: 'auto' }}
+  />
+</p>
+
+### IP Address Configuration
+
+Before setting up domain access, you need to configure public IP addresses. Zerops offers the following options:
+
+#### IPv4 Configuration
+
+**Dedicated IPv4 Address ($3/30 days)**
+- Dedicated to your project and shared across all project services
+- One IPv4 address per project limit
+- Protects against blacklisting risks associated with shared IPs
+- Subscription automatically renews every 30 days *(cannot be purchased with promo credit)*
+- Fee is non-refundable but address can be reused in another project until subscription ends
+- **Recommended for production workloads**
+
+**Shared IPv4 Address (Free)**
+- Available at no cost
+- Shared across all Zerops users and their projects
+- Limitations:
+  - For HTTP/HTTPS traffic only
+  - Restricted number of open connections
+  - Shorter connection timeouts
+- **Not recommended for production use**
+
+#### IPv6 Configuration
+
+**IPv6 Address (Free)**
+- Dedicated to your project and shared across all project services
+- One IPv6 address per project limit
+- Automatically activated with first domain setup
+- Available for all projects at no additional cost
+
+:::tip Dual Stack Recommendation
+Since IPv6 support is not universal, using both IPv4 and IPv6 is recommended for maximum accessibility.
+:::
+
+### HTTP Routing Setup
+
+To configure domain access:
+
+1. Go to your service detail page in Zerops GUI and select **Subdomain & domain & IP access** (or access from project's **Project & Services Access Overview** section → **HTTP Balancer (L7) Configuration & Public Access Through Domains**)
+   - For advanced L7 balancer settings (connection handling, buffers, performance optimization), click **Advanced balancer configuration**
+2. Click **Setup first domain access**
+3. Configure domain settings:
+   - Enter domain names (e.g., `mydomain.com`, `app.mydomain.com`)
+   - Add multiple domains if needed (useful for multi-language sites)
+   - Choose SSL certificate management
+4. Define routing rules:
+   - **Source:** The public path (the part of URL after your domain)
+   - **Destination:** Choose which application and internal port receives the traffic
+   - Add multiple routing configurations as needed
+
+:::tip Alternative Access
+Domain configuration can also be accessed from individual service pages under **Subdomain & domain & IP access**.
+:::
+
+All settings can be modified later as your needs change.
+
+<Video
+  width="80%"
+  autoplay="true"
+  loop="loop"
+  muted="muted"
+  preload="none"
+  src="/vids/routes.webm"
+  plays-inline="true"
+/>
+
+### DNS Configuration
+
+After setting up domain access in Zerops, configure your DNS records with your domain registrar:
+
+:::tip DNS Configuration Guides
+- **Cloudflare users:** Follow the [Cloudflare DNS Configuration Guide](/references/networking/cloudflare) for step-by-step Cloudflare-specific instructions
+- **Other providers:** Use the [DNS and Proxy Configuration Guide](/references/networking/dns) for universal DNS setup instructions
+:::
+
+### HTTPS & SSL Configuration
+
+When using Let's Encrypt certificates (recommended):
+
+**Certificate Management:**
+- Zerops handles all certificate installation and renewal automatically
+- Certificates are provided free of charge
+- No manual certificate management required
+
+**Traffic Flow:**
+1. Traffic arrives at your public IPv4/IPv6 addresses
+2. Requests route through your project's dedicated HTTPS balancer
+3. SSL termination occurs at the balancer level
+4. Internal traffic uses HTTP protocol for optimal performance
+
+**Balancer Architecture:**
+- Deployed in two containers for high availability
+- Scales vertically based on traffic demands
+- Cannot be directly modified by users
+- Included free of charge with custom domain setup
+
+**Load Balancing:**
+- **Round-robin load balancing** across multiple service instances
+- **Health checks** to route traffic only to healthy instances
+- **Connection pooling** for improved performance
+
+**Performance Considerations:**
+- Use dedicated IPv4 addresses instead of shared ones for high-traffic applications
+- Consider the [L7 Balancer advanced configuration options](/references/networking/l7-balancer-config) for production optimization
+
+## Direct Port Access
+
+Direct port access enables public access to specific ports on your services, supporting any protocol and specialized use cases beyond HTTP.
+
+:::important Service Compatibility
+Currently, direct public port access is only available for runtime services and PostgreSQL databases.
+:::
+
+<p align="center">
+  <Image
+    src="/img/gui/ipv6-public-port.webp"
+    alt="Public Access Port"
+    style={{ width: '90%', height: 'auto' }}
+  />
+</p>
+
+### Port Configuration
+
+1. Navigate to your service detail page in Zerops GUI:
+   - For runtime services: Select **Subdomain & domain & IP access**
+   - For PostgreSQL services: Select **Direct access through IP address**
+   - Or access from project's **Project & Services Access Overview** section → **Direct IP Accesses to Services**
+2. Configure port settings:
+   - Either **Setup first access through IPv6** or activate **Unique IPv4 add-on** (if needed)
+   - Choose any port from 10-65435 (ports 80 and 443 are reserved)
+   - Select destination service and internal port
+   - Each public port can be mapped to any internal service port
+   - Multiple public ports can point to the same internal port if needed
+   - Port configurations can be set independently for IPv4 and IPv6
+
+:::tip Service-Level Access
+For runtime services, you can also access port configuration from the service detail page under **Subdomain & domain & IP access**.
+:::
+
+### Firewall Configuration
+
+Secure your public ports with optional firewall rules:
+
+1. **Enable firewall** for specific ports
+2. **Choose policy type:**
+   - **Blacklist:** Block specific IPs/ranges (allow all others)
+   - **Whitelist:** Allow only specific IPs/ranges (block all others)
+3. **Configure IP rules:**
+   - **Single IP format:** Affects only the specific IP address
+   - **IP range format:** Affects all IPs in the specified CIDR range
+
+<p align="center">
+ <Image
+   src="/img/gui/enable-firewall.webp"
+   alt="Enable Firewall"
+   style={{ width: '90%', height: 'auto' }}
+ />
+</p>
+
+For information about Zerops' platform-wide firewall and port restrictions, see the [Firewall Reference Guide](/references/networking/firewall).
+
+### Protocol Support
+
+Direct port access supports:
+- **TCP protocols:** HTTP, HTTPS, database connections, custom TCP services
+- **UDP protocols:** DNS, gaming protocols, custom UDP services
+- **Any port-based protocol** your application requires
+
+## Next Steps
+
+- **DNS Configuration:** [DNS and Proxy Configuration Guide](/references/networking/dns) or [Cloudflare Guide](/references/networking/cloudflare)
+- **Advanced Routing:** [L7 Balancer Configuration & Advanced Routing Guide](/references/networking/l7-balancer-config)
+- **Wildcard Domains:** [Wildcard Domain Configuration](/references/networking/dns#wildcard-domain-configuration)
+- **Internal Access:** [Internal Access Configuration Guide](/references/networking/internal-access)
+
+*Need help? Join our [Discord community](https://discord.gg/zeropsio).*
\ No newline at end of file
diff --git a/apps/docs/content/references/ssh.mdx b/apps/docs/content/references/networking/ssh.mdx
similarity index 97%
rename from apps/docs/content/references/ssh.mdx
rename to apps/docs/content/references/networking/ssh.mdx
index 4ee89e92..6e8bf752 100644
--- a/apps/docs/content/references/ssh.mdx
+++ b/apps/docs/content/references/networking/ssh.mdx
@@ -33,16 +33,16 @@ For quick debugging and inspection, use the **Remote Web Terminal** available in
 - Perfect for quick debugging sessions and emergency access
 
 ### SSH via VPN (Full Access)
-For full SSH capabilities and persistent connections, connect through the [Zerops VPN](/references/vpn).
+For full SSH capabilities and persistent connections, connect through the [Zerops VPN](/references/networking/vpn).
 
 ## Setting Up SSH Access
 
 ### 1. Configure VPN Connection (For SSH Access)
 
-The [Zerops CLI (zCLI)](/references/cli) comes bundled with the [Zerops VPN](/references/vpn) client. To connect to your [Zerops project](/features/infrastructure#projects):
+The [Zerops CLI (zCLI)](/references/cli) comes bundled with the [Zerops VPN](/references/networking/vpn) client. To connect to your [Zerops project](/features/infrastructure#projects):
 
 1. [Install and configure zCLI](/references/cli)
-2. [Initialize the Zerops VPN connection](/references/vpn#start-vpn)
+2. [Initialize the Zerops VPN connection](/references/networking/vpn#start-vpn)
 
 ### 2. Establish SSH Connection via VPN
 
diff --git a/apps/docs/content/references/vpn.mdx b/apps/docs/content/references/networking/vpn.mdx
similarity index 66%
rename from apps/docs/content/references/vpn.mdx
rename to apps/docs/content/references/networking/vpn.mdx
index b7746ba2..b2ea8e46 100644
--- a/apps/docs/content/references/vpn.mdx
+++ b/apps/docs/content/references/networking/vpn.mdx
@@ -70,6 +70,50 @@ Flags:
       --help   Display help for the vpn down command
 ```
 
+## Troubleshooting
+
+#### 1. Interface Already Exists
+**Problem**: When running `zcli vpn up`, you get an error like:
+```
+ERR /opt/homebrew/bin/wg-quick up /opt/homebrew/etc/wireguard/zerops.conf: [+] Interface for zerops is utun6 wg-quick: 'zerops' already exists as 'utun6'
+```
+
+**Solution**: Reset the VPN connection by running:
+```bash
+zcli vpn down
+zcli vpn up
+```
+
+#### 2. Hostname Resolution
+**Problem**: Even with VPN successfully connected, hostname resolution fails with errors like:
+```
+could not translate host name "hostname" to address: nodename nor servname provided, or not known
+```
+
+* The issue is known to happen rarely on Windows
+
+**Solution**: Append `.zerops` to the hostname, even when VPN shows as connected:
+```bash
+# Instead of
+psql -h [hostname] -U [user]
+
+# Use
+psql -h [hostname].zerops -U [user]
+```
+
+:::tip Windows OS tip
+In the Advanced TCP/IP Settings dialog, navigate to the DNS tab and confirm that "zerops" appears in the "Append these DNS suffixes (in order)" list. If missing, add it using the Add button.
+:::
+
+#### 3. WSL2 VPN Connection
+**Problem**: VPN not running in WSL2
+
+**Solution**: This might occur because `systemd` is not running in WSL2 by default. To fix:
+1. Run `sudo -e /etc/wsl.conf`
+2. Add `system=true` to `[boot]` section
+3. Comment out the first line `LABEL=cloudimg-rootfs / ext4 defaults 0 1`
+4. In `cmd.exe/PowerShell` run `wsl --shutdown` to restart WSL2
+
 ## How do we provide better security?
 
 We are using WireGuard under the hood for VPN to establish a secure tunnel
diff --git a/apps/docs/content/references/vpn/troubleshooting.mdx b/apps/docs/content/references/vpn/troubleshooting.mdx
deleted file mode 100644
index 67469935..00000000
--- a/apps/docs/content/references/vpn/troubleshooting.mdx
+++ /dev/null
@@ -1,43 +0,0 @@
-# VPN Troubleshooting Guide
-
-## 1. Interface Already Exists
-**Problem**: When running `zcli vpn up`, you get an error like:
-```
-ERR /opt/homebrew/bin/wg-quick up /opt/homebrew/etc/wireguard/zerops.conf: [+] Interface for zerops is utun6 wg-quick: 'zerops' already exists as 'utun6'
-```
-
-**Solution**: Reset the VPN connection by running:
-```bash
-zcli vpn down
-zcli vpn up
-```
-
-## 2. Hostname Resolution
-**Problem**: Even with VPN successfully connected, hostname resolution fails with errors like:
-```
-could not translate host name "hostname" to address: nodename nor servname provided, or not known
-```
-
-* The issue is known to happen rarely on Windows
-
-**Solution**: Append `.zerops` to the hostname, even when VPN shows as connected:
-```bash
-# Instead of
-psql -h [hostname] -U [user]
-
-# Use
-psql -h [hostname].zerops -U [user]
-```
-
-:::tip Windows OS tip
-In the Advanced TCP/IP Settings dialog, navigate to the DNS tab and confirm that "zerops" appears in the "Append these DNS suffixes (in order)" list. If missing, add it using the Add button.
-:::
-
-## 3. WSL2 VPN Connection
-**Problem**: VPN not running in WSL2
-
-**Solution**: This might occur because `systemd` is not running in WSL2 by default. To fix:
-1. Run `sudo -e /etc/wsl.conf`
-2. Add `system=true` to `[boot]` section
-3. Comment out the first line `LABEL=cloudimg-rootfs / ext4 defaults 0 1`
-4. In `cmd.exe/PowerShell` run `wsl --shutdown` to restart WSL2
\ No newline at end of file
diff --git a/apps/docs/content/rust/how-to/access.mdx b/apps/docs/content/rust/how-to/access.mdx
deleted file mode 100644
index 0622dc62..00000000
--- a/apps/docs/content/rust/how-to/access.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: How to access your Rust application
-description: Learn more about how you can access your Rust application on Zerops.
----
-
-import { SetVar } from '/src/components/content/var';
-import AccessContent from '/src/components/content/access.mdx';
-
-<SetVar name="serviceDisplay" value="Rust" />
-<SetVar name="servicePath" value="rust" />
-<SetVar name="defaultPort" value="8080" />
-
-<AccessContent />
\ No newline at end of file
diff --git a/apps/docs/content/rust/how-to/build-pipeline.mdx b/apps/docs/content/rust/how-to/build-pipeline.mdx
index 85300b1f..9a6a9a2d 100644
--- a/apps/docs/content/rust/how-to/build-pipeline.mdx
+++ b/apps/docs/content/rust/how-to/build-pipeline.mdx
@@ -508,7 +508,7 @@ _OPTIONAL._ Specifies one or more internal ports on which your application will
 
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
 
-For example, to connect to a Rust service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Rust service](/rust/how-to/access).
+For example, to connect to a Rust service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Rust service](/references/networking/internal-access#basic-service-communication).
 
 Each port has following attributes:
 
diff --git a/apps/docs/content/rust/overview.mdx b/apps/docs/content/rust/overview.mdx
index 41334d10..28a5a464 100644
--- a/apps/docs/content/rust/overview.mdx
+++ b/apps/docs/content/rust/overview.mdx
@@ -182,7 +182,7 @@ Have you build something that others might find useful? Don't hesitate to share
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/shared-storage/how-to/manage.mdx b/apps/docs/content/shared-storage/how-to/manage.mdx
index 7c0976c3..f059edda 100644
--- a/apps/docs/content/shared-storage/how-to/manage.mdx
+++ b/apps/docs/content/shared-storage/how-to/manage.mdx
@@ -3,7 +3,7 @@ title: Manage and Access Shared Storage
 description: Learn how to manage, monitor, and troubleshoot your Shared Storage on Zerops.
 ---
 
-Zerops Shared Storage provides several web interfaces to manage, monitor, and troubleshoot your storage. These interfaces are accessible through the [Zerops VPN](/references/vpn) and offer different capabilities for managing your data and monitoring system performance.
+Zerops Shared Storage provides several web interfaces to manage, monitor, and troubleshoot your storage. These interfaces are accessible through the [Zerops VPN](/references/networking/vpn) and offer different capabilities for managing your data and monitoring system performance.
 
 ## Access Web Interfaces
 
diff --git a/apps/docs/content/shared-storage/overview.mdx b/apps/docs/content/shared-storage/overview.mdx
index 31cf5abe..38187116 100644
--- a/apps/docs/content/shared-storage/overview.mdx
+++ b/apps/docs/content/shared-storage/overview.mdx
@@ -87,7 +87,7 @@ Zerops provides a fully managed and scaled **Shared Storage** service, which can
     },
     {
       type: 'link',
-      href: '/references/vpn',
+      href: '/references/networking/vpn',
       label: 'Zerops VPN',
       customProps: {
         icon: Icons['globe-europe'],
diff --git a/apps/docs/content/typesense/overview.mdx b/apps/docs/content/typesense/overview.mdx
index 8bae342a..5cfc9c58 100644
--- a/apps/docs/content/typesense/overview.mdx
+++ b/apps/docs/content/typesense/overview.mdx
@@ -86,7 +86,7 @@ For enabling HTTPS access:
 #### Direct Node Access
 
 Allows to access individual nodes using internal DNS:
-1. **Via [Zerops VPN](/references/vpn)**
+1. **Via [Zerops VPN](/references/networking/vpn)**
 2. **Internal Project Access** - services within the same project can reach nodes directly
 
 Node addressing patterns:
diff --git a/apps/docs/sidebars.js b/apps/docs/sidebars.js
index 5a73be42..acadb1de 100644
--- a/apps/docs/sidebars.js
+++ b/apps/docs/sidebars.js
@@ -96,34 +96,13 @@ module.exports = {
       className: 'homepage-sidebar-item',
     },
     {
-      type: 'category',
-      link: {
-        type: 'doc',
-        id: 'features/access',
-      },
-      label: 'Custom Domains & IP Access',
+      type: 'doc',
+      id: 'features/access',
+      label: 'Access & Networking',
       customProps: {
         sidebar_icon: 'globe-europe',
       },
       className: 'homepage-sidebar-item',
-      items: [
-        {
-          type: 'doc',
-          id: 'features/cloudflare',
-          label: 'Cloudflare Setup',
-          customProps: {
-            exclude_from_doc_list: false,
-          },
-        },
-        {
-          type: 'doc',
-          id: 'features/dns',
-          label: 'General DNS & Proxy Setup',
-          customProps: {
-            exclude_from_doc_list: false,
-          },
-        },
-      ],
     },
     {
       type: 'doc',
@@ -567,7 +546,7 @@ module.exports = {
           label: 'zsc',
           id: 'references/zsc',
           customProps: {
-            sidebar_icon: 'window',
+            sidebar_icon: 'command-line',
           },
           className: 'homepage-sidebar-item',
         },
@@ -575,7 +554,7 @@ module.exports = {
     },
     {
       type: 'category',
-      label: 'Access & Connectivity',
+      label: 'Networking',
       collapsible: false,
       customProps: {
         sidebar_is_group_headline: true,
@@ -583,50 +562,73 @@ module.exports = {
       items: [
         {
           type: 'doc',
-          id: 'references/ssh',
-          label: 'SSH',
+          id: 'references/networking/public-access',
+          label: 'Public Access',
           customProps: {
-            sidebar_icon: 'command-line',
+            sidebar_icon: 'globe-europe',
           },
           className: 'homepage-sidebar-item',
         },
         {
-          type: 'category',
+          type: 'doc',
+          id: 'references/networking/internal-access',
+          label: 'Internal Access',
+          customProps: {
+            sidebar_icon: 'internal-access',
+          },
+          className: 'homepage-sidebar-item',
+        },
+        {
+          type: 'doc',
+          id: 'references/networking/dns',
+          label: 'DNS and Proxy',
+          customProps: {
+            sidebar_icon: 'dns',
+          },
+          className: 'homepage-sidebar-item',
+        },
+        {
+          type: 'doc',
+          id: 'references/networking/cloudflare',
+          label: 'Cloudflare',
+          customProps: {
+            sidebar_icon: 'cloudflare',
+          },
+          className: 'homepage-sidebar-item',
+        },
+        {
+          type: 'doc',
+          id: 'references/networking/vpn',
           label: 'VPN',
-          link: {
-            type: 'doc',
-            id: 'references/vpn',
+          customProps: {
+            sidebar_icon: 'vpn',
           },
+          className: 'homepage-sidebar-item',
+        },
+        {
+          type: 'doc',
+          id: 'references/networking/ssh',
+          label: 'SSH',
           customProps: {
-            sidebar_icon: 'globe-europe',
+            sidebar_icon: 'command-line-solid',
           },
           className: 'homepage-sidebar-item',
-          items: [
-            {
-              type: 'doc',
-              id: 'references/vpn/troubleshooting',
-              label: 'Troubleshooting',
-              customProps: {
-                exclude_from_doc_list: false,
-              },
-            },
-          ],
         },
         {
           type: 'doc',
-          id: 'references/firewall',
-          label: 'Firewall',
+          id: 'references/networking/l7-balancer-config',
+          label: 'L7 Balancer',
           customProps: {
-            sidebar_icon: 'firewall',
+            sidebar_icon: 'balancer',
           },
           className: 'homepage-sidebar-item',
         },
         {
           type: 'doc',
-          id: 'references/smtp',
-          label: 'SMTP',
+          id: 'references/networking/firewall',
+          label: 'Firewall',
           customProps: {
-            sidebar_icon: 'envelope',
+            sidebar_icon: 'firewall',
           },
           className: 'homepage-sidebar-item',
         },
@@ -697,6 +699,15 @@ module.exports = {
           },
           className: 'homepage-sidebar-item',
         },
+        {
+          type: 'doc',
+          id: 'references/smtp',
+          label: 'SMTP',
+          customProps: {
+            sidebar_icon: 'envelope',
+          },
+          className: 'homepage-sidebar-item',
+        },
       ]
     },
     {
@@ -915,11 +926,6 @@ module.exports = {
           id: 'nodejs/how-to/filebrowser',
           label: 'Browse container files',
         },
-        {
-          type: 'doc',
-          id: 'nodejs/how-to/access',
-          label: 'Access Node.js runtime service',
-        },
         {
           type: 'doc',
           id: 'nodejs/how-to/shared-storage',
@@ -1064,11 +1070,6 @@ module.exports = {
           id: 'php/how-to/filebrowser',
           label: 'Browse container files',
         },
-        {
-          type: 'doc',
-          id: 'php/how-to/access',
-          label: 'Access PHP runtime service',
-        },
         {
           type: 'doc',
           id: 'php/how-to/shared-storage',
@@ -1199,11 +1200,6 @@ module.exports = {
           id: 'python/how-to/filebrowser',
           label: 'Browse container files',
         },
-        {
-          type: 'doc',
-          id: 'python/how-to/access',
-          label: 'Access Python runtime service',
-        },
         {
           type: 'doc',
           id: 'python/how-to/shared-storage',
@@ -1334,11 +1330,6 @@ module.exports = {
             id: 'go/how-to/filebrowser',
             label: 'Browse container files',
           },
-          {
-            type: 'doc',
-            id: 'go/how-to/access',
-            label: 'Access Go runtime service',
-          },
           {
             type: 'doc',
             id: 'go/how-to/shared-storage',
@@ -1469,11 +1460,6 @@ module.exports = {
             id: 'rust/how-to/filebrowser',
             label: 'Browse container files',
           },
-          {
-            type: 'doc',
-            id: 'rust/how-to/access',
-            label: 'Access Rust runtime service',
-          },
           {
             type: 'doc',
             id: 'rust/how-to/shared-storage',
@@ -1604,11 +1590,6 @@ module.exports = {
             id: 'dotnet/how-to/filebrowser',
             label: 'Browse container files',
           },
-          {
-            type: 'doc',
-            id: 'dotnet/how-to/access',
-            label: 'Access .NET runtime service',
-          },
           {
             type: 'doc',
             id: 'dotnet/how-to/shared-storage',
@@ -1739,11 +1720,6 @@ module.exports = {
             id: 'java/how-to/filebrowser',
             label: 'Browse container files',
           },
-          {
-            type: 'doc',
-            id: 'java/how-to/access',
-            label: 'Access Java runtime service',
-          },
           {
             type: 'doc',
             id: 'java/how-to/shared-storage',
@@ -1874,11 +1850,6 @@ module.exports = {
             id: 'nginx/how-to/filebrowser',
             label: 'Browse container files',
           },
-          {
-            type: 'doc',
-            id: 'nginx/how-to/access',
-            label: 'Access Nginx runtime service',
-          },
           {
             type: 'doc',
             id: 'nginx/how-to/shared-storage',
@@ -2606,11 +2577,6 @@ module.exports = {
             id: 'deno/how-to/filebrowser',
             label: 'Browse container files',
           },
-          {
-            type: 'doc',
-            id: 'deno/how-to/access',
-            label: 'Access Deno runtime service',
-          },
           {
             type: 'doc',
             id: 'deno/how-to/shared-storage',
@@ -2741,11 +2707,6 @@ module.exports = {
             id: 'bun/how-to/filebrowser',
             label: 'Browse container files',
           },
-          {
-            type: 'doc',
-            id: 'bun/how-to/access',
-            label: 'Access Bun runtime service',
-          },
           {
             type: 'doc',
             id: 'bun/how-to/shared-storage',
@@ -2876,11 +2837,6 @@ module.exports = {
             id: 'gleam/how-to/filebrowser',
             label: 'Browse container files',
           },
-          {
-            type: 'doc',
-            id: 'gleam/how-to/access',
-            label: 'Access Gleam runtime service',
-          },
           {
             type: 'doc',
             id: 'gleam/how-to/shared-storage',
@@ -3011,11 +2967,6 @@ module.exports = {
             id: 'elixir/how-to/filebrowser',
             label: 'Browse container files',
           },
-          {
-            type: 'doc',
-            id: 'elixir/how-to/access',
-            label: 'Access Elixir runtime service',
-          },
           {
             type: 'doc',
             id: 'elixir/how-to/shared-storage',
diff --git a/apps/docs/src/components/content/access.mdx b/apps/docs/src/components/content/access.mdx
index ac6b6174..1f40b1a7 100644
--- a/apps/docs/src/components/content/access.mdx
+++ b/apps/docs/src/components/content/access.mdx
@@ -36,7 +36,7 @@ Read more about <VarLink name="servicePath" path="/{{VAR}}/how-to/env-variables"
 You can securely connect to your <Var name="serviceDisplay" /> application from your local workspace via Zerops VPN. Zerops VPN client is included into zCLI, the Zerops command-line tool. To start a VPN connection to the selected Zerops project, follow these steps:
 
 1. [Install & setup zCLI](/references/cli)
-2. [Start the Zerops VPN](/references/vpn#start-vpn)
+2. [Start the Zerops VPN](/references/networking/vpn#start-vpn)
 
 ### Access <Var name="serviceDisplay" /> application through VPN
 
@@ -48,18 +48,18 @@ Do not use `https://` when communicating with <Var name="serviceDisplay" /> over
 
 ### Connect via SSH
 
-Use the <a href="/references/ssh">`ssh` command</a> to connect to your service via SSH.
+Use the <a href="/references/networking/ssh">`ssh` command</a> to connect to your service via SSH.
 
 ### Stop VPN connection
 
-[Stop the Zerops VPN](/references/vpn#stop-vpn) in zCLI.
+[Stop the Zerops VPN](/references/networking/vpn#stop-vpn) in zCLI.
 
 ## Public access
 
 By default, your <Var name="serviceDisplay" /> service is not publicly accessible. Zerops offers multiple ways to make your application available from the internet:
 
-- **[Zerops subdomain](/features/access#public-access-through-zerops-subdomain)** - Quick setup with `.zerops.app` subdomain, ideal for development and testing. Provides instant HTTPS access without DNS configuration.
-- **[Custom domain](/features/access#public-access-through-your-domain)** - Production-ready access through your own domain with SSL management
+- **[Zerops subdomain](/references/networking/public-access#zerops-subdomain-access)** - Quick setup with `.zerops.app` subdomain, ideal for development and testing. Provides instant HTTPS access without DNS configuration.
+- **[Custom domain](/references/networking/public-access#custom-domain-access)** - Production-ready access through your own domain with SSL management
 - **[Direct port access](/features/access#opening-public-ports)** - For non-HTTP protocols and specialized use cases
 
 For detailed configuration steps and technical considerations, see the complete [Domain & Access Configuration guide](/features/access).
\ No newline at end of file
diff --git a/apps/docs/src/components/content/file-browser.mdx b/apps/docs/src/components/content/file-browser.mdx
index 913d2e88..5f66402e 100644
--- a/apps/docs/src/components/content/file-browser.mdx
+++ b/apps/docs/src/components/content/file-browser.mdx
@@ -18,4 +18,4 @@ If your service is in the <VarLink name="servicePath" path="/{{VAR}}/how-to/crea
 ## zCLI & SSH
 
 You can also connect to the container via SSH with the Zerops CLI and browse its files.
-How to [connect to your service via SSH](/references/ssh).
\ No newline at end of file
+How to [connect to your service via SSH](/references/networking/ssh).
\ No newline at end of file
diff --git a/apps/docs/src/theme/Icon/Balancer/index.tsx b/apps/docs/src/theme/Icon/Balancer/index.tsx
new file mode 100644
index 00000000..d592e130
--- /dev/null
+++ b/apps/docs/src/theme/Icon/Balancer/index.tsx
@@ -0,0 +1,27 @@
+import { IconProps } from '@medusajs/icons/dist/types';
+import clsx from 'clsx';
+import React from 'react';
+
+const IconBalancer = (props: IconProps) => {
+  return (
+    <svg
+      width={props.width || 20}
+      height={props.height || 20}
+      viewBox="0 0 48 48"
+      fill="currentColor"
+      xmlns="http://www.w3.org/2000/svg"
+      {...props}
+      className={clsx('text-ui-fg-subtle', props.className)}>
+  <g id="Layer_2" data-name="Layer 2">
+    <g id="invisible_box" data-name="invisible box">
+      <rect width="48" height="48" fill="none"/>
+    </g>
+    <g id="icons_Q2" data-name="icons Q2">
+      <path d="M44,32H42V24a2,2,0,0,0-2-2H26V20h0V16h2a2,2,0,0,0,2-2V6a2,2,0,0,0-2-2H20a2,2,0,0,0-2,2v8a2,2,0,0,0,2,2h2v6H8a2,2,0,0,0-2,2v8H4a2,2,0,0,0-2,2v8a2,2,0,0,0,2,2h8a2,2,0,0,0,2-2V34a2,2,0,0,0-2-2H10V26H22v6H20a2,2,0,0,0-2,2v8a2,2,0,0,0,2,2h8a2,2,0,0,0,2-2V34a2,2,0,0,0-2-2H26V26H38v6H36a2,2,0,0,0-2,2v8a2,2,0,0,0,2,2h8a2,2,0,0,0,2-2V34A2,2,0,0,0,44,32ZM10,40H6V36h4ZM22,8h4v4H22Zm4,32H22V36h4Zm16,0H38V36h4Z"/>
+    </g>
+  </g>
+</svg>
+);
+};
+
+export default IconBalancer;
diff --git a/apps/docs/src/theme/Icon/Cloudflare/index.tsx b/apps/docs/src/theme/Icon/Cloudflare/index.tsx
new file mode 100644
index 00000000..1a4edf89
--- /dev/null
+++ b/apps/docs/src/theme/Icon/Cloudflare/index.tsx
@@ -0,0 +1,20 @@
+import { IconProps } from '@medusajs/icons/dist/types';
+import clsx from 'clsx';
+import React from 'react';
+
+const IconCloudflare = (props: IconProps) => {
+  return (
+    <svg
+      width={props.width || 20}
+      height={props.height || 20}
+      viewBox="0 0 32 32"
+      fill="currentColor"
+      xmlns="http://www.w3.org/2000/svg"
+      {...props}
+      className={clsx('text-ui-fg-subtle', props.className)}>
+    <path d="M25.079 15.102c-0.015-0-0.032-0.001-0.049-0.001-0.087 0-0.174 0.005-0.258 0.016l0.010-0.001c-0.074 0.004-0.136 0.054-0.158 0.121l-0 0.001-0.422 1.468c-0.068 0.187-0.108 0.402-0.108 0.627 0 0.378 0.112 0.731 0.305 1.026l-0.004-0.007c0.309 0.397 0.786 0.649 1.323 0.649 0.002 0 0.004 0 0.005 0h-0l2.304 0.142c0.001-0 0.003-0 0.004-0 0.067 0 0.127 0.035 0.161 0.087l0 0.001c0.022 0.037 0.035 0.082 0.035 0.129 0 0.023-0.003 0.046-0.009 0.068l0-0.002c-0.040 0.107-0.138 0.184-0.254 0.194l-0.001 0-2.401 0.14c-1.447 0.159-2.644 1.089-3.18 2.366l-0.010 0.026-0.176 0.448c-0.006 0.015-0.010 0.032-0.010 0.050 0 0.070 0.057 0.127 0.127 0.127 0.002 0 0.004-0 0.006-0h8.244c0.001 0 0.002 0 0.002 0 0.099 0 0.182-0.066 0.208-0.156l0-0.002c0.138-0.479 0.218-1.030 0.22-1.599v-0.001c-0.009-3.262-2.653-5.903-5.916-5.907h-0zM21.634 22.054c0.068-0.186 0.107-0.401 0.107-0.625 0-0.379-0.112-0.731-0.306-1.026l0.004 0.007c-0.308-0.397-0.785-0.65-1.322-0.65-0.002 0-0.003 0-0.005 0h0l-10.821-0.14c-0.001 0-0.002 0-0.003 0-0.068 0-0.128-0.035-0.163-0.088l-0-0.001c-0.022-0.036-0.036-0.080-0.036-0.127 0-0.024 0.003-0.047 0.010-0.069l-0 0.002c0.040-0.107 0.137-0.184 0.253-0.195l0.001-0 10.917-0.14c1.447-0.16 2.643-1.090 3.182-2.366l0.010-0.026 0.624-1.626c0.017-0.039 0.027-0.085 0.027-0.133 0-0.027-0.003-0.054-0.009-0.079l0 0.002c-0.735-3.203-3.561-5.555-6.936-5.555-3.109 0-5.751 1.996-6.717 4.776l-0.015 0.050c-0.528-0.399-1.195-0.64-1.919-0.64-1.651 0-3.010 1.252-3.179 2.859l-0.001 0.014c-0.010 0.097-0.016 0.21-0.016 0.324 0 0.281 0.035 0.555 0.1 0.816l-0.005-0.023c-2.452 0.071-4.413 2.076-4.413 4.539 0 0.002 0 0.004 0 0.006v-0c0.002 0.234 0.018 0.463 0.047 0.687l-0.003-0.028c0.017 0.104 0.104 0.182 0.211 0.184h19.971c0.12-0.003 0.22-0.083 0.253-0.192l0-0.002 0.15-0.533z"></path>
+</svg>
+);
+};
+
+export default IconCloudflare;
diff --git a/apps/docs/src/theme/Icon/Dns/index.tsx b/apps/docs/src/theme/Icon/Dns/index.tsx
new file mode 100644
index 00000000..c4ac83c7
--- /dev/null
+++ b/apps/docs/src/theme/Icon/Dns/index.tsx
@@ -0,0 +1,19 @@
+import { IconProps } from '@medusajs/icons/dist/types';
+import clsx from 'clsx';
+import React from 'react';
+
+const IconDns = (props: IconProps) => {
+  return (
+    <svg
+        width={props.width || 20}
+        height={props.height || 20}
+      viewBox="-2 -2 18 18"
+      fill="currentColor"
+      xmlns="http://www.w3.org/2000/svg"
+      {...props}
+      className={clsx('text-ui-fg-subtle', props.className)}>
+    <path d="M16 7.38A7.82 7.82 0 0 0 8 .5a7.82 7.82 0 0 0-8 6.88v1.24a7.82 7.82 0 0 0 8 6.88 7.82 7.82 0 0 0 8-6.88V7.38zm-1.25 0h-3a11.34 11.34 0 0 0-.43-2.54 7.6 7.6 0 0 0 1.75-1 6 6 0 0 1 1.65 3.54zm-9.18 0a9.69 9.69 0 0 1 .37-2.14A8.43 8.43 0 0 0 8 5.5a8.49 8.49 0 0 0 2.09-.26 10.2 10.2 0 0 1 .37 2.14zm4.92 1.24a9.59 9.59 0 0 1-.37 2.14 8.53 8.53 0 0 0-4.18 0 9.69 9.69 0 0 1-.37-2.14zm.4-5A11.82 11.82 0 0 0 10 2a6.89 6.89 0 0 1 2 1 6.57 6.57 0 0 1-1.14.66zm-2.6-1.86a10 10 0 0 1 1.38 2.3A7.63 7.63 0 0 1 8 4.25a7.56 7.56 0 0 1-1.67-.19 9.82 9.82 0 0 1 1.38-2.3h.58zm-3.15 1.9A6.57 6.57 0 0 1 4 3a6.89 6.89 0 0 1 2-1 10.38 10.38 0 0 0-.86 1.66zM3 3.83a7.6 7.6 0 0 0 1.75 1 11 11 0 0 0-.43 2.54h-3A6 6 0 0 1 3 3.83zM1.28 8.62h3a11 11 0 0 0 .43 2.54 7.6 7.6 0 0 0-1.75 1 6 6 0 0 1-1.68-3.54zm3.86 3.72A10.38 10.38 0 0 0 6 14a6.89 6.89 0 0 1-2-1 6.57 6.57 0 0 1 1.14-.66zm2.57 1.9a9.82 9.82 0 0 1-1.38-2.3 7.43 7.43 0 0 1 3.34 0 9.76 9.76 0 0 1-1.38 2.3h-.58zm3.15-1.9a6.57 6.57 0 0 1 1.19.66 7.24 7.24 0 0 1-2 1 11.48 11.48 0 0 0 .81-1.66zm2.14-.17a7.6 7.6 0 0 0-1.75-1 10.8 10.8 0 0 0 .43-2.54h3A6 6 0 0 1 13 12.17z"/>     </svg>
+  );
+};
+
+export default IconDns;
diff --git a/apps/docs/src/theme/Icon/Firewall/index.tsx b/apps/docs/src/theme/Icon/Firewall/index.tsx
index 723dfd03..b77c807e 100644
--- a/apps/docs/src/theme/Icon/Firewall/index.tsx
+++ b/apps/docs/src/theme/Icon/Firewall/index.tsx
@@ -7,18 +7,15 @@ const IconFirewall = (props: IconProps) => {
     <svg
       width={props.width || 20}
       height={props.height || 20}
-      viewBox="0 0 512 512"
+      viewBox="0 0 406 406"
       fill="currentColor"
-      version="1.1"
-      id="Layer_1"
-      xmlns="http://www.w3.org/2000/svg"
-      xmlnsXlink="http://www.w3.org/1999/xlink"
-      xmlSpace="preserve"
       {...props}
       className={clsx('text-ui-fg-subtle', props.className)}
     >
-        <path d="M473.82,40.283H38.18C17.127,40.283,0,57.411,0,78.463c0,13.495,0,341.346,0,355.074c0,21.052,17.127,38.18,38.18,38.18 H473.82c21.052,0,38.18-17.127,38.18-38.18c0-13.568,0-341.517,0-355.074C512,57.411,494.873,40.283,473.82,40.283z  M367.111,78.463h106.71v92.904h-106.71V78.463z M183.068,78.463h145.863v92.904H183.068V78.463z M38.18,78.463h106.708v92.904 H38.18V78.463z M38.18,209.547h198.73v92.905H38.18V209.547z M144.888,433.536H38.18v-92.904h106.708V433.536z M328.931,433.536 H183.068v-92.904h145.863V433.536z M473.82,433.537h-106.71v-92.904h106.71V433.537z M473.82,302.452H275.09v-92.905h198.73 V302.452z" />
-    </svg>
+    <path
+   d="m 363.606,42.4 c -2.813,-2.813 -6.629,-4.393 -10.607,-4.393 L 203.28,38.014 C 203.186,38.013 203.095,38 203,38 c -0.095,0 -0.187,0.013 -0.281,0.014 l -149.72,0.008 c -8.284,0 -14.999,6.716 -14.999,15 v 299.981 c 0,8.284 6.716,15 15,15 h 300 c 8.284,0 15,-6.716 15,-15 V 53.007 c 0,-3.979 -1.58,-7.794 -4.394,-10.607 z M 68,237.994 v -70.006 h 50 v 70.006 z m 80,0 v -69.996 h 110 v 69.996 z m 140,-70.006 h 50 v 70.006 h -50 z m 50,-30 H 218 V 68.014 L 338,68.008 Z M 188,68.015 v 69.974 H 68 V 68.021 Z M 68,267.994 h 64.923 c 0.026,0 0.051,0.004 0.077,0.004 h 55 v 70.004 H 68 Z m 150,70.008 v -70.004 h 55 c 0.026,0 0.051,-0.004 0.077,-0.004 H 338 v 70.008 z"
+   id="path863" />
+	    </svg>
   );
 };
 
diff --git a/apps/docs/src/theme/Icon/InternalAccess/index.tsx b/apps/docs/src/theme/Icon/InternalAccess/index.tsx
new file mode 100644
index 00000000..17f8efdb
--- /dev/null
+++ b/apps/docs/src/theme/Icon/InternalAccess/index.tsx
@@ -0,0 +1,20 @@
+import { IconProps } from '@medusajs/icons/dist/types';
+import clsx from 'clsx';
+import React from 'react';
+
+const IconInternalAccess = (props: IconProps) => {
+  return (
+    <svg
+      width={props.width || 20}
+      height={props.height || 20}
+      viewBox="0 0 24 24"
+      fill="currentColor"
+      {...props}
+      className={clsx('text-ui-fg-subtle', props.className)}
+    >
+    <path d="M8,6A1,1,0,1,0,7,5,1,1,0,0,0,8,6ZM21,19H14.82A3,3,0,0,0,13,17.18V15h4a3,3,0,0,0,3-3V10a3,3,0,0,0-.78-2A3,3,0,0,0,20,6V4a3,3,0,0,0-3-3H7A3,3,0,0,0,4,4V6a3,3,0,0,0,.78,2A3,3,0,0,0,4,10v2a3,3,0,0,0,3,3h4v2.18A3,3,0,0,0,9.18,19H3a1,1,0,0,0,0,2H9.18a3,3,0,0,0,5.64,0H21a1,1,0,0,0,0-2ZM6,4A1,1,0,0,1,7,3H17a1,1,0,0,1,1,1V6a1,1,0,0,1-1,1H7A1,1,0,0,1,6,6Zm1,9a1,1,0,0,1-1-1V10A1,1,0,0,1,7,9H17a1,1,0,0,1,1,1v2a1,1,0,0,1-1,1Zm5,8a1,1,0,1,1,1-1A1,1,0,0,1,12,21ZM8,10a1,1,0,1,0,1,1A1,1,0,0,0,8,10Z"/>
+	    </svg>
+  );
+};
+
+export default IconInternalAccess;
diff --git a/apps/docs/src/theme/Icon/Vpn/index.tsx b/apps/docs/src/theme/Icon/Vpn/index.tsx
new file mode 100644
index 00000000..94bd1cf6
--- /dev/null
+++ b/apps/docs/src/theme/Icon/Vpn/index.tsx
@@ -0,0 +1,40 @@
+import React from 'react';
+
+interface IconProps {
+  width?: number | string;
+  height?: number | string;
+  className?: string;
+  style?: React.CSSProperties;
+}
+
+const IconVPN: React.FC<IconProps> = ({
+  width = 20,
+  height = 20,
+  className = '',
+  style,
+  ...props
+}) => {
+  return (
+    <svg
+      width={width}
+      height={height}
+      viewBox="0 0 16 16"
+      fill="currentColor"
+      xmlns="http://www.w3.org/2000/svg"
+      className={`icon-vpn ${className}`}
+      style={style}
+      {...props}
+    >
+      <path
+        d="M 7.917969 1 C 6.300781 1 5 2.300781 5 3.917969 L 5 5 C 4.4375 5.007812 3.992188 5.46875 4 6.03125 L 4 9.96875 C 4 10.539062 4.460938 11 5.03125 11 L 7 11 L 7 12.875 L 9 12.875 L 9 11 L 10.96875 11 C 11.539062 11 12 10.539062 12 9.96875 L 12 6.03125 C 12.007812 5.46875 11.5625 5.007812 11 5 L 11 3.917969 C 11 2.300781 9.699219 1 8.082031 1 Z M 8 3 C 8.554688 3 9 3.445312 9 4 L 9 5 L 7 5 L 7 4 C 7 3.445312 7.445312 3 8 3 Z M 8 3"
+        fill="currentColor"
+      />
+      <path
+        d="M 7.996094 15.949219 C 7.292969 15.949219 6.644531 15.578125 6.28125 14.976562 L 2.996094 14.976562 C 2.445312 14.976562 1.996094 14.527344 1.996094 13.976562 C 1.996094 13.425781 2.445312 12.976562 2.996094 12.976562 L 6.246094 12.976562 C 6.597656 12.335938 7.265625 11.941406 7.996094 11.9375 C 8.726562 11.941406 9.398438 12.335938 9.75 12.976562 L 13.007812 12.976562 C 13.5625 12.976562 14.007812 13.425781 14.007812 13.976562 C 14.007812 14.527344 13.5625 14.976562 13.007812 14.976562 L 9.714844 14.976562 C 9.351562 15.578125 8.699219 15.949219 7.996094 15.949219 Z M 7.996094 14.949219 C 8.550781 14.949219 9.003906 14.5 9.003906 13.945312 C 9.003906 13.386719 8.550781 12.9375 7.996094 12.9375 C 7.441406 12.9375 6.992188 13.386719 6.992188 13.945312 C 6.992188 14.5 7.441406 14.949219 7.996094 14.949219 Z M 7.996094 14.949219"
+        fill="currentColor"
+      />
+    </svg>
+  );
+};
+
+export default IconVPN;
\ No newline at end of file
diff --git a/apps/docs/src/theme/Icon/index.tsx b/apps/docs/src/theme/Icon/index.tsx
index e5b81879..8da62f16 100644
--- a/apps/docs/src/theme/Icon/index.tsx
+++ b/apps/docs/src/theme/Icon/index.tsx
@@ -158,6 +158,11 @@ import IconDocker from './Docker';
 import IconCurlyBraces from './CurlyBraces';
 import IconCdn from './Cdn';
 import IconClickhouse from './Clickhouse';
+import IconCloudflare from './Cloudflare';
+import IconVPN from './Vpn';
+import IconBalancer from './Balancer';
+import IconDns from './Dns';
+import IconInternalAccess from './InternalAccess';
 
 export default {
   'academic-cap-solid': AcademicCapSolid,
@@ -320,4 +325,9 @@ export default {
   'curly-braces': IconCurlyBraces,
   cdn: IconCdn,
   clickhouse: IconClickhouse,
+  cloudflare: IconCloudflare,
+  vpn: IconVPN,
+  balancer: IconBalancer,
+  dns: IconDns,
+  'internal-access': IconInternalAccess,
 };
diff --git a/apps/docs/static/img/globe.svg b/apps/docs/static/img/globe.svg
new file mode 100644
index 00000000..739f9feb
--- /dev/null
+++ b/apps/docs/static/img/globe.svg
@@ -0,0 +1 @@
+<svg class="img-fluid" xmlns="http://www.w3.org/2000/svg" style="transform:matrix(.85683,0,0,.85683,14,-3);transform-origin:50% 50%;cursor:move;max-height:363.94px;transition:none" width="512" height="512" viewBox="67.992 250.316 4983.418 4619.287"><g style="transform:none" fill="#B7C5FD"><path d="M1859 4851c-214-84-335-328-369-746-5-66-10-128-10-137 0-14 14-7 60 29 48 37 60 52 60 74 0 39 26 162 51 239 55 169 153 295 276 352 61 29 77 33 158 33 102 0 195-20 195-41 0-24 29-15 36 10 3 14 14 32 25 42 19 17 28 71 10 60-5-3-51 14-102 38-52 24-115 49-141 55-71 17-195 13-249-8"/><path d="M2533 4570c-29-36-31-70-4-63 12 3 37-13 77-51s53-55 42-56c-10 0-18-5-18-10 0-6 43-59 96-118 85-95 231-281 277-353l17-25-143-97c-79-52-202-139-273-193-71-53-134-98-140-101-6-2-85 20-175 50s-188 60-216 68c-45 11-53 16-53 36s-5 23-40 23c-32 0-40-4-40-18 0-10-7-28-16-40-8-12-14-36-12-54 3-30 5-32 93-55 112-29 348-103 344-107-2-2-46-38-98-81s-130-111-173-150l-78-72-102-7c-243-17-633-69-842-112-114-23-121-23-130-7-9 15-12 12-23-22-13-38-13-38-8-6 5 31-1 41-53 100-157 177-218 312-193 426 30 132 173 204 434 220 129 8 176 3 157-20-9-11-1-15 47-20 107-12 265-35 337-50 39-8 90-15 114-15h42v107l-87 21c-105 25-306 62-341 62-14 0-33-7-43-15-14-14-29-14-100-5-46 5-149 10-229 10-238-1-375-36-460-119-72-69-86-136-50-241 44-131 170-295 347-454 35-31 61-56 59-56s-50-14-107-31c-85-25-108-28-123-19-18 11-19 9-12-36 7-58 21-75 38-51 7 9 57 33 111 52 77 27 97 32 97 20 0-22 31-19 155 15 101 28 330 73 500 99 68 11 311 41 328 41 4 0-77-84-180-187-260-259-471-499-642-728-69-93-81-114-76-137 9-37 3-37-154 17-271 93-444 205-508 329-33 65-34 145-3 206 28 56 107 140 131 140 25 0 25 32-1 55-11 10-22 26-25 36-4 11-15 19-27 19-11 0-18-5-15-12 2-8-24-30-60-51-147-88-236-203-235-303 2-184 274-371 724-495 62-17 117-35 121-39 5-4-13-41-41-81-103-153-208-350-263-494-63-164-77-330-35-421 70-150 270-174 583-68 57 20 111 33 119 30 20-8 18 20-7 71-20 42-34 53-41 33-8-22-134-45-253-45-110 0-125 2-170 25-62 32-110 105-119 183-14 107 28 273 114 452 71 148 167 302 191 308 12 3 18 3 15 0-5-5 18-33 28-33 3 0 6 14 6 30 0 17 5 30 10 30 6 0 10 7 10 15s5 15 10 15c6 0 10 5 10 11s6 17 13 24c29 34 37 45 37 55 0 6 7 13 15 16 8 4 15 11 15 16 0 6 9 20 19 32 11 11 69 82 130 156 60 75 160 192 222 260 118 131 471 484 526 527 31 24 37 25 270 32 423 12 964-13 1036-50 21-10 53-19 72-19h35v60c0 57 1 60 24 60 71 0 74 39 11 175-10 22-24 54-31 70-40 96-142 300-199 401-52 92-64 119-53 126 68 49 398 185 517 215 11 3 11 6 1 18-7 9-10 18-7 22 4 3 57 8 119 10 99 5 120 2 170-17 66-24 118-78 136-139 14-46 15-150 2-206-7-31-6-46 6-65 9-15 3-11-15 10-30 34-30 34-31 10 0-34 67-130 91-130 25 0 24 4-7 48-24 34-24 35-2 9l25-28 35 93c95 248 89 418-17 506-97 79-269 78-517-5-95-31-112-34-137-23-28 11-40 7-173-58-79-39-175-89-214-111l-72-41-76 113c-42 62-114 161-161 220-77 96-88 107-117 107s-44 13-116 90c-46 49-80 94-77 100 15 24-32 6-52-20m666-970c106-191 201-387 201-415 0-14 4-25 10-25 8 0 40-61 40-76 0-12-38 2-131 47-180 89-514 234-686 300-26 10-26 10 43 61 87 63 289 200 363 244l56 34 17-23c9-12 48-78 87-147m-546-306c146-58 420-176 415-178-2-1-194 1-428 4l-425 5 135 112c74 62 141 113 148 113s77-25 155-56"/><path d="M1545 3989c-71-57-77-64-55-67 16-3 30 3 41 17 10 12 21 21 26 21 20 1 75 57 72 75-3 15-18 7-84-46m2120-958c-26-5-30-11-33-44-2-22-8-37-16-37-7 0-28-7-45-16-30-15-32-20-28-53 3-20 35-123 72-229 111-323 206-735 236-1024l13-128h118l-5 73c-16 246-118 696-238 1059-27 82-49 151-49 154 0 8 49-23 231-142 215-140 350-246 496-388 66-64 74-69 86-53 12 17 14 16 38-10 14-15 38-45 53-65l28-37-71-35c-77-39-96-44-87-21q4.5 15-12 15c-30 0-67-139-42-155 6-3 10 0 10 7 0 8 8 14 18 15 9 1 64 20 121 42 58 22 107 38 111 36 14-9 34-101 33-150-1-120-92-203-263-238-110-23-179-27-173-10 3 8-2 13-15 13-24 0-72-70-72-105 0-16 4-24 11-20 5 4 85 8 177 9 248 4 378 41 460 130 45 49 57 88 50 170-4 50-47 153-95 230-14 22-15 30-5 33 31 11 138 90 182 134 92 92 113 178 70 287-25 63-44 78-55 43-10-33-73-80-115-87s-51-18-24-28c13-5 15-14 9-44-11-61-41-114-98-170l-54-53-87 87c-78 77-86 90-81 114s1 32-28 54c-19 14-41 26-49 26-9 0-18 9-21 20-3 12-14 20-26 20s-21 6-21 14c0 21-208 176-237 176-22 0-93 46-93 60 0 6-7 10-15 10s-15 5-15 10c0 6-7 10-15 10s-15 5-15 10c0 6-9 10-20 10s-23 7-26 15c-4 8-15 15-25 15-11 0-22 7-25 15-4 8-15 15-25 15-11 0-22 7-25 15-4 8-15 15-25 15-11 0-22 7-25 15-4 8-15 15-25 15s-27 8-38 19c-10 10-31 21-46 25s-25 9-22 12c8 8 337-61 479-100 70-19 178-56 240-81 122-48 148-54 148-30 0 14 4 13 33-1 63-33 147-95 147-109 0-26 29-16 65 23 31 33 50 82 25 67-5-3-40 10-77 28-37 19-97 45-132 58-49 19-66 30-73 51-8 22-22 31-74 48-119 40-279 81-344 90-36 4-130 20-210 34-147 27-172 28-225 17m195-1841c0-50 7-59 26-40 16 16-4-128-32-238-62-246-199-412-373-452-154-36-367 39-553 194-41 35-84 66-94 69-18 4-18 5-1 6 33 2 7 21-29 21-24 0-34-5-34-15 0-8 8-16 18-17 9 0-3-4-28-7l-45-6 100-100c147-148 296-256 430-312 127-53 277-57 378-10 202 93 317 369 342 820 4 64 11 117 16 117s9 5 9 10c0 6-28 10-65 10h-65zm-2250-106c0-3 10-15 23-25 22-20 22-20 0-7-19 11-34 6-122-36-55-26-105-45-110-41-14 8-14-16 1-65 12-37 38-56 38-27 0 7 21 23 48 36 100 49 182 102 176 114-5 8-3 8 7 0 19-18 29-16 29 6s-40 51-70 51c-11 0-20-3-20-6"/></g><g style="transform:none" fill="#6BB5FB"><path d="M1975 4101c-71-8-105-24-105-52 0-11-16-35-35-53-19-19-35-43-35-55 0-27-37-101-51-101-10 0-53-89-65-135-5-19-2-25 10-25 9 0 16-5 16-11s8-9 18-7c12 4 17-2 19-20 1-23-1-24-42-18-54 9-58 3-116-143-51-128-67-148-128-157-41-6-54-15-116-79-38-41-84-80-101-89-26-12-33-23-38-56-3-22-9-57-12-79-5-36-4-39 23-44 15-3 33-1 40 5 7 5 21 7 32 3 10-3 22-1 26 5 4 7 19 9 35 5 17-4 31-2 35 5s18 9 30 6c13-3 27-1 31 5s20 8 39 5c20-4 36-2 40 5 5 6 20 8 40 5 20-4 36-2 40 5 5 7 20 8 42 4 21-4 40-2 49 6 8 7 27 9 50 5 22-5 41-3 50 5 9 7 30 9 60 4q45-6 60 6c9 7 30 9 57 6 42-6 45-4 105 51l61 57-11 69c-10 58-16 72-43 93-30 24-31 26-21 73 6 31 6 63 0 87-8 34-14 39-54 51-25 8-51 16-59 18-11 3-11 7-1 19 11 13 8 15-15 15-16 0-37-8-47-17-24-21-63-9-91 29-17 23-19 32-9 52 6 14 23 33 38 42 25 17 28 17 56 1 16-9 36-17 44-17 9 0 14-11 14-35s5-35 15-35c8 0 15 7 15 15s5 15 10 15c6 0 10-7 10-15s7-15 15-15c11 0 15 11 15 36 0 28-5 37-21 41-20 6-21 11-15 66 3 33 6 68 6 77s12 22 26 29c23 10 25 16 23 62-3 45 0 53 27 74 16 13 39 24 52 25 18 0 22 6 22 34 0 46-23 51-165 37m1442-348c-4-3-7-21-7-40 0-18-14-75-31-127l-30-93 41-86c23-47 39-91 35-97-3-5-1-10 5-10s9-4 6-9 1-12 10-15c10-4 14-14 11-26-3-11-1-20 5-20 5 0 6-4 3-10-3-5-1-10 5-10s9-4 6-9 1-12 10-15c10-4 14-14 11-26-3-11-1-20 5-20 5 0 7-4 4-9-4-5-1-11 6-13 7-3 5-7-6-11-13-5-21 3-37 38-11 25-25 45-31 45-5 0-8 6-5 14 3 7-5 35-18 62-17 35-24 43-24 27-1-12 6-28 14-37 17-17 20-36 5-36-13 0-37-60-45-114l-7-45 41-7c39-6 41-9 41-40 0-19-2-34-5-34-2 0-22 9-44 21-22 11-50 19-63 17-20-3-23-10-26-52-2-27 2-61 8-77 15-35-1-69-32-69-12 0-33-11-48-25l-25-24-70 18c-39 10-80 23-92 29-12 7-43 12-69 12-45 0-51-3-110-62-46-47-65-75-74-108-7-24-23-67-37-94-23-45-25-57-18-116 9-84 9-105 1-165-7-45-4-58 33-132 26-55 56-97 90-129 38-36 51-55 51-76 0-40 22-88 59-130 30-35 31-37 11-43-36-12-42-39-35-161 7-101 10-116 28-126 20-11 116-6 150 7 34 14 17-24-23-51-36-24-40-31-40-69 0-40 2-42 50-65 28-13 62-39 76-57s31-33 38-33c8 0 26-16 40-35 15-20 40-38 58-43 28-7 33-14 43-57 18-79 30-95 72-95h35l-4 65-4 65h42c22 0 62-3 88-6l46-7v-53c0-68 13-70 101-11 95 63 145 115 153 159 6 35 4 41-30 70-70 62-76 119-17 180 26 27 26 31 7 126-5 27-3 32 13 32 18 0 18 4 6 103-6 56-12 105-12 110-2 12-58 8-70-6-6-8-14-28-17-45l-6-30-30 34c-23 26-38 34-63 34-35 0-34 1-71-95l-12-30-11 41c-15 57-40 77-91 72-37-3-40-2-40 22 0 15 6 33 13 42 13 17 96 78 106 78 4 0 12-13 18-30 9-25 17-30 45-30 18 0 53 11 78 24s64 29 88 35c36 10 41 15 37 34-72 332-136 566-213 782l-49 135 26 13c23 11 29 11 39 0 7-7 22-13 33-13s18-4 15-9c-6-9 36-31 60-31 8 0 12-5 9-10-4-6 7-13 24-16 17-4 28-10 25-15s8-12 25-15c17-4 28-10 25-15s8-12 25-15c17-4 28-10 25-15s8-12 25-15c17-4 28-10 25-15s4-9 16-9 18-4 15-10 4-10 16-10 19-3 16-7c-10-9 92-75 108-70 7 3 17 1 23-5s15-7 21-4c21 13 11 97-23 204-6 19-4 22 19 22 19 0 26 4 23 17-4 20-70 39-331 91-103 21-188 42-188 48 0 14 64 25 72 12 4-6 19-8 33-6 14 3 26 1 26-5 0-5 14-7 30-5 17 3 30 0 30-5s14-7 30-5c17 3 30 0 30-5s11-7 25-5c14 3 25 1 25-5 0-5 11-7 25-5 13 3 26 1 28-5 1-5 16-7 35-2 29 6 32 10 32 46 0 26-9 53-25 77-14 20-25 42-25 49s-6 13-12 13c-7 0-32 36-56 79-88 160-240 339-411 487-58 50-81 64-106 64-17 0-35-3-38-7m186-704c30-33 35-60 12-79-8-7-15-21-15-33 0-32-68-16-103 25-48 57-49 58-35 58 7 0 24 16 38 35 30 42 60 41 103-6m-163-1323c0-8 12-17 27-21l27-6-52-48c-29-26-52-54-52-62 0-11-10-14-40-11-23 2-40 9-40 16s-20 27-45 45c-37 26-85 79-85 93 0 1 59 4 130 6 106 2 130-1 130-12M1957 2950l-92-89 76-1c79 0 149 18 181 47 18 16 24 66 12 111-5 18-13 22-46 22-36 0-47-8-131-90m-182 64c-320-36-565-80-565-101 0-8-7-27-16-41-14-24-20-27-63-24-53 4-116-25-126-59-6-17-16-22-80-34-41-8-56-29-62-87-4-45-2-60 11-73 9-9 16-24 16-34 0-28 21-41 67-41h43v110h40c43 0 53 11 64 71 13 74 69 82 124 18 37-43 59-48 138-28 34 9 48 9 57 0 19-19 95-14 106 7s103 54 126 46c16-7 302 251 304 274 1 15-24 14-184-4"/><path d="M3614 2858c-4-6-2-14 4-16 7-2 10-8 6-13-3-5 0-9 6-9 7 0 10-7 6-15-3-8-1-15 5-15s9-7 5-15c-3-8-1-15 4-15s7-7 4-15c-4-8-1-15 5-15s8-7 5-15c-4-8-1-15 6-15 6 0 8-4 5-10-3-5-1-10 5-10 7 0 10-7 6-15-3-8-1-15 5-15s9-7 5-15c-3-8-1-15 5-15s9-7 5-15c-3-8-1-15 5-15s9-7 5-15c-3-8-1-15 5-15s8-9 4-20c-4-12-2-20 5-20s10-7 6-15c-3-8-1-15 5-15s9-7 5-15c-3-8-1-15 5-15s9-7 5-15c-3-8 0-15 5-15 6 0 9-9 6-20s-1-20 5-20 8-7 4-15c-3-8 0-15 5-15 6 0 9-9 6-20s-1-20 5-20c5 0 6-9 3-20-4-12-2-20 5-20s10-7 6-15c-3-8 0-15 5-15 6 0 9-9 6-20s-1-20 5-20 8-9 5-20-1-20 5-20 7-11 4-25c-4-15-2-25 4-25 7 0 9-8 5-20s-2-20 5-20 9-8 5-20-2-20 5-20c8 0 10-9 6-25-4-14-2-25 3-25s11-9 14-20c3-14 14-20 31-20 21 0 26-5 26-24 0-13 6-29 14-36 20-16 9-40-19-40-18 0-24-7-28-32-2-18 0-36 5-39 6-4 7-20 3-38-4-21-3-31 5-31s11-10 7-29c-4-16-2-31 2-33 7-2 19-54 21-90 0-13 30-9 30 5 0 11 103 57 129 57 15 0 25 28 55 148 44 171 57 300 54 504-3 157-1 188 11 190 19 4-79 81-234 185-132 88-353 223-366 223-4 0-11-5-15-12m729-403c7-14 20-25 30-25 11 0 21-9 24-20s13-20 22-20 22-5 29-12c9-9 12-5 12 20s-5 33-25 38c-14 3-25 12-25 19 0 15-22 25-55 25-21 0-22-2-12-25m-3326-3c-10-10-17-25-17-33s-5-20-12-27c-15-15-64-16-73-2-3 6-15 10-26 10-24 0-25-25-4-146 16-90 69-295 84-321 6-11 32 18 99 109 110 147 116 172 56 238-30 33-35 45-29 68 4 15 9 48 12 75l5 47h-39c-26 0-46-6-56-18m3233-31c0-40 1-41 35-41 32 0 35-2 35-30 0-29 1-30 48-30l47 1-31 27c-17 15-54 47-83 70l-51 44zm-3070-310c0-5-11-19-25-32-13-13-25-29-25-35 0-7-7-14-15-18-8-3-15-10-15-16 0-10-8-21-37-55-7-7-13-18-13-24s-4-11-10-11c-5 0-10-6-10-14s-7-17-16-20c-8-3-12-10-9-16 3-5 2-10-4-10-15 0 98-216 165-318 202-302 496-545 823-678 58-24 118-44 132-44 38 0 139 47 139 65 0 10 10 15 34 15 18 0 48 3 65 6 27 6 31 10 31 40s-5 36-60 66c-50 28-60 37-60 61 0 15-9 36-20 47s-20 29-20 39c0 11-13 29-30 41-23 17-30 29-30 56 0 24-5 37-17 41-10 3-25 12-33 19s-42 20-75 29-88 32-123 51c-34 19-76 34-92 34-47 0-76 56-89 171-6 51-16 99-23 106-8 7-42 16-77 19-63 7-63 7-81 50-16 36-26 45-59 55-23 7-41 16-41 21 0 4-22 8-50 8-38 0-50 4-50 15s12 15 45 15h45v44c0 42-3 46-44 70-30 17-59 26-89 26-40 0-48 4-83 45-38 44-54 54-54 36m3030-526c0-8-4-15-10-15-5 0-10-7-10-15s-4-15-10-15c-5 0-10-16-10-35s3-35 8-35c7 0 37 40 77 103l17 27h-31c-21 0-31-5-31-15"/></g><path d="M1953 4119c-33-16-43-27-43-45 0-17-6-24-20-24-16 0-20-7-20-35 0-26 3-33 15-29 15 6 19 17 16 41-2 14 33 35 43 26 3-3 6-1 6 5s6 9 13 7c7-3 32-2 57 3 25 4 56 5 70 1l25-7-27-1c-45-2-43-21 1-21h41v40c0 29-5 42-19 50-33 17-113 12-158-11m1607-78c-72-26-75-29-83-67-4-21-19-67-32-101-16-39-25-81-25-117 0-56 13-82 23-45l6 21 33-23c18-13 84-73 147-134 124-120 245-274 313-396 24-43 49-79 56-79 6 0 12-7 12-15s7-15 15-15 15 9 15 21c0 11 9 66 21 122 34 164 16 246-73 328l-52 48 3 75c2 63-1 78-17 94-11 11-25 21-31 23-7 3-19 35-27 72-9 37-19 67-24 67-4 0-10 11-14 23-9 39-100 117-135 117-16 0-35 2-43 4-7 3-47-7-88-23m495-1031c4-7 2-15-4-19-22-14 13-42 57-47 39-3 42-2 42 20 0 30-15 42-64 51-30 6-37 5-31-5m52-138c-11-2-16-9-13-18 3-8 17-57 31-110 21-74 24-98 15-109-18-22 28-37 128-43l82-5v37c0 38-67 193-91 212-22 16-89 33-106 27-8-3-18-2-22 3-3 6-14 8-24 6m-3004-19c-7-2-13-13-13-24 0-12 5-16 15-13 18 7 20-7 3-24-9-9-7-12 10-12 12 0 22-4 22-10 0-5 14-10 31-10 32 0 59 19 59 41 0 10-3 10-12 1-7-7-18-12-26-12-10 0-5 9 12 27 25 25 26 28 9 34-21 9-92 10-110 2m1987-77c0-9 7-16 15-16s15-4 15-9 14-9 30-9c26 1 30 5 28 22s-11 22-45 24-43 0-43-12m1180-251c0-2 56-50 125-105l125-100v32c0 42-39 91-95 118-25 12-45 26-45 31s-7 9-15 9-15 5-15 10c0 6-18 10-40 10s-40-2-40-5m-82-217c5-201-9-333-54-510-31-125-40-148-59-148-17 0-20-25-4-35 6-5-3-20-25-40-43-39-49-89-15-136 12-17 23-48 26-70s9-38 14-37c4 2 35 39 68 83s65 85 71 92c5 7 10 17 10 23 0 5 5 10 10 10 6 0 10 6 10 14s4 16 8 18c19 8 126 216 172 334 32 82 53 156 76 259l13 60-62 63c-34 34-69 62-79 62s-18 6-18 13c0 19-33 47-53 47-9 0-17 7-17 14 0 18-60 66-82 66-13 0-14-26-10-182m-3248 63c0-27 47-37 71-15 29 26 23 34-26 34-37 0-45-3-45-19m380-500c0-7-11-16-25-21-32-12-34-35-2-26 12 3 30 6 40 6 13 0 17 6 15 22-3 22-28 39-28 19m2523-636c20-18 25-28 18-37-65-79-100-128-91-128 6 0 36 19 66 42 42 33 54 49 54 70 0 18 5 28 15 28 22 0 19 27-4 40-11 5-35 10-53 10l-33-1z" style="transform:none" fill="#5C96D8"/><g style="transform:none" fill="#4466FB"><path d="M2230 4124c-30-2-78-6-107-10l-52-5 22-22 22-22-25-3c-14-2-43-18-65-36-39-33-40-34-27-70 16-45 12-53-40-66l-40-11 22-24c20-21 21-28 11-53-7-16-9-41-5-55 7-29-4-35-25-14-11 10-12 5-7-28 4-22 9-59 12-82 4-24 10-43 15-43 13 0 29 36 29 65 0 15 4 24 10 20 6-3 10-18 10-33 0-26 5-28 118-61 64-19 172-54 239-78l121-43 148 111c81 61 219 158 306 216l158 105-51 73-50 72-92 27c-184 52-465 82-657 70m-400-64c-60-15-210-70-294-109-65-30-96-53-158-117l-78-79 105-16c58-10 150-27 206-39 55-12 102-20 103-18 2 2 13 29 26 61 13 33 29 61 37 64 17 7 65 98 61 116-2 7 12 27 30 45 17 17 32 41 32 52s7 23 15 26c8 4 15 10 15 15 0 11-52 10-100-1m1780-5c-18-10-20-14-8-15 9 0 18-5 20-11 5-15 58 0 58 16 0 12-22 26-38 25-4-1-18-7-32-15m-540-71c0-15 43-74 53-74 20 1 49 28 42 39-3 6-15 11-26 11-10 0-19 7-19 15 0 9-9 15-25 15-14 0-25-3-25-6m724-74c0-11 6-20 13-20s13-7 13-15 5-15 10-15c6 0 10 16 10 35 0 30-3 35-23 35-16 0-23-6-23-20m-344-25c0-42 21-47 38-10s15 45-13 45c-22 0-25-4-25-35m-248-6-51-30 56-97c31-53 85-151 120-217s61-109 58-95c-4 15 6 62 24 115 16 50 32 122 36 160 6 66 5 71-17 84-13 8-57 36-99 62l-76 47zm-192-112c-168-105-480-323-480-336 0-3 41-21 90-39 134-49 424-174 599-258 85-41 158-74 162-74 5 0 11 12 15 28 3 15 14 51 25 80l19 52-100 198c-114 226-216 402-233 402-7 0-50-24-97-53m-1806-139c-124-169-226-387-284-611-22-84-26-107-15-103 8 3 81 20 163 37l148 32 12 38c7 21 12 50 12 64 0 18 9 29 33 41 17 8 64 48 102 89 62 64 75 73 116 79 60 9 77 29 123 145 21 52 48 115 61 140 14 24 23 46 22 47-9 9-381 64-435 64-6 0-33-28-58-62m2696 7c0-8-4-15-9-15s-7-9-4-20c9-35 33-24 33 15 0 19-4 35-10 35-5 0-10-7-10-15m-1886-96c-3-5 1-25 10-43 16-34 13-91-5-102-22-13-7-52 30-82 34-28 39-37 46-89 4-32 9-62 12-66 2-4 35 19 71 51 37 32 108 93 159 134l92 76-67 25c-37 13-123 41-192 61-69 21-130 39-137 41s-15 0-19-6m349-236c-65-53-150-124-188-158l-71-61 345 4c197 3 438-1 564-7 120-7 221-10 224-7 11 11-359 175-612 272-77 30-140 54-142 54-1 0-55-44-120-97m-65-253c-114-3-210-9-213-12-3-2 2-20 11-38 12-23 14-38 7-49-16-27-85-55-148-59-56-4-64-8-122-58-129-113-622-662-655-730-8-17-4-27 23-57 50-56 74-70 99-55 17 11 27 9 66-12 45-25 63-45 50-57-3-4-12-1-18 5-7 7-22 12-34 12-17 0-26-10-38-46-9-26-13-50-10-55s30-9 60-9 54-4 54-8c0-5 18-14 41-21 33-10 43-19 59-55 18-43 18-43 81-50 35-3 69-12 77-19 7-7 17-55 23-106 13-115 42-171 89-171 16 0 58-15 92-34 35-19 90-42 123-51s67-22 75-29 23-16 33-19c12-4 17-17 17-41 0-27 7-39 30-56 16-12 30-30 30-41 0-10 8-27 19-38 18-18 17-19-7-33-24-15-24-15 54-57 44-24 83-46 87-51 16-15-73-22-124-10-59 14-73 8-30-15 17-8 31-18 31-20 0-11-114-55-141-55-129 0 181-89 401-116 395-47 812 43 1155 250 45 27 55 37 42 42s-17 19-17 58v52l-67 12c-41 7-90 9-123 4-60-8-57-1-45-92 6-42 5-44-10-25-18 23-36 82-29 99 6 16-13 31-48 40-15 3-39 22-54 41-14 19-32 35-40 35-7 0-24 15-38 33s-48 44-76 57c-27 13-50 29-50 35 0 7 18 24 40 39 39 25 46 41 41 91-3 34-16 37-81 20-88-23-115-11-105 45 4 23 2 53-6 73-25 70 17 117 105 117 31 0 37-5 65-55 19-33 51-69 80-91 43-32 48-40 39-57-10-19-8-19 36-13 39 6 47 4 58-13 19-31 34-26 56 22 11 23 41 59 66 80 35 29 46 45 46 67 0 24-5 30-31 35-28 6-30 8-15 23 14 14 17 14 36-3 11-10 25-35 30-57 7-24 17-38 27-38 9 0-9-24-45-57-48-45-63-66-68-96-6-38-6-39 22-35 24 2 29 8 32 35 3 33 22 52 81 85 27 15 31 23 31 57 0 22 10 60 23 85l23 46 29-30 29-30-23-24c-30-32-19-48 33-46 79 3 76 6 76-57 0-32 5-65 10-73 6-10 4-20-7-32-15-17-14-18 16-18 18 0 46 7 62 16 28 14 33 14 75-6 24-12 44-26 44-31s14-9 31-9h30l-20 29c-12 16-21 32-21 35 0 4 16 22 35 42 40 40 55 81 34 95-17 11-47 7-114-18-49-18-50-19-47-56 3-35 2-37-27-37-30 0-31 2-31 43 0 52-5 59-58 86-41 21-43 24-36 54 12 56 24 79 44 84 23 6 24 21 6 113l-13 65-38-2c-22-2-66-16-100-32-55-27-61-28-72-14-7 9-13 29-13 45s-5 28-13 28c-7 0-48-23-90-51-79-52-84-59-89-134l-3-40-93-8c-87-8-95-7-150 18-36 17-70 25-94 23-30-2-44 4-68 27-37 36-70 102-70 141 0 23-12 41-51 78-34 32-63 73-88 126-36 74-37 80-28 129 8 37 7 67-2 114-12 62-12 67 12 113 14 27 30 69 37 93 13 49 108 157 146 167 12 3 35-1 52-10 16-8 49-18 73-22s56-13 71-20c39-20 53-18 91 16 19 17 44 30 56 30 13 0 26 11 37 32 16 30 16 36-1 85-15 43-16 58-6 79 6 15 10 28 9 29-12 11-758 50-828 43-8-1-108-4-222-8m1755-45c7-14 19-25 28-25 8 0 20-5 27-12 9-9 12-5 12 19 0 32-14 43-55 43-21 0-22-2-12-25m-3013-116c-85-22-156-41-157-43-2-1-6-37-10-80l-6-78 39 17c21 10 46 19 54 20 8 2 27 6 42 9 15 4 29 15 33 25 7 22 56 54 99 65 21 5 31 3 40-10 11-15 15-13 39 16q27 31.5 27 66c0 44-4 44-200-7m718-40-5-29 24 22c28 26 28 24 4 31-15 4-20-2-23-24"/><path d="M1102 2787c-12-13-25-38-28-57-12-61-19-69-64-63l-40 6v-62c0-43-4-61-13-61-18 0-37 21-37 41 0 22-26 49-47 49-14 0-15-17-11-130 4-109 8-133 24-151 14-16 25-19 49-14 16 4 39 8 51 9 29 3 44 15 44 35s37 58 46 48c3-3-2-26-11-51-22-56-15-88 31-138 36-40 41-57 23-90-6-12-7-24-2-29s38 27 80 78c95 118 241 283 390 440l122 130-49 2c-60 2-139-24-162-52-15-19-19-20-41-8-16 9-44 12-76 9-45-5-51-3-51 14 0 11-4 16-10 13-5-3-10-15-10-26 0-10-4-19-9-19-14 0-71 69-71 85 0 12-4 13-19 3-15-9-25-9-46 0-35 16-38 16-63-11m3182-87c0-11 5-20 10-20s7-3 3-6c-6-6 23-44 35-44 9 0 11 52 2 74-9 24-50 21-50-4m-149-69c-3-5 9-21 27-35 32-25 33-25 36-5 2 11 1 27-2 35-6 16-52 19-61 5m-57-108c-14-27-40-91-56-143-85-267-97-310-91-310 12 0 107 165 114 199 4 18 23 68 43 110 28 58 37 89 37 130 0 30-5 56-11 58s-22-18-36-44m207-13c3-5 13-10 21-10s12-4 9-10c-3-5-1-10 4-10 19 0 26-3 36-15 6-7 20-16 33-20 19-5 22-3 22 19 0 16-7 27-20 31-11 3-20 11-20 16s-21 9-46 9c-27 0-43-4-39-10m15-375c0-8-5-15-12-15-6 0-9-3-5-6 3-3-3-16-14-28l-20-21 27-3c15-2 31 2 35 10 12 18 11 78-1 78-5 0-10-7-10-15m-46-111c3-9 6-18 6-20s9 1 20 8c27 17 25 28-6 28-20 0-25-4-20-16m-342-42c-24-2-32-7-28-18 3-8 11-43 17-79 9-52 15-65 29-65 11 0 22-4 25-10 11-18 21-11 38 25 22 46 21 58-3 80-11 10-20 28-20 40 0 26-12 32-58 27"/></g><path d="M2510 4389c-387-44-745-203-1037-461-45-40-82-78-83-85 0-6 51 14 113 46 113 58 247 111 346 137 29 7 75 27 101 44 60 39 103 47 133 27 20-13 43-14 143-7 212 14 465-14 659-75 91-28 105-30 105-13s-124 177-230 296c-103 115-86 109-250 91m255 0c4-5 46-59 94-119s124-162 168-227c50-75 87-119 99-120 10-1 80 32 154 73 75 41 180 94 234 118l98 45-83 42c-190 95-405 159-618 184-150 18-154 18-146 4m915-309c-19-5-51-15-70-23l-34-15 58-7c48-6 66-14 99-44 55-50 85-100 102-173 8-35 20-65 26-67s20-12 31-23c20-20 21-40 2-120-5-24 1-35 48-80 103-100 118-148 88-290-33-157-25-188 69-265 39-31 69-45 124-58 39-10 121-33 180-52 60-19 110-33 113-31 2 2-6 48-17 101-56 278-193 565-375 788-74 91-234 244-326 312-42 31-78 57-80 56s-19-5-38-9m-280-103c-148-68-170-80-170-92 0-11 190-135 207-135 7 0 45 111 42 126 0 4 5 10 11 14 14 9 27 130 14 130-5 0-52-20-104-43m859-1219c27-51 52-103 56-115 6-20 3-23-24-23-16 0-52 5-80 12-57 13-67 9-52-21 11-20 131-111 146-111 23 0 151-101 178-139 22-33 32-40 38-29 12 22 22 247 15 330l-8 76-51 22c-84 35-237 90-252 90-10 0 0-28 34-92m196-540c-27-21-29-21-57-5-39 22-48 22-80-8-21-20-26-31-22-53 4-21-1-36-20-59-42-50-30-101 17-70 12 8 33 36 47 63 24 47 27 49 67 49 48 0 90 33 95 74 4 32-13 36-47 9m-383-615c-5-16-13-36-17-45-10-26 12-22 40 7 30 29 33 65 6 65-12 0-23-11-29-27m-224-99c-38-20-35-34 7-34 31 0 35 3 35 25 0 29-5 30-42 9" style="transform:none" fill="#415FD8"/><path d="M2403 4789c-42-8-101-54-114-86-35-92 29-200 129-219 41-8 110 17 142 51 33 35 39 137 11 182-36 57-104 86-168 72m-624-1068c-53-54-35-147 35-176 40-17 84-9 118 22 33 32 42 66 28 109-26 77-124 101-181 45m1714-620c-40-25-53-49-53-100 0-31 7-49 29-73 26-29 36-33 80-33 41 0 55 5 79 28 36 35 46 78 28 120-29 69-103 96-163 58M443 2903c-87-48-110-167-48-241 29-35 99-57 149-48 71 13 127 85 128 161 2 105-133 181-229 128m4366-195c-75-20-121-107-99-188 14-51 75-106 129-115 149-25 237 157 128 263-18 18-49 37-68 42-39 11-41 11-90-2m-953-1201c-62-36-81-69-81-137 0-66 18-99 75-137 74-51 191-9 225 81 33 85 6 158-71 196-52 26-99 25-148-3M1279 985c-15-8-34-32-43-56-16-39-16-43 1-78 24-48 84-71 133-51 57 24 90 111 58 152-39 47-99 60-149 33" style="transform:none" fill="#384E85"/></svg>
\ No newline at end of file
diff --git a/apps/docs/static/img/screenshots/access_policy.png b/apps/docs/static/img/screenshots/access_policy.png
new file mode 100644
index 00000000..8188fc51
Binary files /dev/null and b/apps/docs/static/img/screenshots/access_policy.png differ
diff --git a/apps/docs/static/img/screenshots/basic_auth.png b/apps/docs/static/img/screenshots/basic_auth.png
new file mode 100644
index 00000000..bc28c915
Binary files /dev/null and b/apps/docs/static/img/screenshots/basic_auth.png differ
diff --git a/apps/docs/static/img/screenshots/custom_content.png b/apps/docs/static/img/screenshots/custom_content.png
new file mode 100644
index 00000000..551bc086
Binary files /dev/null and b/apps/docs/static/img/screenshots/custom_content.png differ
diff --git a/apps/docs/static/img/screenshots/rate_limiting.png b/apps/docs/static/img/screenshots/rate_limiting.png
new file mode 100644
index 00000000..0bb1a035
Binary files /dev/null and b/apps/docs/static/img/screenshots/rate_limiting.png differ
diff --git a/apps/docs/static/img/screenshots/redirect.png b/apps/docs/static/img/screenshots/redirect.png
new file mode 100644
index 00000000..00e43c4e
Binary files /dev/null and b/apps/docs/static/img/screenshots/redirect.png differ
diff --git a/apps/docs/static/img/server.svg b/apps/docs/static/img/server.svg
new file mode 100644
index 00000000..6cc1d5ad
--- /dev/null
+++ b/apps/docs/static/img/server.svg
@@ -0,0 +1 @@
+<svg class="img-fluid" xmlns="http://www.w3.org/2000/svg" style="transform:matrix(.60113,0,0,.60113,0,0);transform-origin:50% 50%;cursor:move;max-height:363.94px;transition:transform 200ms ease-in-out" width="512" height="512" viewBox="470 481.759 4190 4178.241"><path d="m492 4644-22-15v-388c0-363 1-389 18-404 16-14 44-17 180-17h162v-569c0-527 1-570 17-590l18-22 695 1h695l17-48c30-83 120-167 201-187l27-7-2-417-3-416-920-5c-919-5-920-5-960-27-52-28-89-68-114-123-19-42-21-65-21-391V672l28-53c31-61 93-113 151-129 26-7 648-9 1922-8 1835 3 1885 4 1923 22 47 24 98 75 123 124 16 33 18 71 21 372 2 224-1 348-8 375-18 64-71 129-131 159l-53 26H2630v835l58 25c71 31 133 93 163 165l23 55h700l701-1 17 22c17 20 18 63 18 590v569h159c154 0 160 1 175 22 14 19 16 74 16 399v378l-26 20c-26 20-38 21-391 21-361 0-394-3-415-34-4-6-8-182-8-392 0-356 1-382 18-397 16-14 43-17 175-17h157V2770h-980v1050h158c141 0 161 2 175 18 15 17 17 59 17 400 0 369-1 383-20 402s-33 20-395 20h-376l-24-25-25-24v-373c0-322 2-377 16-396 15-21 21-22 180-22h164V2770h-189l-24 53c-34 74-79 121-149 157-115 57-246 37-342-51-37-34-62-67-77-104l-23-55h-176v1050h153c136 0 156 2 170 18 15 17 17 59 17 405v386l-22 15c-19 14-74 16-396 16h-373l-25-25-25-25 3-379c2-295 6-383 16-393 9-9 62-14 180-18l167-5 3-522 2-523H960l2 523 3 522 140 2c77 2 149 5 161 8 41 9 44 38 44 421v365l-25 24-24 25H888c-322 0-377-2-396-16m686-406 2-288H600v580l288-2 287-3zm1112 2v-290l-287 2-288 3-3 275c-1 151 0 280 3 287 3 10 69 13 290 13h285zm1120 0v-290h-580v580h580zm1120 0v-290h-580v580h580zM2633 2866c44-18 95-78 103-121 27-145-100-260-231-211-48 19-101 72-111 112-12 46 1 129 25 163 45 63 140 88 214 57m1825-1456c59-36 62-56 62-392 0-341-3-357-70-390-33-17-144-18-1891-18H703l-34 23c-59 40-59 40-57 401l3 328 39 34 39 34h1866c1854 0 1866 0 1899-20" style="transform:none" fill="#212121"/><path d="M687 4398c-28-22-32-73-8-97 20-20 31-21 206-21 172 0 186 1 205 20 24 24 26 57 4 88-15 21-20 22-203 22-134 0-192-4-204-12m1113-8c-11-11-20-31-20-45s9-34 20-45c19-19 33-20 205-20 177 0 185 1 205 22 25 28 26 62 0 88-19 19-33 20-205 20s-186-1-205-20m1117 2c-25-27-22-78 5-96 18-13 56-16 204-16h183l20 26c12 15 21 32 21 39s-9 24-21 39l-20 26h-188c-169 0-190-2-204-18m1120 0c-22-25-21-75 1-95 16-15 45-17 198-17 204 0 224 6 224 64 0 62-14 66-222 66-166 0-187-2-201-18M676 4168c-23-33-19-64 10-87 25-19 40-21 199-21s174 2 199 21c31 24 35 68 8 92-16 15-46 17-210 17-186 0-191-1-206-22m1120 0c-23-33-19-64 10-87 25-19 40-21 199-21s174 2 199 21c29 23 33 54 10 87-15 21-20 22-209 22s-194-1-209-22m1121 4c-24-26-21-67 5-92 20-19 34-20 200-20 178 0 179 0 204 26 20 19 24 31 19 52-11 49-25 52-225 52-168 0-189-2-203-18m1120 0c-25-27-22-78 5-96 18-13 55-16 198-16 200 0 220 6 220 64 0 62-14 66-222 66-166 0-187-2-201-18M1094 1276c-58-27-114-81-140-134-28-57-31-178-6-234 66-150 237-214 384-144 61 29 106 75 138 142 29 59 27 163-4 229-67 142-234 205-372 141m182-122c74-35 107-144 65-212-80-126-281-75-281 73 0 116 112 188 216 139m2590 64c-13-18-16-56-16-204 0-193 1-199 53-217 19-7 56 8 69 27 4 6 8 95 8 197 0 168-2 188-18 202-27 25-78 22-96-5m221 4c-15-16-17-45-17-204 0-171 1-186 20-203 25-22 65-22 90 0 19 17 20 32 20 205 0 168-2 189-18 203-25 22-75 21-95-1m-2171-164c-22-32-20-55 9-84l25-24 676 2c656 3 676 4 690 22 19 27 18 70-4 89-17 16-80 17-700 17h-681z" style="transform:none" fill="#66BB6A"/></svg>
\ No newline at end of file
diff --git a/apps/docs/static/img/svgviewer-output.svg b/apps/docs/static/img/svgviewer-output.svg
new file mode 100644
index 00000000..e0265185
--- /dev/null
+++ b/apps/docs/static/img/svgviewer-output.svg
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Generator: Adobe Illustrator 18.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+
+<!-- License: CC0. Made by SVG Repo: https://www.svgrepo.com/svg/57786/bricks -->
+
+<svg
+   version="1.1"
+   id="Capa_1"
+   x="0px"
+   y="0px"
+   viewBox="0 0 405.99999 406.00298"
+   xml:space="preserve"
+   sodipodi:docname="svgviewer-output.svg"
+   width="406"
+   height="406.00299"
+   inkscape:version="1.1.2 (0a00cf5339, 2022-02-04)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><defs
+   id="defs868" /><sodipodi:namedview
+   id="namedview866"
+   pagecolor="#505050"
+   bordercolor="#eeeeee"
+   borderopacity="1"
+   inkscape:pageshadow="0"
+   inkscape:pageopacity="0"
+   inkscape:pagecheckerboard="0"
+   showgrid="false"
+   fit-margin-top="0"
+   fit-margin-left="0"
+   fit-margin-right="0"
+   fit-margin-bottom="0"
+   inkscape:zoom="2.4454397"
+   inkscape:cx="197.51049"
+   inkscape:cy="112.65868"
+   inkscape:window-width="1920"
+   inkscape:window-height="1016"
+   inkscape:window-x="0"
+   inkscape:window-y="27"
+   inkscape:window-maximized="1"
+   inkscape:current-layer="Capa_1" />
+<path
+   d="m 363.606,42.4 c -2.813,-2.813 -6.629,-4.393 -10.607,-4.393 L 203.28,38.014 C 203.186,38.013 203.095,38 203,38 c -0.095,0 -0.187,0.013 -0.281,0.014 l -149.72,0.008 c -8.284,0 -14.999,6.716 -14.999,15 v 299.981 c 0,8.284 6.716,15 15,15 h 300 c 8.284,0 15,-6.716 15,-15 V 53.007 c 0,-3.979 -1.58,-7.794 -4.394,-10.607 z M 68,237.994 v -70.006 h 50 v 70.006 z m 80,0 v -69.996 h 110 v 69.996 z m 140,-70.006 h 50 v 70.006 h -50 z m 50,-30 H 218 V 68.014 L 338,68.008 Z M 188,68.015 v 69.974 H 68 V 68.021 Z M 68,267.994 h 64.923 c 0.026,0 0.051,0.004 0.077,0.004 h 55 v 70.004 H 68 Z m 150,70.008 v -70.004 h 55 c 0.026,0 0.051,-0.004 0.077,-0.004 H 338 v 70.008 z"
+   id="path863" />
+</svg>
diff --git a/apps/docs/static/llms-full.txt b/apps/docs/static/llms-full.txt
index d825b0d1..e762b945 100644
--- a/apps/docs/static/llms-full.txt
+++ b/apps/docs/static/llms-full.txt
@@ -1,9 +1,3 @@
-----------------------------------------
-
-# Bun > How To > Access
-
-
-
 ----------------------------------------
 
 # Bun > How To > Build Pipeline
@@ -375,7 +369,7 @@ The os version is fixed and cannot be customised.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Bun service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Bun service](access).
+For example, to connect to a Bun service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Bun service](/features/access).
 Each port has following attributes:
 | parameter   | description                                                                                                                                                                                                                                                                                                            |
 | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -1352,12 +1346,6 @@ When you exceed the resources included in your project core plan, the following
 ## Pricing Calculator
 Use our pricing calculator to estimate your monthly costs based on your specific needs:
 
-----------------------------------------
-
-# Deno > How To > Access
-
-
-
 ----------------------------------------
 
 # Deno > How To > Build Pipeline
@@ -1723,7 +1711,7 @@ The os version is fixed and cannot be customised.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Deno service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Deno service](/deno/how-to/access).
+For example, to connect to a Deno service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Deno service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
 | parameter   | description                                                                                                                                                                                                                                                                                                            |
 | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -2673,12 +2661,6 @@ Docker services on Zerops have specific scaling characteristics that differ from
 - Implement proper health checks for reliable scaling
 - Use horizontal scaling when possible to avoid VM restarts
 
-----------------------------------------
-
-# Dotnet > How To > Access
-
-
-
 ----------------------------------------
 
 # Dotnet > How To > Build Pipeline
@@ -3044,7 +3026,7 @@ The os version is fixed and cannot be customised.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a .NET service with hostname = "app" and port = 5000 from another service of the same project, simply use `app:5000`. Read more about [how to access a .NET service](/dotnet/how-to/access).
+For example, to connect to a .NET service with hostname = "app" and port = 5000 from another service of the same project, simply use `app:5000`. Read more about [how to access a .NET service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
   
       Parameter
@@ -3779,12 +3761,6 @@ services:
 - [Elasticsearch Official Documentation](https://www.elastic.co/guide/index.html)
 - [Available Elasticsearch Plugins](https://www.elastic.co/guide/en/elasticsearch/plugins/current/index.html)
 
-----------------------------------------
-
-# Elixir > How To > Access
-
-
-
 ----------------------------------------
 
 # Elixir > How To > Build Pipeline
@@ -4152,7 +4128,7 @@ The os version is fixed and cannot be customised.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Elixir service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Elixir service](/elixir/how-to/access).
+For example, to connect to a Elixir service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Elixir service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
 | parameter   | description                                                                                                                                                                                                                                                                                                            |
 | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -4781,137 +4757,82 @@ Have you build something that others might find useful? Don't hesitate to share
 
 # Features > Access
 
-export const languages = [
-    { name: "Bun", link: "/java/how-to/build-pipeline#ports" },
-    { name: "Deno", link: "/go/how-to/build-pipeline#ports" },
-    { name: ".NET", link: "/dotnet/how-to/build-pipeline#ports" },
-    { name: "Elixir", link: "/php/how-to/build-pipeline#ports" },
-    { name: "Gleam", link: "/dotnet/how-to/build-pipeline#ports" },
-    { name: "Go", link: "/go/how-to/build-pipeline#ports" },
-    { name: "Java", link: "/java/how-to/build-pipeline#ports" },
-    { name: "Node.js", link: "/nodejs/how-to/build-pipeline#ports" },
-    { name: "PHP", link: "/php/how-to/build-pipeline#ports" },
-    { name: "Python", link: "/python/how-to/build-pipeline#ports" },
-    { name: "Rust", link: "/rust/how-to/build-pipeline#ports" },
-]
-Zerops provides three ways to make your application accessible from the internet:
-- [Zerops subdomain](#public-access-through-zerops-subdomain) - ideal for testing and development
-- [Custom domain](#public-access-through-your-domain) - recommended for production deployments
-- [Direct port access](#opening-public-ports) - for non-HTTP protocols and specialized use cases
-Each method serves different needs and comes with its own configuration options.
+Zerops provides multiple ways to access your services, whether you need internal communication between services, secure access from your development machine, or public access from the internet.
 :::note
-By default, your runtime service is not publicly accessible until you configure one of these methods.
-:::
-## Public Access Through Zerops Subdomain
-For development and testing purposes, Zerops offers a quick way to make your application accessible through a `.zerops.app` subdomain. This option requires minimal configuration and includes automatic SSL certificate management.
-### Configuration Steps
-1. Navigate to your service detail page in Zerops GUI
-2. Select **Public access & internal ports** from the left menu
-3. Toggle the **Zerops subdomain access** switch
-  
-Once enabled, Zerops assigns a unique subdomain for your application. If you've defined multiple [internal ports](/zerops-yaml/specification#ports-) with HTTP support in your `zerops.yaml`, each port receives its own unique `.zerops.app` subdomain.
-### Technical Details
-When using Zerops subdomains:
-- Access your application using the `https://` protocol (Zerops automatically manages SSL certificates)
-- Traffic flows through a central HTTP balancer that:
-  - Terminates SSL connections
-  - Forwards requests to your application via HTTP
-  - Handles all security certificates
-:::warning Production Limitations
-- The central HTTPS balancer is shared across all Zerops projects, which creates a scalability bottleneck
-- Maximum upload size is limited to 50MB
-- Not recommended for production traffic
-:::
-## Public Access Through Your Domain
-When your application is ready for production or you need to test with your actual domain, configure custom domain access. This method provides better performance, scalability, and full control over your domain settings.
-  
-### IP Address Configuration
-Before setting up domain access, you'll need public IP addresses. Zerops offers the following IP options:
-#### IPv4 Options
-##### Dedicated IPv4 Address ($3/30 days)
-- Dedicated to your project and shared across all project services
-- One IPv4 address per project limit
-- Protects against blacklisting risks associated with shared IPs
-- Subscription automatically renews every 30 days *(cannot be purchased with promo credit)*
-    - Fee is non-refundable but address can be reused in another project until subscription ends
-- **Recommended for production workloads**
-##### Shared IPv4 Address (Free)
-- Available at no cost
-- Shared across all Zerops users and their projects
-- Limitations:
-  - Restricted number of open connections
-  - Shorter connection timeouts
-- **Not recommended for production use**
-#### IPv6 Address (Free)
-- Dedicated to your project and shared across all project services
-- One IPv6 address per project limit
-- Automatically activated with first domain setup
-- Available for all projects at no additional cost
-:::tip
-Since IPv6 support is not universal, using both IPv4 and IPv6 is recommended for maximum accessibility.
-:::
-### Configuring HTTP Routing
-To set up domain access:
-1. Go to your service detail in Zerops GUI and select **Public access & internal ports**
-2. Click **Setup first domain access**
-3. Configure your domain settings:
-   - Enter domain names (e.g., `mydomain.com`, `app.mydomain.com`)
-   - Add multiple domains if needed (useful for multi-language sites)
-   - Choose SSL certificate management
-4. Define routing rules:
-   - Source: The public path (the part of URL after your domain)
-   - Destination: Choose which application and internal port receives the traffic
-   - Add multiple routing configurations as needed
-All settings can be modified later as your needs change.
-### DNS Configuration
-After setting up domain access in Zerops, you'll need to configure your DNS records with your domain registrar.
-:::tip DNS Provider Guides
-- **Cloudflare users**: Follow our [Cloudflare DNS Configuration Guide](/features/cloudflare) for step-by-step Cloudflare-specific instructions
-- **Other providers**: Use the [general DNS and Proxy Configuration Guide](/features/dns) for universal DNS setup instructions
-:::
-### HTTPS Configuration
-When using Let's Encrypt certificates (recommended):
-#### Certificate Management
-- Zerops handles all certificate installation and renewal
-- Certificates are free of charge
-- No manual certificate management required
-#### Traffic Flow
-1. Traffic arrives at your public IPv4/IPv6 addresses
-2. Requests route through your project's dedicated HTTPS balancer
-3. SSL termination occurs at the balancer level
-4. Internal traffic uses HTTP protocol for optimal performance
-#### Balancer Architecture
-- Deployed in two containers for redundancy
-- Scales vertically based on traffic demands
-- Cannot be directly modified
-- Included free of charge
-## Opening Public Ports
-For applications requiring direct port access or non-HTTP protocols, Zerops provides flexible port configuration options.
-:::important
-Currently, direct public port access is only available for runtime services and PostgreSQL databases.
+By default, your services are not publicly accessible until you configure external access. Internal communication between services within the same project works automatically.
+:::
+## How Zerops Networking Works
+Every Zerops project includes a **shared networking infrastructure** that handles all access methods:
+**Private Project Network:**
+- All services within a project share a dedicated private network
+- Services communicate directly using hostnames and internal ports
+- Traffic stays isolated within your project
+**Public Access Infrastructure:**
+- **Core (L3) Balancer** manages IP addresses and direct port access
+- **L7 HTTP Balancer** handles domain routing and SSL termination
+  - Can be extensively configured for advanced routing, performance optimization, and custom behaviors
+  - See the [L7 Balancer Configuration Guide](/references/networking/l7-balancer-config) for detailed options
+- Both are shared across all services in your project
+**Secure External Access:**
+- **Built-in VPN** provides secure tunnel access to your project's private network
+- Useful for development, debugging, and administration
+## Internal Access
+:::tip Complete Internal Access Setup
+See the [Internal access reference guide](/references/networking/internal-access).
+:::
+Services within the same project can communicate directly using hostnames and internal ports. No additional configuration required.
+**Example:** Connect to your `api` service on port 3000:
+```
+http://api:3000
+```
+**Key points:**
+- Use service hostname as the address
+- Use HTTP (not HTTPS) for internal communication
+- Access internal ports defined in your service configuration
+- Communication is automatically isolated from other projects
+### Environment Variables
+Zerops automatically creates environment variables to help with internal connections between services.
+## VPN Access
+:::tip Complete VPN Setup
+See the [VPN reference guide](/references/networking/vpn).
 :::
-  
-### Port Configuration
-1. Navigate to service detail page in Zerops GUI
-   - For runtime services select **Subdomain & domain & IP access**
-   - For PostgreSQL select **Direct access through IP address**
-2. Configure your port settings:
-   - Either **Setup first access through IPv6** or activate **Unique IPv4 add-on** (if needed)
-   - Choose any port from 10-65435 (except 80 and 443)
-   - Select destination service and internal port
-   - Each public port can be mapped to any internal service port
-   - Multiple public ports can point to the same internal port if needed
-   - Port configurations can be set independently for IPv4 and IPv6
-### Firewall Configuration
-Optionally secure your ports with firewall rules:
-1. Enable firewall for specific ports
-2. Choose policy type:
-   - **Blacklist**: Block specific IPs/ranges
-   - **Whitelist**: Allow only specific IPs/ranges
-3. Configure IP rules:
-   - Single IP format affects only the specific IP
-   - IP range format affects all IPs in that CIDR range
- 
+Connect securely to your project's internal network from your local machine:
+```bash
+# Connect to your project
+zcli vpn up 
+# Access services using internal hostnames
+curl http://api:3000/health
+# Disconnect when done
+zcli vpn down
+```
+## Public Access
+:::tip Complete Public Access Setup
+See the [Public access reference guide](/references/networking/public-access).
+:::
+Make your services accessible from the internet using one of three methods:
+### Zerops Subdomain
+**Best for:** Development and testing
+- Quick setup with automatic `.zerops.app` subdomains
+- Each service gets its own unique subdomain
+- Automatic SSL certificate management
+- Shared infrastructure (has limitations for production use)
+### Custom Domain
+**Best for:** Production deployments
+- Use your own domain names
+- Better performance with dedicated balancer
+- Full control over SSL and routing
+- Requires DNS configuration
+### Direct Port Access
+**Best for:** Non-HTTP protocols and specialized use cases
+- Direct access to specific ports on your services
+- Supports any protocol (TCP/UDP)
+- Optional firewall configuration
+- Uses your project's IP addresses
+## Next Steps
+- **Internal access setup:** [Internal Access Reference Guide](/references/networking/internal-access)
+- **Public access configuration:** [Public Access Reference Guide](/references/networking/public-access)
+- **VPN setup and troubleshooting:** [VPN Reference Guide](/references/networking/vpn)
+- **Advanced routing and SSL:** [L7 Balancer Configuration Guide](/references/networking/l7-balancer-config)
 
 ----------------------------------------
 
@@ -5355,9 +5276,10 @@ Access the storage CDN URL via the `storageCdnUrl` **project** environment varia
 ### Static Mode
 Ideal for caching and delivering static website assets like HTML, CSS, JavaScript, and images served from your custom domains.
 **Setup process:**
-1. Configure domain access for your service
-2. Ensure your domains are DNS-verified and have active SSL certificates
-3. Enable CDN for the domain group
+1. Configure domain access for your service through the L7 HTTP Balancer section
+2. Access domain settings via the **three dots menu** or **gear icon** next to your domain entry
+3. In the "Project Domain Access Modification" dialog, enable the **"Enable CDN for static files"** toggle
+4. Optionally enable "Automatically install SSL Certificates" if not already configured
 **Accessing content:**
 ```txt
 https://static.cdn.zerops.app/your-domain.com/path/to/file
@@ -5508,1838 +5430,1459 @@ Remember that only publicly accessible objects will be cached by the CDN. Privat
 
 ----------------------------------------
 
-# Features > Cloudflare
+# Features > Container Vs Vm
 
-This guide provides step-by-step instructions for configuring Cloudflare to work with your Zerops applications, covering DNS records, proxy settings, SSL/TLS configuration, and common troubleshooting scenarios.
-## Prerequisites
-Before starting, ensure you have:
-- A Cloudflare account
-- A registered domain name
-- Access to your Zerops project with [domain access configured](/features/access#public-access-through-your-domain)
-- Your Zerops IP addresses (IPv4 and/or IPv6) from the Zerops GUI
-## DNS Record Configuration
-Configure your DNS records in Cloudflare using one of these approaches based on your needs:
-### With Cloudflare Proxy
-#### IPv6 only
-```bash
-Type    Name              Content                Proxy status   TTL
-AAAA             Proxied        Auto
-```
-Cloudflare handles IPv4 to IPv6 translation, making your service accessible to both IPv4 and IPv6 users. Uses Zerops' free dedicated IPv6 address.
-:::note
-Do not add a proxied A record with shared IPv4 when using this setup, as it would prevent proper IPv4 traffic routing.
+Ever wondered why container technologies like Docker took over the development world so quickly? Let's break down the real differences between traditional VMs and containers - and why you might want to use one over the other.
+## Key Distinctions
+**Containers** are like lightweight packages that contain just your app and what it needs to run, sharing resources with your main system.
+**Virtual Machines** are like having a whole computer inside your computer. Complete with its own operating system, memory, and everything else.
+### Why Developers Love Containers
+#### They're Fast
+- Start up in seconds (not minutes)
+- Take up way less space
+- You can run many more of them on the same hardware
+#### They're Consistent
+- Works on your machine? Will work on everyone's machine
+- No more "but it works locally" problems
+- Same environment from development to production
+#### They're Simple
+- Easy to share with your team
+- Quick to update and modify
+- Less configuration headaches
+### When VMs Still Make Sense
+Sometimes you actually want a full computer-within-a-computer:
+- You need to run a completely different operating system
+- You're dealing with legacy applications that need specific system configurations
+- You require maximum isolation for security reasons
+### Real-World Comparison
+Think of it like this:
+- **Containers** are like apartments in a well-managed building (shared infrastructure, efficient, but with some limitations)
+- **VMs** are like having your own house (complete control, but with more overhead)
+## Containers and VMs in Zerops
+### Why Zerops Uses Both
+At Zerops, we use **containers** as our primary runtime environment - they're fast, efficient, and perfect for most modern development workflows. We've optimized our container infrastructure to handle nearly every type of application you might need to run.
+However, we also provide **VMs** when you need them, particularly for Docker-based workloads where the additional isolation is essential. Docker containers are a special case - on Zerops, they actually need to run inside VMs for proper security and isolation. While it's technically possible to run Docker in containers using privileged mode, this creates security vulnerabilities.
+### When to Use What
+  
+    Go with Containers when:
+  
+        Building modern web applications
+      
+        Working with microservices
+      
+        Need quick deployment and vertical scaling
+      
+        Want efficient resource usage
+      
+    Consider VMs when:
+  
+        Running legacy applications
+      
+        Need complete OS isolation
+      
+        Require specific hardware access
+      
+        Need to run Docker containers
+      
+### Resource Allocation
+Both containers and VMs in Zerops can have guaranteed resources:
+- Specific CPU cores
+- Dedicated memory
+- Controlled disk space
+The difference isn't in resource guarantee capabilities, but rather in how these resources are managed and isolated.
+## The Bottom Line
+For most modern development work, containers are the way to go. They're faster, more efficient, and easier to work with. VMs still have their place, but unless you have a specific reason to use them, containers will usually make your life easier.
+*Remember: The goal is to spend less time managing infrastructure and more time building great applications. Choose the tool that lets you do that most effectively.*
+:::tip Pro Tip
+Not sure which to choose? Start with containers. You can always switch to VMs if you discover you need them for specific use cases.
 :::
-#### Dedicated IPv4
-```bash
-Type    Name              Content                Proxy status   TTL
-A              Proxied        Auto
-# Optional
-AAAA             Proxied        Auto
-```
-Uses your dedicated IPv4 address with Cloudflare's proxy features.
-:::tip
-Adding the AAAA record allows visitors with IPv6 support to connect directly via IPv6.
+
+----------------------------------------
+
+# Features > Debug Mode
+
+This document describes the debug mode configuration capabilities for service stacks in Zerops, allowing developers to pause execution at specific points during build and runtime processes for debugging purposes.
+## Overview
+Debug mode introduces control over two distinct phases of deployment:
+- **Build phase** - When the `buildCommands` are executed
+- **Runtime prepare phase** - When the `prepareCommands` are executed
+For each phase, you can choose when to pause the execution:
+- **Disable** - No pausing, execution proceeds normally
+- **Before first command** - Execution stops before running any commands
+- **After last command** - Execution stops after all commands complete
+- **On command fail** - Execution stops when a command fails
+Each phase can be configured with its own debug settings without affecting the other phase.
+:::warning Important
+The entire build process, including any time spent in debug mode, has a maximum duration of 60 minutes. After this time limit is reached, the build process is automatically cancelled.
 :::
-#### Shared IPv4 *(not recommended)*
+## Configuration
+The debug mode configuration can be found in your service detail under the **Pipelines & CI/CD settings**.
+  
+## Debug Control
+When execution is paused in debug mode, you have several commands available to control the debugging process. Each command serves a specific purpose and affects the deployment process differently.
+### Debug Pause Points
+There are three key points where execution can pause during deployment:
+- ➠ **Disable** - Do not pause
+- ↪ **Before First Command** - Paused before any commands run
+- ✖ **On Command Failure** - Paused when a command fails
+- ✔ **After Last Command** - Paused after all commands complete
+### Available Commands
+#### Continuing Execution
+To proceed with the normal deployment process, use:
 ```bash
-Type    Name              Content                Proxy status  TTL
-AAAA             DNS only      Auto
-A               Proxied       Auto
+zsc debug continue
 ```
-:::tip Why Not?
-Creates inconsistent security posture by mixing direct and proxied connections. Consider using IPv6 only or dedicated IPv4 configurations instead.
-:::
-### DNS-Only Configuration (Without Cloudflare Proxy)
-If you prefer direct connections without Cloudflare's proxy features:
-#### Shared IPv4
+  
+      Pause Point
+      Behavior
+    
+      ↪ Before First Command
+      Begins running commands for the current phase until next possible pause point
+    
+      ✖ On Command Failure
+      Skips the failed command and continues deployment
+    
+      ✔ After Last Command
+      Moves to the next phase (from build to runtime prepare) or completes deployment
+    
+#### Marking Success
+To force a successful deployment status, use:
 ```bash
-Type    Name              Content                Proxy status   TTL
-A               DNS only       Auto
-AAAA             DNS only       Auto
+zsc debug success
 ```
-Uses Zerops' free shared IPv4.
-:::note Both A + AAAA Required
-Adding AAAA record is essential for shared IPv4 configuration as it serves as a [security measure](/features/dns#understand-shared-ipv4) to prevent unauthorized domain claims.
-:::
-#### Dedicated IPv4
-```bash
-Type    Name              Content                Proxy status   TTL
-A              DNS only       Auto
-# Optional
-AAAA             DNS only       Auto
-```
-Uses your dedicated IPv4 address.
-:::tip
-Adding the AAAA record allows visitors with IPv6 support to connect directly via IPv6.
+  
+      Pause Point
+      Behavior
+    
+      ↪ Before First Command
+      Ends current phase without running any commands
+    
+      ✖ On Command Failure
+      Ignores the failure and ends current phase with success
+    
+      ✔ After Last Command
+      Concludes current phase with a successful status
+    
+:::note
+Requires valid `deployFiles` to work properly (fails otherwise).
 :::
-#### IPv6 only
+#### Forcing Failure
+To terminate the deployment with a failure status, use:
 ```bash
-Type    Name              Content                Proxy status   TTL
-AAAA             DNS only       Auto
+zsc debug fail
 ```
-Uses only Zerops' free dedicated IPv6.
+  
+      Pause Point
+      Behavior
+    
+      ↪ Before First Command
+      Marks current phase as failed without running commands
+    
+      ✖ On Command Failure
+      Ends deployment with original error
+    
+      ✔ After Last Command
+      Overwrites successful execution with failed status and ends deployment
+    
+Each phase can be configured independently to pause at any of the points described above, giving you precise control over your debugging workflow. The 60-minute timeout ensures deployments don't remain blocked indefinitely.
+## Usage Examples
+### Example 1: Debugging Build Failures
+  
+      Build phase
+      ✖ On Command Failure
+    
+      Prepare runtime phase
+      ➠ Disable
+    
+This configuration allows you to:
+1. Inspect the container state after a failure
+2. Make necessary adjustments
+3. Use `zsc debug continue` to resume or `zsc debug fail` to abort
+### Example 2: Validating Runtime Setup
+  
+      Build phase
+      ➠ Disable
+    
+      Prepare runtime phase
+      ✔ After Last Command
+    
+## Best Practices
+#### Targeted Debugging
+- Enable debug mode only for the specific phase you need to investigate
+- This minimizes disruption to the deployment process
+- Helps maintain clear debugging sessions
+#### Clean Up
+- Always remember to disable debug mode after completing your debugging session
+- Set both phases to **Disable**
+- Prevents unexpected pauses in future deployments
+#### Production Consideration
+- Be cautious when using debug mode in production environments
+- Paused executions can block deployments
+- Consider using separate development services for extended debugging sessions
+#### Timeout Awareness
+- Be mindful of the 60-minute maximum debug pause time (p)lan debugging sessions accordingly)
+## Technical Considerations
+- Debug mode settings persist until explicitly changed
+- Build phase and runtime prepare phase operate independently
+- Debug commands are only available when execution is paused
+- Success signals require valid `deployFiles` to proceed
+
+----------------------------------------
+
+# Features > Env Variables
+
+Zerops manages environment variables at two scopes: service level and project level. These variables are handled automatically without requiring `.env` files.
+## Service Variables
+Variables that are specific to individual [services](/features/infrastructure#services).
+### User-Defined Variables
+You can define service-level variables in two ways:
+#### 1. Build & Runtime Variables
+These variables are defined with `envVariables` attribute in the `build` or `run` section of your [zerops.yaml](/zerops-yaml/specification) file and are accessible within their respective containers.
+```yaml title="zerops.yaml"
+...
+  build:
+    envVariables:
+      DB_NAME: db
+      DB_HOST: 127.0.0.1
+      DB_USER: db
+      DB_PASS: password
+    ...
+  run:
+    envVariables:
+      DB_NAME: db
+      DB_HOST: 127.0.0.1
+      DB_USER: db
+      DB_PASS: password
+```
+See how to [reference variables](#referencing-variables) between services and between build and runtime environments.
 :::note
-This configuration will only work for users with IPv6 connectivity.
+Your application must be redeployed when updating environmental variables in `zerops.yaml`.
 :::
-## Wildcard Domain Configuration
-Zerops supports wildcard domains (`*.`) that allow routing all subdomains to your project.
-### DNS Records for Wildcards
-Configure wildcard domains using either method:
-#### Method A: Direct Wildcard Records
-```bash
-Type   Name              Content               Proxy status       TTL
-A      *.      DNS only/Proxied   Auto
-AAAA   *.      DNS only/Proxied   Auto
-```
-#### Method B: CNAME to Main Domain
-First ensure your main domain has proper A/AAAA records, then add:
-```bash
-Type    Name              Content         Proxy status       TTL
-CNAME   *.      DNS only/Proxied   Auto
+#### 2. Secret Variables
+For storing sensitive data you don't want in your source repository. They can be updated without redeployment (though services need to be reloaded).
+Secret variables can be managed through:
+##### GUI Interface
+Navigate to service details and find **Environment variables** in the menu. You can:
+- Add individual variables using the "Add secret variable" button
+- Edit individual variables through the menu that appears on hover
+- Use the bulk editor for managing multiple variables in .env format
+    
+##### Import Configuration
+Create secret variables for a service with `envSecrets` attribute. See the complete [import.yaml structure](/references/import).
+```yaml title="import.yaml"
+services:
+  ...
+  envSecrets:
+    S3_ACCESS_KEY_ID: 'your-secret-s3-key'
+    S3_ACCESS_SECRET: 'your-s3-access-secret'
 ```
-### Certificate Validation for Wildcards
-To enable automatic SSL certificate issuance for wildcard domains:
-```bash
-Type    Name                            Content                     Proxy status   TTL
-CNAME   _acme-challenge.   .zerops.zone   DNS only       Auto
+### System-Generated Variables
+Zerops automatically generates variables based on service type.
+These variables cannot be deleted and are always listed at the bottom of the environment variables page. Some are read-only (like `hostname`), while others can be edited (like `PATH`).
+These variables can also be [referenced](#referencing-variables).
+## Project Variables
+Variables that apply across all services within a [project](/features/infrastructure#projects). These provide a way to share common configuration across services.
+They work similarly to service secret variables but at project scope - they're managed through the GUI and can be updated without redeployment (though services need to be reloaded).
+### User-Defined Variables
+You can set project-wide variables through:
+#### GUI Interface
+Access **Project environment variables** in your project detail to:
+- Add individual variables one by one
+- Edit individual variables
+- Use the bulk editor with .env format
+#### Import Configuration
+Create project variables with `envVariables` attribute. See the complete [import.yaml structure](/references/import).
+```yaml title="import.yaml"
+project:
+  ...
+  envVariables:
+    LOG_LEVEL: info
+    API_VERSION: v1
 ```
-This CNAME record allows Zerops to handle the DNS-01 challenge required for wildcard SSL certificates.
-### Higher-Level Wildcard Subdomains
-You can also set up higher-level wildcard subdomains like `*..`:
-#### Method A: Direct Configuration
-```bash
-Type   Name                          Content               Proxy status       TTL
-A      *..      DNS only/Proxied   Auto
-AAAA   *..      DNS only/Proxied   Auto
+### System-Generated Variables
+Zerops automatically generates project-level variables that can be [referenced](#referencing-variables) from services.
+## Environment Variable Isolation
+A security feature that controls the **visibility** of environment variables across services within a project.
+By default, Zerops isolates environment variables between services to enhance security and prevent unintended access to sensitive information. This isolation can be configured at both project and service levels.
+### Isolation Modes
+Zerops supports two isolation modes:
+  
+      Mode
+      Description
+    
+      service
+      Default mode. Variables are isolated to their respective services. Services can only access their own variables and must explicitly reference variables from other services.
+    
+      none
+      Legacy mode. All variables from all services are automatically shared and accessible via prefixing.
+    
+### Configuring Isolation
+#### Project-Level Isolation
+Zerops automatically creates the `envIsolation` project variable with the default value `service`. You only need to modify this if you want to disable isolation:
+```yaml title="import.yaml"
+project:
+  envIsolation: none  # Disables isolation, sharing all variables
 ```
-#### Method B: Using a CNAME Record
-```bash
-Type    Name                          Content                     Proxy status       TTL
-CNAME   *..   .   DNS only/Proxied   Auto
+This can also be set through the Project Environment Variables section in the GUI.
+#### Service-Level Override
+Individual services can override the project-level isolation setting:
+```yaml title="import.yaml"
+services:
+  - hostname: db
+    envIsolation: none  # This service's variables will be visible to all services
 ```
-or
-```bash
-Type    Name                          Content         Proxy status       TTL
-CNAME   *..      DNS only/Proxied   Auto
+:::tip
+You might set a database service to `envIsolation: none` to expose its connection details to other services, without having to manually reference them, while keeping the rest of your services isolated.
+:::
+:::note
+In import YAML, `envIsolation` can also be nested under `envVariables`/`envSecrets`. (If both are present, the nested version takes precedence).
+:::
+### Accessing Variables Across Services
+#### With Isolation Enabled (`service` mode)
+When isolation is enabled, you must explicitly create reference variables to access variables from other services:
+```yaml title="zerops.yaml"
+# In the 'app' service:
+run:
+  envVariables:
+    # Create a local reference to the 'password' variable from the 'db' service
+    DB_PASSWORD: ${db_password}
 ```
-For certificate validation with higher-level wildcards:
-```bash
-Type    Name                                        Content                                 Proxy status   TTL
-CNAME   _acme-challenge..   ..zerops.zone   DNS only       Auto
+This approach gives you complete control over which variables are shared between services.
+#### With Isolation Disabled (`none` mode)
+When isolation is disabled, variables are automatically available across all services with the service name prefix:
+```yaml
+# In any service, you can directly access:
+${db_password}  # Accesses the 'password' variable from the 'db' service
 ```
-### Combining Main Domain and Wildcard Domain
-To use both `` and `*.`, specify both variants in your [Zerops configuration](/features/access#configuring-http-routing). Zerops automatically issues a single shared certificate for both the main domain and all its subdomains.
-## Cloudflare SSL/TLS Configuration
-### Essential SSL/TLS Settings
-1. **Set Encryption Mode**
-   - Navigate to **SSL/TLS** → **Overview** in your Cloudflare dashboard
-   - Select **Full (strict)** for production or **Full** for testing
-   - **Never use Flexible mode** - this will cause redirect loops
-2. **Edge Certificates**
-   - Go to **SSL/TLS** → **Edge Certificates**
-   - Ensure **Always Use HTTPS** is enabled for production
-   - Keep **Automatic HTTPS Rewrites** enabled
-### Certificate Validation Configuration
-For proper certificate issuance, especially with Let's Encrypt:
-#### Option A: Simple Setup (Testing/Development)
-- Temporarily disable **Always Use HTTPS** during initial certificate setup
-- Re-enable after certificates are issued
-#### Option B: Production Setup
-Keep **Always Use HTTPS** enabled and create a Configuration Rule:
-1. Go to **Rules** → **Configuration Rules**
-2. Create a new rule with these settings:
-   - **Rule name:** "Allow ACME Challenge"
-   - **Field:** URI Path
-   - **Operator:** starts with
-   - **Value:** `/.well-known/acme-challenge/`
-   - **Action:** Disable **Automatic HTTPS Rewrites**
-This rule allows certificate validation to work while maintaining HTTPS enforcement for all other traffic.
-## Validation and Testing
-### DNS Resolution Testing
-```bash
-# Check IPv4 resolution
-dig A 
-# Check IPv6 resolution
-dig AAAA 
-# Check from specific DNS server
-dig @1.1.1.1 
+### Best Practices for Variable Isolation
+1. **Use Default Isolation**: Keep the default `service` isolation for enhanced security.
+2. **Explicit References**: Create explicit references only for variables that need to be shared.
+3. **Naming Conventions**: Use clear naming patterns for reference variables (e.g. `DB_PASSWORD` for a reference to `db_password`).
+4. **Service-Level Exceptions**: Use service-level isolation overrides sparingly and only for services that need to expose their variables widely.
+## Variable Restrictions
+All environment variables must follow these restrictions:
+### Key
+- Alphanumeric characters only (use `_` to separate words)
+- Must be unique within their scope
+- Case-sensitive
+### Value
+- ASCII characters only
+- No EOL characters
+## Variable Management
+### Variable Precedence
+When the same environment variable key exists in multiple places, Zerops follows these precedence rules:
+1. Service-level variables take precedence over project variables
+2. Within service-level:
+   - Build/runtime variables override secret variables
+   - Build and runtime containers are separate environments
+### Referencing Variables
+You can reference other variables using the `${variable_name}` syntax:
+#### Within Same Service
+```yaml
+envVariables:
+  id: 42069
+  hostname: app
+  name: ${id}-${hostname}  # Results in: 42069-app
 ```
-### Connectivity Testing
-```bash
-# Basic HTTPS test
-curl -vI https://
-# Test with specific subdomain (for wildcards)
-curl -vI https://api.
-# Test IPv4 specifically
-curl -4 -v https://
-# Test IPv6 specifically
-curl -6 -v https://
+#### Across Services
+How this works depends on your environment variable isolation setting:
+**With Isolation Enabled** (`service` mode - default)
+* Create an explicit reference in the destination service:
+```yaml
+# In the 'app' service
+envVariables:
+  # Creating a reference to the 'connectionString' from 'dbtest' service
+  dbConnection: ${dbtest_connectionString}
 ```
-### Cloudflare-Specific Checks
-1. **Verify proxy status** in Cloudflare DNS dashboard (orange cloud = proxied)
-2. **Check SSL/TLS mode** in SSL/TLS → Overview
-3. **Confirm certificate issuance** in SSL/TLS → Edge Certificates
-4. **Test redirect behavior** by accessing `http://` version of your domain
-## Troubleshooting Common Issues
-### SSL Certificate Problems
-**Symptom:** "Too many redirects" or SSL errors
-**Solutions:**
-- Verify SSL/TLS mode is set to **Full** or **Full (strict)**, not **Flexible**
-- Check that both Zerops and Cloudflare have valid certificates
-- Ensure **Always Use HTTPS** is properly configured
-- For new domains, refresh the Cloudflare SSL/TLS page as settings may display incorrectly initially
-**Symptom:** Certificate validation fails for wildcard domains
-**Solutions:**
-- Verify the `_acme-challenge` CNAME record is correctly configured
-- Ensure DNS propagation is complete (check with `dig` command)
-- Check that the CNAME points to `.zerops.zone`
-### DNS Resolution Issues
-**Symptom:** Domain not resolving
-**Solutions:**
-- Confirm DNS records are correctly configured in Cloudflare
-- Verify proxy status matches your intended setup
-- Check for typos in IP addresses
-- Wait for DNS propagation (typically 5-10 minutes)
-**Symptom:** IPv4 traffic not working with IPv6-only setup
-**Solutions:**
-- Ensure Cloudflare proxy is enabled (orange cloud)
-- Verify IPv6 address is correct in AAAA record
-- Confirm no conflicting A record with shared IPv4 exists
-## Security Considerations
-- Always use **Full (strict)** SSL mode for production
-- Enable **HSTS (HTTP Strict Transport Security)** in Cloudflare
-- Consider enabling **Bot Fight Mode** for additional protection
-- Use Cloudflare's **Firewall Rules** to block malicious traffic
-- Regularly monitor SSL certificate expiration dates
-## Getting Help
-If you encounter issues not covered in this guide:
-- Check the [general DNS configuration guide](/features/dns#technical-background) for additional context
-- Review your Zerops service logs for error messages
-- Verify your configuration against Cloudflare's documentation
-- Test with simple curl commands to isolate the problem
-- Contact Zerops support via [email](mailto:support@zerops.io) or reach out on [Discord](https://discord.gg/zeropsio)
+**With Isolation Disabled** (`none` mode)
+* Variables from other services are automatically injected into the container and available using the service prefix format `servicename_variablename`:
+```yaml
+# In any container, you can directly access variables from other services:
+# ${dbtest_connectionString}
+```
+#### Between Build and Runtime Environments
+Build and runtime are two distinct environments in Zerops. Each environment can have its own set of variables, and you can use the same variable names in both environments since they are separate. Due to this separation, variables defined in one are not automatically accessible in the other.
+To share variables between environments, you need to use specific prefixes:
+- Use `RUNTIME_` prefix to access runtime variables during build
+- Use `BUILD_` prefix to access build variables during runtime
+Here's an example of `zerops.yaml` file showing how to reference a runtime variable during build:
+```yaml title="zerops.yaml"
+build:
+  envVariables:
+    API_KEY: ${RUNTIME_API_KEY}  # Using runtime variable during build
+run:
+  envVariables:
+    API_KEY: "12345-abcde"      # Referenced in build with RUNTIME_ prefix
+```
+#### Project Variables
+No prefix needed when referencing project variables:
+```yaml title="import.yaml"
+project:
+  ...
+  envVariables:
+    projectName: devel
+```
+```yaml title="zerops.yaml"
+envVariables:
+  id: 42069
+  hostname: app
+  name: ${projectName}-${hostname}  # Results in: devel-app
+```
+## Environment Variable Examples
+### Variable Isolation Example
+Consider a project with three services: `api`, `db`, and `cache`:
+```yaml title="Project structure"
+project:
+  name: my-project
+services:
+  - hostname: api
+    envSecrets:
+      # Creating explicit references to needed variables
+      DB_CONNECTION: ${db_user}:${db_password}@${db_hostname}:${db_port}
+      CACHE_URL: ${cache_hostname}:${cache_port}
+  - hostname: db
+    envSecrets:
+      password: secureDbPassword
+      user: dbuser
+      port: 5432
+  - hostname: cache
+    envSecrets:
+      password: cacheServerPass
+      port: 6379
+```
+With this setup:
+- The `api` service can only access the specific `db` and `cache` variables it explicitly references
+- The `db` service cannot see any variables from `api` or `cache`
+- The `cache` service cannot see any variables from `api` or `db`
+If we changed the project's `envIsolation` to `none`, all services would be able to see all variables from all other services (prefixed with the service name).
+*Need help? Join our [Discord community](https://discord.gg/zeropsio).*
 
 ----------------------------------------
 
-# Features > Container Vs Vm
+# Features > Infrastructure
 
-Ever wondered why container technologies like Docker took over the development world so quickly? Let's break down the real differences between traditional VMs and containers - and why you might want to use one over the other.
-## Key Distinctions
-**Containers** are like lightweight packages that contain just your app and what it needs to run, sharing resources with your main system.
-**Virtual Machines** are like having a whole computer inside your computer. Complete with its own operating system, memory, and everything else.
-### Why Developers Love Containers
-#### They're Fast
-- Start up in seconds (not minutes)
-- Take up way less space
-- You can run many more of them on the same hardware
-#### They're Consistent
-- Works on your machine? Will work on everyone's machine
-- No more "but it works locally" problems
-- Same environment from development to production
-#### They're Simple
-- Easy to share with your team
-- Quick to update and modify
-- Less configuration headaches
-### When VMs Still Make Sense
-Sometimes you actually want a full computer-within-a-computer:
-- You need to run a completely different operating system
-- You're dealing with legacy applications that need specific system configurations
-- You require maximum isolation for security reasons
-### Real-World Comparison
-Think of it like this:
-- **Containers** are like apartments in a well-managed building (shared infrastructure, efficient, but with some limitations)
-- **VMs** are like having your own house (complete control, but with more overhead)
-## Containers and VMs in Zerops
-### Why Zerops Uses Both
-At Zerops, we use **containers** as our primary runtime environment - they're fast, efficient, and perfect for most modern development workflows. We've optimized our container infrastructure to handle nearly every type of application you might need to run.
-However, we also provide **VMs** when you need them, particularly for Docker-based workloads where the additional isolation is essential. Docker containers are a special case - on Zerops, they actually need to run inside VMs for proper security and isolation. While it's technically possible to run Docker in containers using privileged mode, this creates security vulnerabilities.
-### When to Use What
-  
-    Go with Containers when:
+Zerops organizes your infrastructure into three hierarchical levels: **projects**, **services**, and **containers**. This structure provides secure networking, resource isolation, and scalable application deployment.
+## Projects
+A project is the top-level entity in Zerops, functioning as a private network where services can communicate internally and share environment variables. Each project provides essential infrastructure including load balancing, routing, and container orchestration.
+### Key Project Features
+- **Private Networking**: All services within a project share a secure network
+- **Environment Variables**: Services can access shared environment variables
+- **IPv6/IPv4 Addressing**: Each project receives an IPv6 address, with optional IPv4 addressing
+- **Integrated Security**: Built-in firewall and SSL certificate management
+:::tip Project Organization
+Consider your project strategy carefully. Create separate projects for different environments (dev/staging/prod) or consolidate related applications in a single project to optimize resources and simplify networking.
+:::
+### Project Core Options
+When you create a project, it requires a functioning **core** that includes logger and statistics services, HTTP routing with automatic SSL certificate management, and IP routing with integrated firewall.
+Zerops offers two core types to match different needs and budgets:
+#### Lightweight Core
+Single-container solution perfect for development projects and smaller production workloads. Includes project controller, L3 balancer, firewall, logger, statistics, and HTTP handling in one efficient package.
+:::tip Ideal For
+Development environments, low-traffic applications, personal projects, budget-conscious teams.
+:::
+#### Serious Core
+Enterprise-grade infrastructure with separated core services across multiple containers for true redundancy and high availability.
+:::tip Ideal For
+Production applications, high-traffic websites, mission-critical business applications, teams requiring maximum uptime.
+:::
+#### Features Comparison
   
-        Building modern web applications
+      Lightweight Core
+      Serious Core
+    
+      Infrastructure
+      Single container (limited redundancy)
+      Multi-container (highly available)
+    
+      SSL Termination
       
-        Working with microservices
+      Automatic Certificate Generation
       
-        Need quick deployment and vertical scaling
+      Proxy / Load Balancer
       
-        Want efficient resource usage
+      IPv6 Address
       
-    Consider VMs when:
-  
-        Running legacy applications
-      
-        Need complete OS isolation
-      
-        Require specific hardware access
-      
-        Need to run Docker containers
-      
-### Resource Allocation
-Both containers and VMs in Zerops can have guaranteed resources:
-- Specific CPU cores
-- Dedicated memory
-- Controlled disk space
-The difference isn't in resource guarantee capabilities, but rather in how these resources are managed and isolated.
-## The Bottom Line
-For most modern development work, containers are the way to go. They're faster, more efficient, and easier to work with. VMs still have their place, but unless you have a specific reason to use them, containers will usually make your life easier.
-*Remember: The goal is to spend less time managing infrastructure and more time building great applications. Choose the tool that lets you do that most effectively.*
-:::tip Pro Tip
-Not sure which to choose? Start with containers. You can always switch to VMs if you discover you need them for specific use cases.
+      Build Time
+      15 hours
+      150 hours
+    
+      Backup Space
+      5 GB
+      25 GB
+    
+      Egress
+      100 GB
+      3 TB
+    
+      Failover Protection
+      Limited
+      Comprehensive
+    
+For detailed pricing information on both core types, visit our [pricing page](/company/pricing#project-core-plans).
+#### Project Core Upgrade
+You can upgrade from Lightweight Core to Serious Core for enhanced reliability and increased resources.
+:::warning Important
+The core upgrade is a **partially destructive process** that will temporarily disrupt your project's operations. Plan upgrades during maintenance windows.
+:::
+**What happens during upgrade:**
+- All project logs and statistics will be lost (forwarded logs/statistics are not affected)
+- Services will be network-unavailable during the process (avg. 35 seconds but can take longer)
+- $10 project core fee will be charged upon upgrade
+- Free project resources will reset to Serious Core limits
+- Project IP addresses remain unchanged
+:::important
+If you encounter issues, **contact support immediately** and try running the process again.
 :::
+## Services
+Services encapsulate your containers and provide specific functionality within a project. A project can contain unlimited services, each with its own purpose.
+**Service types include:**
+- Runtimes, Linux Containers & Docker
+- Databases, Search Engines & Messages Brokers
+- Storages
+- *System services (needed for fully functioning project core)*
+**Management options:**
+- **Fully managed**: Zerops handles scaling, routing, and repairs automatically (Databases and Storages)
+- **Partially managed**: You maintain control over certain management aspects (Runtimes)
+Services within a project communicate via internal hostnames and can share environment variables for seamless integration.
+## Containers
+Containers are the most granular level of the Zerops architecture. Each service consists of one or more containers that work together to deliver functionality.
+**Container deployment:**
+- Single containers for simple applications
+- Multiple containers for High Availability (HA) mode (e.g. fully managed MariaDB service in HA mode uses 3 containers for the database cluster and 2 for proxies)
+**Container capabilities:**
+- Use predefined images or custom configurations
+- Can be exposed publicly via Zerops subdomains, custom domains, or public ports
+- Operate within service resource constraints with automatic scaling
 
 ----------------------------------------
 
-# Features > Debug Mode
+# Features > Pipeline
 
-This document describes the debug mode configuration capabilities for service stacks in Zerops, allowing developers to pause execution at specific points during build and runtime processes for debugging purposes.
-## Overview
-Debug mode introduces control over two distinct phases of deployment:
-- **Build phase** - When the `buildCommands` are executed
-- **Runtime prepare phase** - When the `prepareCommands` are executed
-For each phase, you can choose when to pause the execution:
-- **Disable** - No pausing, execution proceeds normally
-- **Before first command** - Execution stops before running any commands
-- **After last command** - Execution stops after all commands complete
-- **On command fail** - Execution stops when a command fails
-Each phase can be configured with its own debug settings without affecting the other phase.
-:::warning Important
-The entire build process, including any time spent in debug mode, has a maximum duration of 60 minutes. After this time limit is reached, the build process is automatically cancelled.
-:::
-## Configuration
-The debug mode configuration can be found in your service detail under the **Pipelines & CI/CD settings**.
-  
-## Debug Control
-When execution is paused in debug mode, you have several commands available to control the debugging process. Each command serves a specific purpose and affects the deployment process differently.
-### Debug Pause Points
-There are three key points where execution can pause during deployment:
-- ➠ **Disable** - Do not pause
-- ↪ **Before First Command** - Paused before any commands run
-- ✖ **On Command Failure** - Paused when a command fails
-- ✔ **After Last Command** - Paused after all commands complete
-### Available Commands
-#### Continuing Execution
-To proceed with the normal deployment process, use:
-```bash
-zsc debug continue
+export const languages = [
+    { name: "Node.js", link: "/nodejs/how-to/build-pipeline" },
+    { name: "PHP", link: "/php/how-to/build-pipeline" },
+    { name: "Python", link: "/python/how-to/build-pipeline" },
+    { name: "Go", link: "/go/how-to/build-pipeline" },
+    { name: ".NET", link: "/dotnet/how-to/build-pipeline" },
+    { name: "Rust", link: "/rust/how-to/build-pipeline" },
+    { name: "Java", link: "/java/how-to/build-pipeline" },
+    { name: "Elixir", link: "/elixir/how-to/build-pipeline" },
+    { name: "Deno", link: "/deno/how-to/build-pipeline" },
+    { name: "Bun", link: "/bun/how-to/build-pipeline" },
+    { name: "Gleam", link: "/gleam/how-to/build-pipeline" },
+    { name: "Nginx", link: "/nginx/how-to/build-pipeline" }
+]
+export const customizeBuild = [
+    { name: "Node.js", link: "/nodejs/how-to/build-process#build-environment" },
+    { name: "PHP", link: "/php/how-to/build-process#build-environment" },
+    { name: "Python", link: "/python/how-to/build-process#build-environment" },
+    { name: "Go", link: "/go/how-to/build-process#build-environment" },
+    { name: ".NET", link: "/dotnet/how-to/build-process#build-environment" },
+    { name: "Rust", link: "/rust/how-to/build-process#build-environment" },
+    { name: "Java", link: "/java/how-to/build-process#build-environment" },
+    { name: "Elixir", link: "/elixir/how-to/build-process#build-environment" },
+    { name: "Deno", link: "/deno/how-to/build-process#build-environment" },
+    { name: "Bun", link: "/bun/how-to/build-process#build-environment" },
+    { name: "Gleam", link: "/gleam/how-to/build-process#build-environment" },
+    { name: "Nginx", link: "/nginx/how-to/build-process#build-environment" }
+]
+export const customizeRuntime = [
+    { name: "Node.js", link: "/nodejs/how-to/customize-runtime" },
+    { name: "PHP", link: "/php/how-to/customize-runtime" },
+    { name: "Python", link: "/python/how-to/customize-runtime" },
+    { name: "Go", link: "/go/how-to/customize-runtime" },
+    { name: ".NET", link: "/dotnet/how-to/customize-runtime" },
+    { name: "Rust", link: "/rust/how-to/customize-runtime" },
+    { name: "Java", link: "/java/how-to/customize-runtime" },
+    { name: "Elixir", link: "/elixir/how-to/customize-runtime" },
+    { name: "Deno", link: "/deno/how-to/customize-runtime" },
+    { name: "Bun", link: "/bun/how-to/customize-runtime" },
+    { name: "Gleam", link: "/gleam/how-to/customize-runtime" },
+    { name: "Nginx", link: "/nginx/how-to/customize-runtime" }
+]
+## Configure the pipeline
+Zerops provides a customizable build and runtime environment for your application. Start by adding a [zerops.yaml](/zerops-yaml/specification) file to the **root of your repository** and modify it to fit your application.
+Here is a basic example for a Node.js application:
+```yaml
+zerops:
+  - setup: api
+    build:
+      base: nodejs@20
+      buildCommands:
+        - npm i
+        - npm run build
+      deployFiles: ./dist
+      cache: node_modules
+    run:
+      base: nodejs@20
+      start: npm start
 ```
+The zerops.yaml in your repository tells Zerops how to build and deploy your application. When the build & deploy pipeline triggers for the Node.js service named `api`, Zerops will:
+1. Create a build environment with Node.js v.20 preinstalled
+2. Run build commands: `npm i`, `npm run build`
+3. Create a runtime environment with Node.js v.20 preinstalled
+4. Deploy the built artifact from the `./dist` folder to runtime containers
+5. Cache the `./node_modules` folder for faster subsequent builds
+6. Start your application using `npm start`
+Learn more about `zerops.yaml` parameters for your runtime:
+## Trigger the pipeline
   
-      Pause Point
-      Behavior
-    
-      ↪ Before First Command
-      Begins running commands for the current phase until next possible pause point
-    
-      ✖ On Command Failure
-      Skips the failed command and continues deployment
-    
-      ✔ After Last Command
-      Moves to the next phase (from build to runtime prepare) or completes deployment
-    
-#### Marking Success
-To force a successful deployment status, use:
-```bash
-zsc debug success
-```
+### Continuous deployment
+Set up automatic builds triggered by Git events. You can establish continuous deployment in two ways:
+* **New Service:** Create a new runtime service and connect it to your GitHub or GitLab repository during the service creation process.
+* **Existing Services:** Go to the service detail and choose **Pipelines & CI/CD settings** from the left menu. Click **Connect with a GitHub repository** or **Connect with a GitLab repository** to link your repository.
+Once connected, Zerops will automatically build and deploy your application with each push to the selected branch or when you create a new tag.
   
-      Pause Point
-      Behavior
+### On-demand deployment
+Trigger builds and deployments manually when needed using either the CLI or GUI.
+#### Using Zerops CLI
+- **Build and deploy:** `zcli service push` - Uploads code and triggers the full pipeline
+- **Deploy only:** `zcli service deploy` - Skips build, deploys pre-built artifacts
+See [CLI commands documentation](/references/cli/commands#service-operations) for all parameters.
+#### Using Zerops GUI
+In **Pipelines & CI/CD settings** section of your service detail:
+- **Re-deploy last pipeline** - With optional secret env variable updates
+- **Trigger new pipeline** - From git repo or with custom configuration
+#### Using import YAML
+Add `buildFromGit: ` to your service configuration for one-time build during import. See [import documentation](/references/import#service-basic-configuration).
+## Build phase
+  
+Zerops starts a temporary build container and executes these steps:
+1. **Install build environment** - Sets up the runtime and tools
+2. **Download source code** - From [GitHub ↗](https://www.github.com), [GitLab ↗](https://www.gitlab.com) or via [Zerops CLI](/references/cli)
+3. **Customize environment** - Runs optional preparation commands
+4. **Execute build commands** - Compiles and packages your application
+5. **Upload artifacts** - Stores build output in internal Zerops storage
+6. **Cache files** - Optionally [caches](/features/build-cache) selected files for faster future builds
+Zerops automatically deletes the build container after the build finishes or fails.
+### Build hardware resources
+All runtime services use the same hardware resources for build containers:
+  
+      HW resource
+      Minimum
+      Maximum
     
-      ↪ Before First Command
-      Ends current phase without running any commands
+      CPU cores
+      1
+      5
     
-      ✖ On Command Failure
-      Ignores the failure and ends current phase with success
+      RAM
+      8 GB
+      8 GB
     
-      ✔ After Last Command
-      Concludes current phase with a successful status
+      Disk
+      1 GB
+      100 GB
     
-:::note
-Requires valid `deployFiles` to work properly (fails otherwise).
+Build containers start with minimum resources and scale vertically up to maximum capacity as needed.
+:::info
+Build container resources are not charged. Build costs are covered by the standard Zerops [project fee](https://zerops.io/#pricing).
 :::
-#### Forcing Failure
-To terminate the deployment with a failure status, use:
-```bash
-zsc debug fail
-```
+### Build time limit
+The entire build pipeline has a **1 hour** time limit. After 1 hour, Zerops terminates the build pipeline and deletes the build container.
+### Customize the build environment
+All runtime services start with a default build environment based on the [build.base](/zerops-yaml/specification#base-) attribute in `zerops.yaml`. Install additional packages or tools by adding [build.prepareCommands](/zerops-yaml/specification#preparecommands-) to your configuration.
+Learn more about customizing build environments:
+## Runtime prepare phase (optional)
   
-      Pause Point
-      Behavior
-    
-      ↪ Before First Command
-      Marks current phase as failed without running commands
-    
-      ✖ On Command Failure
-      Ends deployment with original error
-    
-      ✔ After Last Command
-      Overwrites successful execution with failed status and ends deployment
-    
-Each phase can be configured independently to pause at any of the points described above, giving you precise control over your debugging workflow. The 60-minute timeout ensures deployments don't remain blocked indefinitely.
-## Usage Examples
-### Example 1: Debugging Build Failures
-  
-      Build phase
-      ✖ On Command Failure
-    
-      Prepare runtime phase
-      ➠ Disable
-    
-This configuration allows you to:
-1. Inspect the container state after a failure
-2. Make necessary adjustments
-3. Use `zsc debug continue` to resume or `zsc debug fail` to abort
-### Example 2: Validating Runtime Setup
-  
-      Build phase
-      ➠ Disable
-    
-      Prepare runtime phase
-      ✔ After Last Command
-    
-## Best Practices
-#### Targeted Debugging
-- Enable debug mode only for the specific phase you need to investigate
-- This minimizes disruption to the deployment process
-- Helps maintain clear debugging sessions
-#### Clean Up
-- Always remember to disable debug mode after completing your debugging session
-- Set both phases to **Disable**
-- Prevents unexpected pauses in future deployments
-#### Production Consideration
-- Be cautious when using debug mode in production environments
-- Paused executions can block deployments
-- Consider using separate development services for extended debugging sessions
-#### Timeout Awareness
-- Be mindful of the 60-minute maximum debug pause time (p)lan debugging sessions accordingly)
-## Technical Considerations
-- Debug mode settings persist until explicitly changed
-- Build phase and runtime prepare phase operate independently
-- Debug commands are only available when execution is paused
-- Success signals require valid `deployFiles` to proceed
-
-----------------------------------------
-
-# Features > Dns
-
-This guide will show you how to configure DNS records and proxy settings to work with your Zerops applications.
-:::important Cloudflare
-If you're using Cloudflare, check out our dedicated [Cloudflare DNS Configuration Guide](/features/cloudflare) for step-by-step instructions specific to Cloudflare's interface and features.
-:::
-## DNS Configuration
-DNS records for Zerops services can be configured in two main ways:
-* **With Proxy**: Routes traffic through proxy services, providing additional security and performance features (recommended for DDoS protection)
-* **Without Proxy (DNS Only)**: Direct connection to your Zerops service's IP address
-DNS allows you to set two records based on IP address type:
-* **A** record for **IPv4** - Zerops offers either a free **shared** IPv4 or a paid **dedicated** IPv4
-* **AAAA** record for **IPv6** - Zerops provides a free **dedicated** IPv6
-### With Proxy
-#### IPv6 only
-```bash
-Type    Name              Content                Proxy status   TTL
-AAAA             Proxied        Auto
+When your application requires additional system packages, libraries, or tools in the runtime environment, Zerops allows you to build a custom runtime image. This optional phase occurs after the build phase and before deployment.
+### When to use custom runtime images
+Build custom runtime images when you need:
+- System packages or libraries for runtime operations (e.g., `apk add imagemagick` for image processing)
+- Library dependencies for interpreted languages or dynamically linked binaries
+- System-level tools or utilities your application requires
+- Customized base operating system or additional software layers
+### Configuration
+Configure custom runtime images in your `zerops.yml` file using these fields:
+#### `run.os` + `run.base`
+Specify the operating system and base packages for your custom runtime image:
+```yaml
+run:
+  os: alpine # or ubuntu
+  base: nodejs@20 # specify your runtime and version
 ```
-:::note
-Make sure your proxy service supports IPv4 to IPv6 translation for this configuration to work for **both IPv4 and IPv6** users.
-Do not add a proxied A record with shared IPv4 - doing so would prevent the proxy from properly routing IPv4 traffic to your service.
-:::
-#### Dedicated IPv4
-```bash
-Type    Name              Content                Proxy status   TTL
-A              Proxied        Auto
-# Optional
-AAAA             Proxied        Auto
+#### `run.prepareCommands`
+Define commands that customize your runtime image. These commands run inside a fresh base container:
+```yaml
+run:
+  prepareCommands:
+    - sudo apk add --no-cache imagemagick
+    - sudo apt-get update && apt-get install -y some-package  # for Ubuntu
 ```
-:::tip
-Adding also AAAA record can be beneficial as visitors with IPv6 support will connect directly via IPv6.
-:::
-#### Shared IPv4 *(valid but NOT recommended)*
-```bash
-Type    Name              Content                Proxy status  TTL
-AAAA             DNS only      Auto
-A               Proxied       Auto
+Zerops creates the custom runtime image from this container after all commands complete successfully.
+#### `build.addToRunPrepare`
+Copy specific files from the build phase to the runtime prepare phase. This is useful when you need source files during runtime preparation:
+```yaml
+build:
+  addToRunPrepare:
+    - package.json
+    - requirements.txt
+    - config/runtime-setup.sh
 ```
-:::tip Why not?
-It does not make sense to expose your IPv6 address while proxying the shared IPv4. Use [IPv6 only](#ipv6-only) setup instead.
+These files are packed immediately after `build.buildCommands` finish and become available during the runtime prepare phase.
+### How it works
+When you trigger the first deploy with defined [run.prepareCommands](/zerops-yaml/specification#preparecommands--1), Zerops:
+1. **Creates prepare container** - Based on `run.os` and `run.base`
+2. **Copies build files** - Files specified in [build.addToRunPrepare](/zerops-yaml/specification#addtorunprepare-) (if any)
+3. **Runs prepare commands** - Executes [run.prepareCommands](/zerops-yaml/specification#preparecommands--1) in order
+4. **Creates runtime image** - Builds custom runtime image from the prepared container
+5. **Uses for deployment** - Deploys your application using this custom runtime image
+### Custom runtime image caching
+Zerops caches custom runtime images to optimize deployment times. The runtime prepare phase is skipped and cached images are reused when:
+- It is not the first deployment of your service
+- None of these `zerops.yaml` fields changed since the last deployment:
+  - `run.os` or `run.base`
+  - `run.prepareCommands`
+  - `build.addToRunPrepare`
+- File contents specified in `build.addToRunPrepare` remain unchanged
+- The custom runtime image cache hasn't been manually invalidated
+#### Manual cache invalidation
+To invalidate the custom runtime image cache, go to your service detail in the Zerops GUI, choose **Pipelines & CI/CD settings** section from the left menu, and click on the button under **Pipeline #**. Then click on the **Clear runtime prepare image** button.
+Learn more about building custom runtime images:
+:::warning
+Do not include your application code in the custom runtime image, as your built application code is deployed automatically into fresh containers.
+Shared storage mounts are also not available during the runtime prepare phase.
 :::
-### Without Proxy
-#### Shared IPv4
-```bash
-Type    Name              Content                Proxy status   TTL
-AAAA             DNS only       Auto
-A               DNS only       Auto
-```
-:::note Both A + AAAA Required
-Adding AAAA record is essential for shared IPv4 configuration as it serves as a [security measure](#understand-shared-ipv4) to prevent unauthorized domain claims.
+## Deploy phase
+  
+### Application artifacts
+After the [build phase](#build-phase) completes, Zerops stores the application artifact in internal storage and deletes the build container.
+For [manual deployments](#manual-deploy-using-zerops-cli) using Zerops CLI, the application artifact is also uploaded to internal storage.
+Zerops uses the stored artifact to deploy identical versions of your application whenever a new container starts:
+- During new application version deployments
+- When applications [scale horizontally](/features/scaling-ha#horizontal-scaling-runtime-services-linux-containers-and-docker)
+- When runtime containers fail and new containers start automatically
+### First deploy
+For initial deployments, Zerops starts one or more runtime containers based on your service [auto scaling settings](/features/scaling-ha).
+Zerops executes these steps for each new container:
+1. **Install runtime environment** - Sets up the runtime (or uses a custom runtime image if configured)
+2. **Download application artifact** - Retrieves build output from internal storage
+3. **Run initialization** - Executes optional [init commands](/zerops-yaml/specification#initcommands-)
+4. **Start application** - Launches your app using the [start command](/zerops-yaml/specification#startcommands-)
+5. **Check readiness** - Waits for [readiness check](/zerops-yaml/specification#readinesscheck-) to succeed (if configured)
+6. **Activate container** - Container becomes active and receives incoming requests
+Services with multiple containers deploy in parallel.
+:::info
+If your application needs initialization in each runtime container, add [init commands](/zerops-yaml/specification#initcommands-) to `zerops.yaml`.
 :::
-#### Dedicated IPv4
-```bash
-Type    Name              Content                Proxy status   TTL
-A              DNS only       Auto
-# Optional
-AAAA             DNS only       Auto
-```
-:::tip
-Adding also AAAA record can be beneficial as visitors with IPv6 support will connect directly via IPv6.
+:::caution
+Do not use `initCommands` for runtime environment customization. See [how to build custom runtime images](#runtime-prepare-phase-optional).
 :::
-#### IPv6 only
-```bash
-Type    Name              Content                Proxy status   TTL
-AAAA             DNS only       Auto
+### Subsequent deploys
+For applications with existing running versions, Zerops starts new containers matching the count of existing containers.
+Zerops executes the same steps as the first deployment for each new container. Your service briefly contains both new and old versions during this process.
+Old containers are then removed from the project balancer to stop receiving new requests. The processes inside old containers terminate and Zerops gradually deletes all old containers.
+### Readiness checks
+If your application is not ready to handle requests immediately after starting via the [start command](/zerops-yaml/specification#startcommands-), configure a [readiness check](/zerops-yaml/specification#readinesscheck-) in your `zerops.yaml`.
+When readiness checks are defined, Zerops:
+1. **Starts your application**
+2. **Performs readiness check**
+3. **Waits and retries** - If check fails, waits 5 seconds and repeats step 2
+4. **Activates container** - If check succeeds, marks container as active
+Runtime containers with pending readiness checks do not receive incoming requests - only active containers handle traffic.
+If readiness checks fail for 5 minutes, Zerops marks the container as failed, deletes it, creates a new container, and repeats the deployment process.
+**Readiness check types:**
+- `httpGet` - Succeeds when URL returns HTTP `2xx` status (5-second timeout, follows `3xx` redirects)
+- `exec.command` - Succeeds when command returns status code 0 (5-second timeout)
+Read the [runtime log](/nodejs/how-to/logs#runtime-log) to troubleshoot failed readiness checks.
+## Manual deploy using Zerops CLI
+  
+Start deploy-only pipelines using the [Zerops CLI](/references/cli). The `zcli service deploy` command uploads and deploys your application in Zerops. Use this when you have your own build process. For building applications in Zerops, use [continuous](#continuous-deployment) or [on-demand](#on-demand-deployment) deployment instead.
+```sh
+Usage:
+  zcli service deploy pathToFileOrDir [flags]
+Flags:
+      --archive-file-path string   If set, zCLI creates a tar.gz archive with the application code in the required path relative
+                                 to the working directory. By default, no archive is created.
+      --deploy-git-folder          Sets a custom path to the zerops.yaml file relative to the working directory. By default zCLI
+                                 looks for zerops.yaml in the working directory.
+  -h, --help                     the service deploy command.
+      --project-id string         If you have access to more than one project, you must specify the project ID for which the
+                                 command is to be executed.
+      --service-id string         If you have access to more than one service, you must specify the service ID for which the
+                                 command is to be executed.
+      --version-name string       Adds a custom version name. Automatically filled if the VERSIONNAME environment variable exists.
+      --working-dir string        Sets a custom working directory. Default working directory is the current directory. (default "./")
+      --zerops-yaml-path string    Sets a custom path to the zerops.yaml file relative to the working directory. By default zCLI
+                                 looks for zerops.yaml in the working directory.
 ```
-:::note
-This configuration will only work for users with IPv6 connectivity, which may limit your service accessibility.
+`pathToFileOrDir` defines paths to directories and/or files relative to the working directory. The working directory defaults to the current directory and can be changed using the `--working-dir` flag.
+Place `zerops.yaml` in the working directory.
+:::info
+You can modify the deploy pipeline anytime by updating the `zerops.yaml` in your working directory.
 :::
-## Wildcard Domain Configuration
-Zerops supports wildcard domains (`*.`) that allow routing all subdomains to your project.
-### DNS Configuration
-#### Method A: Direct configuration of A and AAAA records
-Configure wildcard DNS records following the same patterns described in the [DNS Configuration](#dns-configuration) section, using `*.` in the Name field:
-```bash
-Type   Name              Content               Proxy status       TTL
-A      *.      DNS only/Proxied   Auto
-AAAA   *.      DNS only/Proxied   Auto
-```
-#### Method B: Using a CNAME record
-First configure A and AAAA records for your main domain (``), then set up a CNAME record:
-```bash
-Type    Name              Content         Proxy status       TTL
-CNAME   *.      DNS only/Proxied   Auto
-```
-### Certificate Validation
-For proper HTTPS certificate functionality with wildcard domains, configure:
-```bash
-Type    Name                            Content                     Proxy status   TTL
-CNAME   _acme-challenge.   .zerops.zone   DNS only       Auto
-```
-This record enables Zerops to issue and verify a wildcard certificate for your domain.
-### Higher-Level Wildcard Subdomains
-You can also set up higher-level wildcard subdomains like `*..`:
-#### Method A: Direct configuration
-```bash
-Type   Name                          Content               Proxy status       TTL
-A      *..      DNS only/Proxied   Auto
-AAAA   *..      DNS only/Proxied   Auto
-```
-#### Method B: Using a CNAME record
-```bash
-Type    Name                          Content                     Proxy status       TTL
-CNAME   *..   .   DNS only/Proxied   Auto
-```
-or
-```bash
-Type    Name                          Content         Proxy status       TTL
-CNAME   *..      DNS only/Proxied   Auto
-```
-For certificate validation:
-```bash
-Type    Name                                        Content                                 Proxy status   TTL
-CNAME   _acme-challenge..   ..zerops.zone   DNS only       Auto
-```
-### Combining Main Domain and Wildcard Domain
-To use both `` and `*.`, specify both variants in your [Zerops configuration](/features/access#configuring-http-routing). Zerops automatically issues a single shared certificate for both the main domain and all its subdomains.
-## Validation Steps
-Test your configuration:
-```bash
-# Check DNS resolution
-dig AAAA 
-# Verify connectivity
-curl -vI https://
-# Test IPv4 access
-curl -4 -v https://
-# Test IPv6 access
-curl -6 -v https://
-```
-## Troubleshooting Guide
-1. **DNS Resolution Issues**
-   - Confirm correct record configuration
-   - Verify proxy status settings
-   - Check IPv6 address accuracy
-   - Allow time for DNS propagation (typically 5-10 minutes)
-2. **Connection Problems**
-   - Test both IPv4 and IPv6 connectivity
-   - Check proxy server status if applicable
-   - Confirm port configurations
-3. **Certificate Issues**
-   - Verify proper _acme-challenge CNAME configuration for wildcard domains
-   - Check that DNS records match the domains configured in Zerops
-   - **Provider-specific certificate problems**: Consult your DNS provider's documentation for SSL/TLS configuration requirements
-## Technical Background
-### Understanding Shared IPv4 Addresses {#understand-shared-ipv4}
-Shared IPv4 allows multiple Zerops projects to use the same IPv4 address while maintaining separate routing for each project. Here's how it works:
-1. When a visitor makes a request, it first arrives at the shared IPv4 address
-2. The system looks at the domain name in the request (using SNI - Server Name Indication)
-3. For security, it checks if this domain properly resolves to your project's IPv6 address
-4. Only if IPv6 address matches your project will the traffic be routed correctly
-This is why configuring both A (IPv4) and AAAA (IPv6) records is crucial when using shared IPv4 addresses - the IPv6 record acts as a security key that helps prevent unauthorized use of the shared IPv4 address.
-### Certificate Verification Methods
-When issuing SSL/TLS certificates, different verification methods are used depending on the certificate type:
-#### HTTP-01 vs DNS-01 Verification
-- **Regular certificates** (for a single domain like ``) are typically issued using the **HTTP-01** challenge method. This verification checks that you control the domain by placing a specific file at a specific URL.
-- **Wildcard certificates** (for domains like `*.`) must be issued using the **DNS-01** challenge method. This method requires creating specific TXT records in your DNS configuration.
-### How Zerops Handles Wildcard Certificate Verification
-Zerops simplifies the DNS-01 challenge process:
-1. You create a CNAME record (e.g., `_acme-challenge. CNAME .zerops.zone`)
-2. When a certificate needs to be issued or renewed, Zerops automatically creates the required TXT records on its `zerops.zone` domain
-3. The certificate authority verifies these TXT records through the CNAME redirection
-4. Once verified, the wildcard certificate is issued without requiring manual intervention
+## Manage builds and deployments
+### Cancel running build
+When you need to cancel an incorrect running build, use the Zerops GUI. Go to the service detail, open the running processes list, and click **Open pipeline detail**. Then click **Cancel build**.
+  
+:::caution
+Build cancellation is only available before the build pipeline finishes. Once the build completes, deployment cannot be cancelled.
+:::
+### Application versions
+Zerops keeps the 10 most recent versions of your application in internal storage.
+Access the application versions list in Zerops GUI by going to service detail and choosing the **Pipelines & CI/CD settings** section from the left menu. The active version is highlighted - click the button below to show all archived versions.
+  
+Access pipeline details from the additional menu. Pipeline details contain:
+- Pipeline configuration (`zerops.yaml`) used for the selected version
+- Build log (if available)
+- Prepare runtime log (if available)
+You can download the build artifact for selected versions or manually delete inactive versions.
+### Restore an archived version
+Restore archived versions by choosing **Activate** from the additional menu. Zerops will deploy the selected version and archive the currently active version.
+Environment variables restore to their state from the last moment when the selected version was active.
 
 ----------------------------------------
 
-# Features > Env Variables
+# Features > Scaling Ha
 
-Zerops manages environment variables at two scopes: service level and project level. These variables are handled automatically without requiring `.env` files.
-## Service Variables
-Variables that are specific to individual [services](/features/infrastructure#services).
-### User-Defined Variables
-You can define service-level variables in two ways:
-#### 1. Build & Runtime Variables
-These variables are defined with `envVariables` attribute in the `build` or `run` section of your [zerops.yaml](/zerops-yaml/specification) file and are accessible within their respective containers.
-```yaml title="zerops.yaml"
-...
-  build:
-    envVariables:
-      DB_NAME: db
-      DB_HOST: 127.0.0.1
-      DB_USER: db
-      DB_PASS: password
-    ...
-  run:
-    envVariables:
-      DB_NAME: db
-      DB_HOST: 127.0.0.1
-      DB_USER: db
-      DB_PASS: password
-```
-See how to [reference variables](#referencing-variables) between services and between build and runtime environments.
+Zerops delivers enterprise-grade infrastructure with built-in automatic scaling and high availability. This means applications and databases dynamically adjust to traffic demands—scaling up during peak loads to maintain performance and scaling down during quiet periods to reduce costs.
+Unlike traditional hosting where resources must be predicted and pre-provisioned, Zerops continuously monitors workloads and automatically allocates exactly what is needed, when it is needed. This intelligent resource management ensures optimal performance without wasted spend.
+## Key Benefits
+- **Cost Optimization**: Only pay for resources actually used
+- **Performance Reliability**: Maintain responsiveness during traffic spikes
+- **Automatic Management**: Built-in best practices with customizable settings
+- **High Availability**: Redundancy options for production environments
+## Understanding Zerops Scaling Architecture
+Zerops uses two fundamentally different approaches for optimizing infrastructure:
+#### **Resource Management (Vertical Scaling)**
+- **Applies to:** Runtime services, databases, shared storage, and Linux containers (Alpine and Ubuntu)
+- **What it does:** Adjusts CPU, RAM, and disk resources within individual containers
+- **Management:** Automated by Zerops, but customizable by users
 :::note
-Your application must be redeployed when updating environmental variables in `zerops.yaml`.
+Docker services do not support automatic vertical scaling. Resource values can be manually changed, but this triggers a VM restart.
 :::
-#### 2. Secret Variables
-For storing sensitive data you don't want in your source repository. They can be updated without redeployment (though services need to be reloaded).
-Secret variables can be managed through:
-##### GUI Interface
-Navigate to service details and find **Environment variables** in the menu. You can:
-- Add individual variables using the "Add secret variable" button
-- Edit individual variables through the menu that appears on hover
-- Use the bulk editor for managing multiple variables in .env format
-    
-##### Import Configuration
-Create secret variables for a service with `envSecrets` attribute. See the complete [import.yaml structure](/references/import).
-```yaml title="import.yaml"
-services:
-  ...
-  envSecrets:
-    S3_ACCESS_KEY_ID: 'your-secret-s3-key'
-    S3_ACCESS_SECRET: 'your-s3-access-secret'
-```
-### System-Generated Variables
-Zerops automatically generates variables based on service type.
-These variables cannot be deleted and are always listed at the bottom of the environment variables page. Some are read-only (like `hostname`), while others can be edited (like `PATH`).
-These variables can also be [referenced](#referencing-variables).
-## Project Variables
-Variables that apply across all services within a [project](/features/infrastructure#projects). These provide a way to share common configuration across services.
-They work similarly to service secret variables but at project scope - they're managed through the GUI and can be updated without redeployment (though services need to be reloaded).
-### User-Defined Variables
-You can set project-wide variables through:
-#### GUI Interface
-Access **Project environment variables** in your project detail to:
-- Add individual variables one by one
-- Edit individual variables
-- Use the bulk editor with .env format
-#### Import Configuration
-Create project variables with `envVariables` attribute. See the complete [import.yaml structure](/references/import).
-```yaml title="import.yaml"
-project:
-  ...
-  envVariables:
-    LOG_LEVEL: info
-    API_VERSION: v1
-```
-### System-Generated Variables
-Zerops automatically generates project-level variables that can be [referenced](#referencing-variables) from services.
-## Environment Variable Isolation
-A security feature that controls the **visibility** of environment variables across services within a project.
-By default, Zerops isolates environment variables between services to enhance security and prevent unintended access to sensitive information. This isolation can be configured at both project and service levels.
-### Isolation Modes
-Zerops supports two isolation modes:
+#### **Container Architecture**
+- **For Runtime Services, Linux Containers, and Docker:** Horizontal Scaling (dynamic container count)
+  - Adds or removes containers/VMs based on load
+  - Requires applications to be designed for HA operation
+  - Container/VM creation limits can be controlled
+  - Docker containers run in VMs rather than native containers
+- **For Databases & Shared Storage:** High Availability Mode (fixed container count)
+  - Single Container OR Multi-Container HA configuration
+  - Must be chosen at service creation (cannot be changed later)
+  - Managed by Zerops (no application changes needed)
+### At-a-Glance Comparison
+* ✓ = Available *(configurable, defaults vary according to service type)*
   
-      Mode
-      Description
+      Feature
+      Runtime Services & Linux Containers
+      Databases
+      Shared Storage
+      Docker
     
-      service
-      Default mode. Variables are isolated to their respective services. Services can only access their own variables and must explicitly reference variables from other services.
+      Automatic Resource Scaling
+      ✓
+      ✓
+      ✓
+      Manual (triggers VM restart)
     
-      none
-      Legacy mode. All variables from all services are automatically shared and accessible via prefixing.
+      Automatic Horizontal Scaling
+      ✓
+      Fixed # of containers
+      Fixed # of containers
+      ✓
     
-### Configuring Isolation
-#### Project-Level Isolation
-Zerops automatically creates the `envIsolation` project variable with the default value `service`. You only need to modify this if you want to disable isolation:
-```yaml title="import.yaml"
-project:
-  envIsolation: none  # Disables isolation, sharing all variables
-```
-This can also be set through the Project Environment Variables section in the GUI.
-#### Service-Level Override
-Individual services can override the project-level isolation setting:
-```yaml title="import.yaml"
-services:
-  - hostname: db
-    envIsolation: none  # This service's variables will be visible to all services
-```
+      High Availability
+      User-implemented
+      Zerops-managed HA mode
+      Zerops-managed HA mode
+      User-implemented
+    
+## When to Configure Scaling
+You can configure scaling settings at three different stages:
+- **During service creation** - Configure initial scaling parameters when creating services in the Zerops GUI. Set resource limits, CPU mode, and container counts from the start.
+- **During import** - Use YAML configuration files to define comprehensive scaling settings including `verticalAutoscaling` parameters and horizontal scaling limits. See [Import & Export YAML Configuration](/references/import) for complete syntax.
+- **After service creation** - Modify most scaling settings anytime through your service's **Automatic scaling configuration** page. Note that some parameters like deployment mode for databases and shared storage cannot be changed after creation.
+This flexibility lets you plan scaling strategies upfront or adapt them as requirements evolve.
+## Part 1: Resource Management
+Resource management in Zerops focuses on efficiently allocating and adjusting CPU, RAM, and disk resources within individual containers based on actual usage patterns.
+### CPU Options
+Two CPU allocation modes are available for any service:
+#### Shared CPU
+Shared CPU provides a physical CPU core shared with up to 10 other applications. Performance varies depending on neighbors, ranging from 1/10 to 10/10 power. This option is cost-effective for non-critical workloads, development, and testing environments.
+#### Dedicated CPU
+Dedicated CPU gives exclusive access to a full physical CPU core(s), ensuring consistent and predictable performance. This option is ideal for production environments and CPU-intensive applications.
 :::tip
-You might set a database service to `envIsolation: none` to expose its connection details to other services, without having to manually reference them, while keeping the rest of your services isolated.
+CPU mode can be changed (once per hour) as needed.
 :::
+See the [pricing](/company/pricing#resource-pricing) for the difference between CPU modes.
+### Vertical Scaling
+Vertical scaling adjusts individual resources (CPU, RAM, Disk) within existing containers. When a container needs more/less power, allocated resources are increased/decreased instead of creating a new/removing container.
+This is the preferred scaling method and is attempted first before horizontal scaling.
+These resource management capabilities apply to **runtime** services, **databases**, **shared storage**, and **Linux containers** (Alpine and Ubuntu).
 :::note
-In import YAML, `envIsolation` can also be nested under `envVariables`/`envSecrets`. (If both are present, the nested version takes precedence).
+Docker services do not support vertical scaling. Resources for Docker services are fixed at the values set manually and do not automatically adjust based on usage.
 :::
-### Accessing Variables Across Services
-#### With Isolation Enabled (`service` mode)
-When isolation is enabled, you must explicitly create reference variables to access variables from other services:
-```yaml title="zerops.yaml"
-# In the 'app' service:
-run:
-  envVariables:
-    # Create a local reference to the 'password' variable from the 'db' service
-    DB_PASSWORD: ${db_password}
-```
-This approach gives you complete control over which variables are shared between services.
-#### With Isolation Disabled (`none` mode)
-When isolation is disabled, variables are automatically available across all services with the service name prefix:
-```yaml
-# In any service, you can directly access:
-${db_password}  # Accesses the 'password' variable from the 'db' service
-```
-### Best Practices for Variable Isolation
-1. **Use Default Isolation**: Keep the default `service` isolation for enhanced security.
-2. **Explicit References**: Create explicit references only for variables that need to be shared.
-3. **Naming Conventions**: Use clear naming patterns for reference variables (e.g. `DB_PASSWORD` for a reference to `db_password`).
-4. **Service-Level Exceptions**: Use service-level isolation overrides sparingly and only for services that need to expose their variables widely.
-## Variable Restrictions
-All environment variables must follow these restrictions:
-### Key
-- Alphanumeric characters only (use `_` to separate words)
-- Must be unique within their scope
-- Case-sensitive
-### Value
-- ASCII characters only
-- No EOL characters
-## Variable Management
-### Variable Precedence
-When the same environment variable key exists in multiple places, Zerops follows these precedence rules:
-1. Service-level variables take precedence over project variables
-2. Within service-level:
-   - Build/runtime variables override secret variables
-   - Build and runtime containers are separate environments
-### Referencing Variables
-You can reference other variables using the `${variable_name}` syntax:
-#### Within Same Service
-```yaml
-envVariables:
-  id: 42069
-  hostname: app
-  name: ${id}-${hostname}  # Results in: 42069-app
-```
-#### Across Services
-How this works depends on your environment variable isolation setting:
-**With Isolation Enabled** (`service` mode - default)
-* Create an explicit reference in the destination service:
-```yaml
-# In the 'app' service
-envVariables:
-  # Creating a reference to the 'connectionString' from 'dbtest' service
-  dbConnection: ${dbtest_connectionString}
-```
-**With Isolation Disabled** (`none` mode)
-* Variables from other services are automatically injected into the container and available using the service prefix format `servicename_variablename`:
-```yaml
-# In any container, you can directly access variables from other services:
-# ${dbtest_connectionString}
-```
-#### Between Build and Runtime Environments
-Build and runtime are two distinct environments in Zerops. Each environment can have its own set of variables, and you can use the same variable names in both environments since they are separate. Due to this separation, variables defined in one are not automatically accessible in the other.
-To share variables between environments, you need to use specific prefixes:
-- Use `RUNTIME_` prefix to access runtime variables during build
-- Use `BUILD_` prefix to access build variables during runtime
-Here's an example of `zerops.yaml` file showing how to reference a runtime variable during build:
-```yaml title="zerops.yaml"
-build:
-  envVariables:
-    API_KEY: ${RUNTIME_API_KEY}  # Using runtime variable during build
-run:
-  envVariables:
-    API_KEY: "12345-abcde"      # Referenced in build with RUNTIME_ prefix
-```
-#### Project Variables
-No prefix needed when referencing project variables:
-```yaml title="import.yaml"
-project:
-  ...
-  envVariables:
-    projectName: devel
-```
-```yaml title="zerops.yaml"
-envVariables:
-  id: 42069
-  hostname: app
-  name: ${projectName}-${hostname}  # Results in: devel-app
-```
-## Environment Variable Examples
-### Variable Isolation Example
-Consider a project with three services: `api`, `db`, and `cache`:
-```yaml title="Project structure"
-project:
-  name: my-project
-services:
-  - hostname: api
-    envSecrets:
-      # Creating explicit references to needed variables
-      DB_CONNECTION: ${db_user}:${db_password}@${db_hostname}:${db_port}
-      CACHE_URL: ${cache_hostname}:${cache_port}
-  - hostname: db
-    envSecrets:
-      password: secureDbPassword
-      user: dbuser
-      port: 5432
-  - hostname: cache
-    envSecrets:
-      password: cacheServerPass
-      port: 6379
-```
-With this setup:
-- The `api` service can only access the specific `db` and `cache` variables it explicitly references
-- The `db` service cannot see any variables from `api` or `cache`
-- The `cache` service cannot see any variables from `api` or `db`
-If we changed the project's `envIsolation` to `none`, all services would be able to see all variables from all other services (prefixed with the service name).
-*Need help? Join our [Discord community](https://discord.gg/zeropsio).*
-
-----------------------------------------
-
-# Features > Infrastructure
-
-Zerops organizes your infrastructure into three hierarchical levels: **projects**, **services**, and **containers**. This structure provides secure networking, resource isolation, and scalable application deployment.
-## Projects
-A project is the top-level entity in Zerops, functioning as a private network where services can communicate internally and share environment variables. Each project provides essential infrastructure including load balancing, routing, and container orchestration.
-### Key Project Features
-- **Private Networking**: All services within a project share a secure network
-- **Environment Variables**: Services can access shared environment variables
-- **IPv6/IPv4 Addressing**: Each project receives an IPv6 address, with optional IPv4 addressing
-- **Integrated Security**: Built-in firewall and SSL certificate management
-:::tip Project Organization
-Consider your project strategy carefully. Create separate projects for different environments (dev/staging/prod) or consolidate related applications in a single project to optimize resources and simplify networking.
-:::
-### Project Core Options
-When you create a project, it requires a functioning **core** that includes logger and statistics services, HTTP routing with automatic SSL certificate management, and IP routing with integrated firewall.
-Zerops offers two core types to match different needs and budgets:
-#### Lightweight Core
-Single-container solution perfect for development projects and smaller production workloads. Includes project controller, L3 balancer, firewall, logger, statistics, and HTTP handling in one efficient package.
-:::tip Ideal For
-Development environments, low-traffic applications, personal projects, budget-conscious teams.
+### Fine-Tuning Resource Allocation
+Resource allocation can be configured through basic and advanced settings:
+#### Minimum and Maximum Resources (Basic)
+Boundaries for CPU cores, RAM, and disk space can be established.
+:::tip Resource Scaling Control
+To prevent scaling of specific resources, simply set identical minimum and maximum values for CPU, RAM, or Disk.
 :::
-#### Serious Core
-Enterprise-grade infrastructure with separated core services across multiple containers for true redundancy and high availability.
-:::tip Ideal For
-Production applications, high-traffic websites, mission-critical business applications, teams requiring maximum uptime.
+#### Start CPU Core Count (Advanced)
+How many CPU cores should be allocated when containers start to ensure reliable and fast startup:
+- Default: 2 cores
+- Applies to both dedicated and shared CPU modes
+- Higher values provide more processing power during application initialization
+- After startup, resources are automatically adjusted based on actual usage and limits
+#### RAM Scaling Thresholds (Advanced)
+RAM usage is monitored every 10 seconds to ensure optimal performance. The minimum free RAM settings serve multiple important purposes: they prevent Out of Memory (OOM) errors, provide space for kernel disk caching (which improves application performance), and maintain a buffer for sudden memory demands.
+Swap is enabled for all containers to help prevent OOM errors, but proper minimum free RAM configuration is still essential—especially for services that use large amounts of RAM or benefit from kernel disk caching. Without sufficient free memory, performance may degrade due to increased disk access.
+Two threshold types determine RAM scaling:
+1. **Minimum Free RAM (absolute value in GB)**
+   - Specifies an absolute threshold for free RAM
+   - Additional memory is triggered when available RAM falls below this fixed amount
+   - Default: 0.0625 GB (64 MB) for most services
+   - Ideal for maintaining system stability and responsiveness
+2. **Minimum Free RAM (% of Granted)**
+   - Establishes a dynamic threshold based on a percentage of total granted memory
+   - Default: 0% (disabled)
+   - The buffer scales proportionally as total memory increases
+   - Particularly useful for handling varying loads
+:::note
+Whichever setting provides more free memory is used.
 :::
-#### Features Comparison
+#### CPU Scaling Thresholds (Advanced)
+For services using [dedicated CPU](#dedicated-cpu) cores only, CPU scaling is controlled by:
+1. **Min. Free CPU Cores (%)**
+   - Scale-up is triggered when free capacity drops below a fixed fraction of a single CPU core
+   - Default: 10%
+   - Set as a percentage of a single core's capacity
+   - Example: Setting to 20% means that with one core, at least 20% of that core should remain free
+2. **Dynamic Min. Free Total Core Percent**
+   - Scale-up is triggered when total free capacity across all cores falls below a percentage of total capacity
+   - Default: 0% (disabled)
+   - Dynamically adjusts as the number of cores changes
+   - Ideal for accommodating varying load distributions
+   - Example: 20% setting ensures at least 20% of the combined capacity of all cores remains free
+### Resource Scaling Behavior
+Zerops implements an exponential growth pattern ensuring that **resources grow gradually** for minor load increases but can scale rapidly when significant additional capacity is needed. When resource usage triggers scaling, Zerops initially adds smaller increments, but as demand continues to increase, it can add larger increments to quickly meet the needs of your application.
+Below are the parameters that control this behavior across all services that support vertical scaling:
+- **Data Collection Interval:** How frequently resource usage metrics are collected
+- **Scale-Up Window Interval:** The timeframe in which high usage must persist before adding resources
+- **Scale-Down Window Interval:** The timeframe in which low usage must persist before reducing resources
+- **Scale-Up Threshold Percentile:** The usage percentile that triggers resource scaling up
+- **Scale-Down Threshold Percentile:** The usage percentile that triggers resource scaling down
+- **Minimum Step:** The smallest increment by which resources can increase during scaling
+- **Maximum Step:** The largest possible increment for resources when scaling rapidly under high load
   
-      Lightweight Core
-      Serious Core
+      Parameter
+      CPU
+      RAM
+      Disk
     
-      Infrastructure
-      Single container (limited redundancy)
-      Multi-container (highly available)
+      Data Collection Interval
+      10 seconds
+      10 seconds
+      10 seconds
     
-      SSL Termination
-      
-      Automatic Certificate Generation
-      
-      Proxy / Load Balancer
-      
-      IPv6 Address
-      
-      Build Time
-      15 hours
-      150 hours
+      Scale-Up Window Interval
+      20 seconds
+      10 seconds
+      10 seconds
     
-      Backup Space
-      5 GB
-      25 GB
+      Scale-Down Window Interval
+      60 seconds
+      120 seconds
+      300 seconds
     
-      Egress
-      100 GB
-      3 TB
+      Scale-Up Threshold Percentile
+      60
+      50
+      50
     
-      Failover Protection
-      Limited
-      Comprehensive
+      Scale-Down Threshold Percentile
+      40
+      50
+      50
     
-For detailed pricing information on both core types, visit our [pricing page](/company/pricing#project-core-plans).
-#### Project Core Upgrade
-You can upgrade from Lightweight Core to Serious Core for enhanced reliability and increased resources.
-:::warning Important
-The core upgrade is a **partially destructive process** that will temporarily disrupt your project's operations. Plan upgrades during maintenance windows.
-:::
-**What happens during upgrade:**
-- All project logs and statistics will be lost (forwarded logs/statistics are not affected)
-- Services will be network-unavailable during the process (avg. 35 seconds but can take longer)
-- $10 project core fee will be charged upon upgrade
-- Free project resources will reset to Serious Core limits
-- Project IP addresses remain unchanged
-:::important
-If you encounter issues, **contact support immediately** and try running the process again.
+      Minimum Step
+      1 (0.1 cores)
+      0.125 GB
+      0.5 GB
+    
+      Maximum Step
+      40
+      32 GB
+      128 GB
+    
+## Part 2: Container Architecture — Service-Specific Approaches
+Container architecture in Zerops defines how services are distributed across containers. Different service types use fundamentally different approaches:
+1. **Horizontal Scaling** (Runtime Services, Linux Containers, and Docker)
+2. **Deployment Modes** (Databases and Shared Storage)
+### Horizontal Scaling (Runtime Services, Linux Containers, and Docker)
+Horizontal scaling adds or removes entire containers (or VMs for Docker) as demand fluctuates.
+* When vertical scaling reaches its defined maximum, new containers/VMs are automatically added to handle additional load.
+* As demand decreases, containers/VMs are gradually removed to optimize resource usage.
+:::important HA-ready Applications
+For applications to work properly across multiple containers, they must be designed to be HA-ready.
 :::
-## Services
-Services encapsulate your containers and provide specific functionality within a project. A project can contain unlimited services, each with its own purpose.
-**Service types include:**
-- Runtimes, Linux Containers & Docker
-- Databases, Search Engines & Messages Brokers
-- Storages
-- *System services (needed for fully functioning project core)*
-**Management options:**
-- **Fully managed**: Zerops handles scaling, routing, and repairs automatically (Databases and Storages)
-- **Partially managed**: You maintain control over certain management aspects (Runtimes)
-Services within a project communicate via internal hostnames and can share environment variables for seamless integration.
-## Containers
-Containers are the most granular level of the Zerops architecture. Each service consists of one or more containers that work together to deliver functionality.
-**Container deployment:**
-- Single containers for simple applications
-- Multiple containers for High Availability (HA) mode (e.g. fully managed MariaDB service in HA mode uses 3 containers for the database cluster and 2 for proxies)
-**Container capabilities:**
-- Use predefined images or custom configurations
-- Can be exposed publicly via Zerops subdomains, custom domains, or public ports
-- Operate within service resource constraints with automatic scaling
+#### Setting Horizontal Scaling Parameters
+To configure horizontal scaling, users need to set the minimum and maximum number of containers:
+- **Minimum Containers**: The baseline number of containers that should always be running (system limit: 1)
+- **Maximum Containers**: The upper limit of containers that can be created during high demand (system limit: 10)
+:::tip Disable Horizontal Scaling
+Setting identical minimum and maximum values creates a fixed number of containers (disables automatic horizontal scaling).
+:::
+### Deployment Modes (Databases and Shared Storage)
+For databases and shared storage services, Zerops offers two deployment modes focused on reliability and data integrity.
+:::warning
+Deployment mode cannot be changed after creation.
+:::
+#### Single Container Mode
+Single Container Mode provides one container with vertical scaling only. This is suitable for development environments or non-critical data storage.
+**Characteristics:**
+- Limited redundancy
+- No automatic recovery if the container fails
+- Data since last backup (if available) may be lost if failure occurs
+- Cost-effective for non-production environments
+#### Highly Available (HA) Mode
+Highly Available (HA) Mode creates multiple containers with built-in redundancy. This mode is strongly recommended for production environments and mission-critical data.
+**Characteristics:**
+- Multiple containers distributed across different physical machines
+- Automatic failover and recovery mechanisms
+- Data redundancy and integrity protection
+- Higher reliability and availability
+- Recommended for production use
+:::important
+Database and shared storage services in HA mode have a **fixed number of containers** that cannot be increased or decreased.
+:::
+**Recovery process:**
+In HA mode, when a container or physical machine fails, recovery is handled automatically:
+1. The failed container is disconnected from the cluster
+2. A new container is created on a different physical machine
+3. Data is synchronized from remaining healthy copies
+4. The failed container is removed
+5. Service continues with minimal disruption
+### Fixed Resource Allocation (Docker Services)
+Docker services in Zerops operate differently from other service types:
+#### Docker Service Characteristics
+- **VM-Based Deployment**: Docker services run in virtual machines rather than containers
+- **Fixed Resources**: Unlike other services, Docker services do not support automatic vertical scaling
+- **User-Defined Resources**: Resources are set at creation and remain fixed until manually changed
+- **VM Count Changes**: The number of VMs can be changed, but this requires a VM restart
+- **No Automatic Scaling**: Resource levels do not automatically adjust based on usage
+**Important Considerations for Docker Services:**
+- Initial resource values should be chosen carefully, as they cannot automatically scale
+- Planning for expected peak loads is important when setting resource values
+- Runtime services or Linux containers should be considered instead if dynamic scaling is essential
+- VM restarts cause temporary service disruption when changing VM count or resources
+:::warning
+Docker services use fixed resources that do not automatically scale. Sufficient resources should be allocated at creation to handle expected workload. Additionally, disk space for Docker services can only be increased, not decreased without recreation of the service.
+:::
+## Monitoring Your Infrastructure
+Zerops provides comprehensive monitoring tools in the user interface to track both resource usage and container scaling activities:
+### Resource History Graphs
+Resource and container scaling can be visualized over time:
+- CPU utilization per container
+- RAM usage patterns
+- Disk space consumption
+- Container count changes
+These graphs help understand application resource needs, identify usage patterns, and fine-tune scaling settings for optimal performance and cost efficiency.
+## Troubleshooting
+#### Resource-Related Issues (All Service Types Except Docker)
+**Out of Memory Errors**
+* **Issue:** Application crashes with OOM errors despite resource scaling.
+* **Possible Cause:** Insufficient minimum free RAM setting.
+* **Solution:**
+    - Increase the "Minimum free RAM" setting
+    - Check for memory leaks in the application
+    - Consider setting a higher minimum RAM value
+**Excessive Resource Costs**
+* **Issue:** Resources scaling up but not scaling down efficiently.
+* **Possible Cause:** Scale-down thresholds not optimized.
+* **Solution:**
+    - Review usage patterns in monitoring graphs
+    - Adjust scale-down thresholds to be more aggressive
+    - Set appropriate resource minimums based on base requirements
+#### Runtime Service and Linux Container Issues (Horizontal Scaling)
+**Application Not Working Properly Across Multiple Containers**
+* **Issue:** Application errors or inconsistent behavior when horizontally scaled.
+* **Possible Cause:** Application not designed for distributed operation.
+* **Solution:**
+    - Ensure the application properly handles stateless operation
+    - Implement proper session management across containers
+    - Review and modify application code to support multiple instances
+#### Docker Service Issues
+**Insufficient Resources for Workload**
+* **Issue:** Docker service experiencing performance issues or crashes.
+* **Possible Cause:** Fixed resources inadequate for actual workload.
+* **Solution:**
+    - Since Docker services don't support automatic vertical scaling, a new service with higher resource allocations may be needed
+    - Consider migrating to a runtime service or Linux container if dynamic resource scaling is needed
+*Need help implementing scaling in your project? Join our [Discord community](https://discord.gg/zerops) where our team and other Zerops users can assist you!*
 
 ----------------------------------------
 
-# Features > Pipeline
+# Frameworks > Laravel
 
-export const languages = [
-    { name: "Node.js", link: "/nodejs/how-to/build-pipeline" },
-    { name: "PHP", link: "/php/how-to/build-pipeline" },
-    { name: "Python", link: "/python/how-to/build-pipeline" },
-    { name: "Go", link: "/go/how-to/build-pipeline" },
-    { name: ".NET", link: "/dotnet/how-to/build-pipeline" },
-    { name: "Rust", link: "/rust/how-to/build-pipeline" },
-    { name: "Java", link: "/java/how-to/build-pipeline" },
-    { name: "Elixir", link: "/elixir/how-to/build-pipeline" },
-    { name: "Deno", link: "/deno/how-to/build-pipeline" },
-    { name: "Bun", link: "/bun/how-to/build-pipeline" },
-    { name: "Gleam", link: "/gleam/how-to/build-pipeline" },
-    { name: "Nginx", link: "/nginx/how-to/build-pipeline" }
-]
-export const customizeBuild = [
-    { name: "Node.js", link: "/nodejs/how-to/build-process#build-environment" },
-    { name: "PHP", link: "/php/how-to/build-process#build-environment" },
-    { name: "Python", link: "/python/how-to/build-process#build-environment" },
-    { name: "Go", link: "/go/how-to/build-process#build-environment" },
-    { name: ".NET", link: "/dotnet/how-to/build-process#build-environment" },
-    { name: "Rust", link: "/rust/how-to/build-process#build-environment" },
-    { name: "Java", link: "/java/how-to/build-process#build-environment" },
-    { name: "Elixir", link: "/elixir/how-to/build-process#build-environment" },
-    { name: "Deno", link: "/deno/how-to/build-process#build-environment" },
-    { name: "Bun", link: "/bun/how-to/build-process#build-environment" },
-    { name: "Gleam", link: "/gleam/how-to/build-process#build-environment" },
-    { name: "Nginx", link: "/nginx/how-to/build-process#build-environment" }
-]
-export const customizeRuntime = [
-    { name: "Node.js", link: "/nodejs/how-to/customize-runtime" },
-    { name: "PHP", link: "/php/how-to/customize-runtime" },
-    { name: "Python", link: "/python/how-to/customize-runtime" },
-    { name: "Go", link: "/go/how-to/customize-runtime" },
-    { name: ".NET", link: "/dotnet/how-to/customize-runtime" },
-    { name: "Rust", link: "/rust/how-to/customize-runtime" },
-    { name: "Java", link: "/java/how-to/customize-runtime" },
-    { name: "Elixir", link: "/elixir/how-to/customize-runtime" },
-    { name: "Deno", link: "/deno/how-to/customize-runtime" },
-    { name: "Bun", link: "/bun/how-to/customize-runtime" },
-    { name: "Gleam", link: "/gleam/how-to/customize-runtime" },
-    { name: "Nginx", link: "/nginx/how-to/customize-runtime" }
-]
-## Configure the pipeline
-Zerops provides a customizable build and runtime environment for your application. Start by adding a [zerops.yaml](/zerops-yaml/specification) file to the **root of your repository** and modify it to fit your application.
-Here is a basic example for a Node.js application:
+# Laravel on Zerops
+> Modern Laravel development demands infrastructure that doesn't get in your way. Zerops provides the foundation that lets you focus on building great apps, not wrestling with environment configuration or resource management.
+## Why Zerops for Laravel?
+Zerops implements what we call "transparent infrastructure" - you get enterprise-grade capabilities with development-friendly ergonomics. This means:
+- **Full system access** across all environments
+- **Granular resource control** starting at 0.125GB RAM
+- **True environment parity** from local to production
+- **Zero-downtime deployments** by default
+*No artificial limitations, no framework-specific compromises - just solid infrastructure that lets Laravel do what it does best.*
+:::tip
+New Zerops accounts receive $15 in free credits for testing. After verifying your account with a $10 initial payment, you'll get an additional $50 in credits.
+:::
+## Quick Start
+Choose a recipe that matches your needs and deploy with a single click. Each recipe sets up a complete environment with all necessary services preconfigured.
+All recipes include:
+- **PHP 8.3 + Nginx**
+- **PostgreSQL 16**
+- **L3/L7 balancers**
+- **Logging & metrics**
+  
+      The most bare-bones examples of Laravel app including core services + PostgreSQL.
+      
+      A full-stack setup including Redis, Object Storage, and Mailpit.
+            
+        Admin panel optimized setup including Redis, Object Storage, and Mailpit.
+              
+        Content management focused setup including Redis, Object Storage, and Mailpit.
+              
+## Core Features
+### Infrastructure and Security
+Each project runs in its own isolated network with enterprise-level security features automatically configured.
+What makes this special is how it combines security with simplicity - this infrastructure requires zero configuration from you – it's all handled automatically when you create your project.
+### Native Service Discovery
+Services within your project communicate seamlessly using internal hostnames:
+```php title=".env"
+DB_HOST=${db_hostname}
+REDIS_HOST=${cache_hostname}
+```
+*Environment variables are automatically injected and synchronized across all containers.*
+### Intelligent Scaling
+One of Zerops' most powerful features is its intelligent autoscaling system, which:
+* Scales resources (CPU, RAM, Disk) up and down based on actual usage
+* Maintains minimum required resources to optimize costs
+* Handles both vertical and horizontal scaling automatically
+* Manages disk space dynamically (a unique feature in the industry)
+Through a simple configuration, you define resource boundaries while Zerops automatically handles the complex scaling decisions:
 ```yaml
+# Example scaling configuration
+services:
+  - hostname: app
+    minContainers: 2
+    maxContainers: 6
+    cpu:
+      min: 1
+      max: 4
+    ram:
+      min: 0.25
+      max: 4
+```
+### Zero-Downtime Deployments
+Deploy with confidence using our battle-tested pipeline:
+```yaml title="zerops.yaml"
 zerops:
-  - setup: api
+  - setup: app
     build:
-      base: nodejs@20
+      base: php@8.3
       buildCommands:
-        - npm i
-        - npm run build
-      deployFiles: ./dist
-      cache: node_modules
+        - composer install --no-dev --optimize-autoloader
+      deployFiles: ./
+      cache: vendor
     run:
-      base: nodejs@20
-      start: npm start
-```
-The zerops.yaml in your repository tells Zerops how to build and deploy your application. When the build & deploy pipeline triggers for the Node.js service named `api`, Zerops will:
-1. Create a build environment with Node.js v.20 preinstalled
-2. Run build commands: `npm i`, `npm run build`
-3. Create a runtime environment with Node.js v.20 preinstalled
-4. Deploy the built artifact from the `./dist` folder to runtime containers
-5. Cache the `./node_modules` folder for faster subsequent builds
-6. Start your application using `npm start`
-Learn more about `zerops.yaml` parameters for your runtime:
-## Trigger the pipeline
-  
-### Continuous deployment
-Set up automatic builds triggered by Git events. You can establish continuous deployment in two ways:
-* **New Service:** Create a new runtime service and connect it to your GitHub or GitLab repository during the service creation process.
-* **Existing Services:** Go to the service detail and choose **Pipelines & CI/CD settings** from the left menu. Click **Connect with a GitHub repository** or **Connect with a GitLab repository** to link your repository.
-Once connected, Zerops will automatically build and deploy your application with each push to the selected branch or when you create a new tag.
-  
-### On-demand deployment
-Trigger builds and deployments manually when needed using either the CLI or GUI.
-#### Using Zerops CLI
-- **Build and deploy:** `zcli service push` - Uploads code and triggers the full pipeline
-- **Deploy only:** `zcli service deploy` - Skips build, deploys pre-built artifacts
-See [CLI commands documentation](/references/cli/commands#service-operations) for all parameters.
-#### Using Zerops GUI
-In **Pipelines & CI/CD settings** section of your service detail:
-- **Re-deploy last pipeline** - With optional secret env variable updates
-- **Trigger new pipeline** - From git repo or with custom configuration
-#### Using import YAML
-Add `buildFromGit: ` to your service configuration for one-time build during import. See [import documentation](/references/import#service-basic-configuration).
-## Build phase
-  
-Zerops starts a temporary build container and executes these steps:
-1. **Install build environment** - Sets up the runtime and tools
-2. **Download source code** - From [GitHub ↗](https://www.github.com), [GitLab ↗](https://www.gitlab.com) or via [Zerops CLI](/references/cli)
-3. **Customize environment** - Runs optional preparation commands
-4. **Execute build commands** - Compiles and packages your application
-5. **Upload artifacts** - Stores build output in internal Zerops storage
-6. **Cache files** - Optionally [caches](/features/build-cache) selected files for faster future builds
-Zerops automatically deletes the build container after the build finishes or fails.
-### Build hardware resources
-All runtime services use the same hardware resources for build containers:
-  
-      HW resource
-      Minimum
-      Maximum
-    
-      CPU cores
-      1
-      5
-    
-      RAM
-      8 GB
-      8 GB
-    
-      Disk
-      1 GB
-      100 GB
-    
-Build containers start with minimum resources and scale vertically up to maximum capacity as needed.
-:::info
-Build container resources are not charged. Build costs are covered by the standard Zerops [project fee](https://zerops.io/#pricing).
+      base: php-nginx@8.3
+      initCommands:
+        - php artisan config:cache
+        - php artisan route:cache
+        - php artisan migrate --force --isolated
+```
+### High Availability
+Every service can run in HA mode with automatic failover.
+```yaml
+services:
+  - hostname: db
+    type: postgresql@16
+    mode: HA  # Automatic primary-replica setup
+  - hostname: cache
+    type: valkey@7.2
+    mode: HA  # Redis cluster configuration
+```
+Setting up a production-grade HA database cluster typically requires deep DevOps expertise. Zerops automates this complexity, giving you an enterprise-grade setup with a single configuration flag:
+* **Database Cluster** distributed across multiple physical servers
+* **Automatic failover** and data replication
+* **Enhanced performance** through load distribution
+* **Production-grade reliability** out of the box
+## Development Workflow
+### Team Collaboration
+Zerops enables seamless team development through:
+* **Declarative Infrastructure** - version control your entire setup
+* **Identical Environments** - every team member gets production-parity
+* **Automated Setup** - new team members are productive in minutes
+* **Transparent Configuration** - easily review and audit changes
+### Local Development
+Connect to your production-grade databases without any local setup through Zerops' VPN.
+Start with
+```
+zcli vpn up
+```
+and select your project. Get your database credentials from the service's **Access details** in your project dashboard and update your local `.env`. See PostgreSQL example below:
+```yaml
+DB_CONNECTION=pgsql
+DB_HOST=db.zerops  # References the service's hostname
+DB_PORT=5432
+DB_DATABASE=db
+DB_USERNAME=db
+DB_PASSWORD=[password from Access details]
+```
+With this configuration, you can use any database tool - no local installation needed.
+### Deployment Options
+Choose the workflow that fits your team:
+1. **GitHub/GitLab Integration**
+   - Automatic deployments on push/merge
+   - Branch-specific environments
+   - Build caching and artifacts
+2. **CLI-Driven Pipeline**
+   ```bash
+   # Deploy from your terminal
+   zcli push
+   ```
+3. **Manual Triggers**
+   - Deploy specific versions
+   - Roll back to previous states
+   - Test deployment configurations
+## Next Steps
+- [Environment Variables](/frameworks/laravel/env-variables)
+- [Database Migrations](/frameworks/laravel/migrations)
+- [Cache & Queue with Redis](/frameworks/laravel/redis)
+- [Schedule Jobs & CRON](//frameworks/laravel/cron)
+- [SMTP Configuration](/frameworks/laravel/smtp)
+- [Logs](/frameworks/laravel/logs)
+## Resources
+- [Laravel Documentation](https://laravel.com/docs)
+- [Laravel Recipe Repository](https://github.com/zeropsio/recipe-laravel-minimal)
+- [zCLI Documentation](/references/cli)
+*Need help? Join our [Discord community](https://discord.gg/zeropsio) or check out our [quickstart guide](/frameworks/laravel/introduction).*
+
+----------------------------------------
+
+# Frameworks > Laravel > Cron
+
+Zerops provides a convenient way for managing scheduled tasks through CRON jobs, configured directly in your `zerops.yaml` file. These tasks can be scheduled to run on single or multiple containers with granular timing control.
+## Basic Configuration
+Cron jobs are defined in the `run.crontab` section of your `zerops.yaml`. Each job requires two essential parameters:
+- **command**: The command to execute
+- **timing**: The CRON schedule expression
+```yaml
+run: 
+  crontab:
+    - command: "date >> /var/log/cron.log"
+      timing: "0 * * * *"
+```
+This example logs the current timestamp every hour.
+:::tip Detailed Configuration
+For comprehensive configuration options and examples, refer to our [CRON configuration guide](/zerops-yaml/cron).
 :::
-### Build time limit
-The entire build pipeline has a **1 hour** time limit. After 1 hour, Zerops terminates the build pipeline and deletes the build container.
-### Customize the build environment
-All runtime services start with a default build environment based on the [build.base](/zerops-yaml/specification#base-) attribute in `zerops.yaml`. Install additional packages or tools by adding [build.prepareCommands](/zerops-yaml/specification#preparecommands-) to your configuration.
-Learn more about customizing build environments:
-## Runtime prepare phase (optional)
-  
-When your application requires additional system packages, libraries, or tools in the runtime environment, Zerops allows you to build a custom runtime image. This optional phase occurs after the build phase and before deployment.
-### When to use custom runtime images
-Build custom runtime images when you need:
-- System packages or libraries for runtime operations (e.g., `apk add imagemagick` for image processing)
-- Library dependencies for interpreted languages or dynamically linked binaries
-- System-level tools or utilities your application requires
-- Customized base operating system or additional software layers
-### Configuration
-Configure custom runtime images in your `zerops.yml` file using these fields:
-#### `run.os` + `run.base`
-Specify the operating system and base packages for your custom runtime image:
+## Common Implementation Patterns
+### Laravel Scheduler
+To run Laravel's scheduler, configure it to execute every minute:
 ```yaml
-run:
-  os: alpine # or ubuntu
-  base: nodejs@20 # specify your runtime and version
+run: 
+  crontab:
+    - command: "php artisan schedule:run"
+      timing: "* * * * *"
+      workingDir: /var/www/html
 ```
-#### `run.prepareCommands`
-Define commands that customize your runtime image. These commands run inside a fresh base container:
+### Cleanup Tasks
+Execute maintenance tasks on all containers:
+```yaml
+run: 
+  crontab:
+    - command: "rm -rf /tmp/*"
+      timing: "0 0 * * *"
+      allContainers: true
+```
+### Multiple Jobs
+Configure multiple scheduled tasks within a single service:
 ```yaml
 run:
-  prepareCommands:
-    - sudo apk add --no-cache imagemagick
-    - sudo apt-get update && apt-get install -y some-package  # for Ubuntu
+  crontab:
+    - command: "php artisan schedule:run"
+      timing: "* * * * *"
+      workingDir: /var/www/html
+    
+    - command: "php artisan cache:clear"
+      timing: "0 0 * * *"
+      workingDir: /var/www/html
+      
+    - command: "php artisan queue:restart"
+      timing: "0 */6 * * *"
+      workingDir: /var/www/html
 ```
-Zerops creates the custom runtime image from this container after all commands complete successfully.
-#### `build.addToRunPrepare`
-Copy specific files from the build phase to the runtime prepare phase. This is useful when you need source files during runtime preparation:
+## Best Practices
+1. **Log Output**: Implement comprehensive logging for debugging and monitoring:
+   ```yaml
+   command: "php artisan schedule:run >> /var/log/scheduler.log 2>&1"
+   ```
+2. **Working Directory**: Always specify `workingDir` for Laravel commands to ensure they are executed from the correct location.
+3. **Container Selection**: Use `allContainers: true` carefully to avoid duplicate operations in a multi-container setup.
+4. **Timing Considerations**: Schedule intensive tasks during off-peak hours.
+## Monitoring
+Enable detailed scheduler [logging](/frameworks/laravel/logs) in your `.env`:
+```
+LOG_CHANNEL=daily
+```
+
+----------------------------------------
+
+# Frameworks > Laravel > Env Variables
+
+Zerops manages environment variables without requiring manual `.env` files, enabling application deployment across different environments (development, staging, production) while keeping environment-specific configurations isolated from your code.
+Read more about how [environment variables](/features/env-variables) work in Zerops.
+## Laravel Environment Variables in Zerops
+### Secret Variables
+Some Laravel variables contain sensitive information that should never be exposed as plain text. Manage these using Zerops Secret Variables by:
+* Creating and managing them through the Zerops GUI
+* Defining them in a configuration file when importing a project or service (allows [automatic generation](#automatic-generation-during-import))
+When importing a project or service, you can define secret variables directly in your import configuration:
 ```yaml
-build:
-  addToRunPrepare:
-    - package.json
-    - requirements.txt
-    - config/runtime-setup.sh
+services:
+  - hostname: app
+    type: php-nginx@8.4
+    envSecrets:
+      APP_KEY: your-secret-key
 ```
-These files are packed immediately after `build.buildCommands` finish and become available during the runtime prepare phase.
-### How it works
-When you trigger the first deploy with defined [run.prepareCommands](/zerops-yaml/specification#preparecommands--1), Zerops:
-1. **Creates prepare container** - Based on `run.os` and `run.base`
-2. **Copies build files** - Files specified in [build.addToRunPrepare](/zerops-yaml/specification#addtorunprepare-) (if any)
-3. **Runs prepare commands** - Executes [run.prepareCommands](/zerops-yaml/specification#preparecommands--1) in order
-4. **Creates runtime image** - Builds custom runtime image from the prepared container
-5. **Uses for deployment** - Deploys your application using this custom runtime image
-### Custom runtime image caching
-Zerops caches custom runtime images to optimize deployment times. The runtime prepare phase is skipped and cached images are reused when:
-- It is not the first deployment of your service
-- None of these `zerops.yaml` fields changed since the last deployment:
-  - `run.os` or `run.base`
-  - `run.prepareCommands`
-  - `build.addToRunPrepare`
-- File contents specified in `build.addToRunPrepare` remain unchanged
-- The custom runtime image cache hasn't been manually invalidated
-#### Manual cache invalidation
-To invalidate the custom runtime image cache, go to your service detail in the Zerops GUI, choose **Pipelines & CI/CD settings** section from the left menu, and click on the button under **Pipeline #**. Then click on the **Clear runtime prepare image** button.
-Learn more about building custom runtime images:
-:::warning
-Do not include your application code in the custom runtime image, as your built application code is deployed automatically into fresh containers.
-Shared storage mounts are also not available during the runtime prepare phase.
-:::
-## Deploy phase
-  
-### Application artifacts
-After the [build phase](#build-phase) completes, Zerops stores the application artifact in internal storage and deletes the build container.
-For [manual deployments](#manual-deploy-using-zerops-cli) using Zerops CLI, the application artifact is also uploaded to internal storage.
-Zerops uses the stored artifact to deploy identical versions of your application whenever a new container starts:
-- During new application version deployments
-- When applications [scale horizontally](/features/scaling-ha#horizontal-scaling-runtime-services-linux-containers-and-docker)
-- When runtime containers fail and new containers start automatically
-### First deploy
-For initial deployments, Zerops starts one or more runtime containers based on your service [auto scaling settings](/features/scaling-ha).
-Zerops executes these steps for each new container:
-1. **Install runtime environment** - Sets up the runtime (or uses a custom runtime image if configured)
-2. **Download application artifact** - Retrieves build output from internal storage
-3. **Run initialization** - Executes optional [init commands](/zerops-yaml/specification#initcommands-)
-4. **Start application** - Launches your app using the [start command](/zerops-yaml/specification#startcommands-)
-5. **Check readiness** - Waits for [readiness check](/zerops-yaml/specification#readinesscheck-) to succeed (if configured)
-6. **Activate container** - Container becomes active and receives incoming requests
-Services with multiple containers deploy in parallel.
-:::info
-If your application needs initialization in each runtime container, add [init commands](/zerops-yaml/specification#initcommands-) to `zerops.yaml`.
-:::
-:::caution
-Do not use `initCommands` for runtime environment customization. See [how to build custom runtime images](#runtime-prepare-phase-optional).
+:::tip
+Secret variables can be updated at any time without requiring application redeployment.
 :::
-### Subsequent deploys
-For applications with existing running versions, Zerops starts new containers matching the count of existing containers.
-Zerops executes the same steps as the first deployment for each new container. Your service briefly contains both new and old versions during this process.
-Old containers are then removed from the project balancer to stop receiving new requests. The processes inside old containers terminate and Zerops gradually deletes all old containers.
-### Readiness checks
-If your application is not ready to handle requests immediately after starting via the [start command](/zerops-yaml/specification#startcommands-), configure a [readiness check](/zerops-yaml/specification#readinesscheck-) in your `zerops.yaml`.
-When readiness checks are defined, Zerops:
-1. **Starts your application**
-2. **Performs readiness check**
-3. **Waits and retries** - If check fails, waits 5 seconds and repeats step 2
-4. **Activates container** - If check succeeds, marks container as active
-Runtime containers with pending readiness checks do not receive incoming requests - only active containers handle traffic.
-If readiness checks fail for 5 minutes, Zerops marks the container as failed, deletes it, creates a new container, and repeats the deployment process.
-**Readiness check types:**
-- `httpGet` - Succeeds when URL returns HTTP `2xx` status (5-second timeout, follows `3xx` redirects)
-- `exec.command` - Succeeds when command returns status code 0 (5-second timeout)
-Read the [runtime log](/nodejs/how-to/logs#runtime-log) to troubleshoot failed readiness checks.
-## Manual deploy using Zerops CLI
-  
-Start deploy-only pipelines using the [Zerops CLI](/references/cli). The `zcli service deploy` command uploads and deploys your application in Zerops. Use this when you have your own build process. For building applications in Zerops, use [continuous](#continuous-deployment) or [on-demand](#on-demand-deployment) deployment instead.
-```sh
-Usage:
-  zcli service deploy pathToFileOrDir [flags]
-Flags:
-      --archive-file-path string   If set, zCLI creates a tar.gz archive with the application code in the required path relative
-                                 to the working directory. By default, no archive is created.
-      --deploy-git-folder          Sets a custom path to the zerops.yaml file relative to the working directory. By default zCLI
-                                 looks for zerops.yaml in the working directory.
-  -h, --help                     the service deploy command.
-      --project-id string         If you have access to more than one project, you must specify the project ID for which the
-                                 command is to be executed.
-      --service-id string         If you have access to more than one service, you must specify the service ID for which the
-                                 command is to be executed.
-      --version-name string       Adds a custom version name. Automatically filled if the VERSIONNAME environment variable exists.
-      --working-dir string        Sets a custom working directory. Default working directory is the current directory. (default "./")
-      --zerops-yaml-path string    Sets a custom path to the zerops.yaml file relative to the working directory. By default zCLI
-                                 looks for zerops.yaml in the working directory.
+#### Automatic Generation During Import
+If you prefer to have certain secrets **generated automatically**, you can use the [yaml preprocessor](/references/import-yaml/pre-processor). This is optional and only available during import:
+```yaml
+#yamlPreprocessor=on
+services:
+  - hostname: app
+    type: php-nginx@8.4
+    envSecrets:
+      APP_KEY: )>
 ```
-`pathToFileOrDir` defines paths to directories and/or files relative to the working directory. The working directory defaults to the current directory and can be changed using the `--working-dir` flag.
-Place `zerops.yaml` in the working directory.
-:::info
-You can modify the deploy pipeline anytime by updating the `zerops.yaml` in your working directory.
+### Runtime Variables
+These variables, defined in `zerops.yaml`, are typically environment-specific but not sensitive.
+:::note
+Changes to runtime variables require application redeployment to take effect.
 :::
-## Manage builds and deployments
-### Cancel running build
-When you need to cancel an incorrect running build, use the Zerops GUI. Go to the service detail, open the running processes list, and click **Open pipeline detail**. Then click **Cancel build**.
-  
-:::caution
-Build cancellation is only available before the build pipeline finishes. Once the build completes, deployment cannot be cancelled.
+Below is a complete working example of `envVariables` in `zerops.yaml` (sourced from [Laravel Jetstream recipe](https://github.com/zeropsio/recipe-laravel-jetstream/blob/main/zerops.yaml)):
+```yaml title="zerops.yaml"
+run:
+  envVariables:
+    APP_LOCALE: en
+    APP_FAKER_LOCALE: en_US
+    APP_FALLBACK_LOCALE: en
+    APP_MAINTENANCE_DRIVER: file
+    APP_MAINTENANCE_STORE: database
+    APP_TIMEZONE: UTC
+    APP_URL: ${zeropsSubdomain}          # References generated variable
+    ASSET_URL: ${APP_URL}
+    VITE_APP_NAME: ${APP_NAME}
+    # PostgreSQL connection settings
+    DB_CONNECTION: pgsql
+    DB_DATABASE: db
+    DB_HOST: db                          # References database service hostname
+    DB_PASSWORD: ${db_password}          # References database password
+    DB_PORT: 5432
+    DB_USERNAME: ${db_user}              # References database user
+    # S3-compatible object storage settings
+    AWS_ACCESS_KEY_ID: ${storage_accessKeyId}
+    AWS_REGION: us-east-1
+    AWS_BUCKET: ${storage_bucketName}    # References bucket name of service 'storage'
+    AWS_ENDPOINT: ${storage_apiUrl}
+    AWS_SECRET_ACCESS_KEY: ${storage_secretAccessKey} # Safely references secret
+    AWS_URL: ${storage_apiUrl}/${storage_bucketName}
+    AWS_USE_PATH_STYLE_ENDPOINT: true
+    FILESYSTEM_DISK: s3
+    # Logging Configuration
+    LOG_CHANNEL: syslog
+    LOG_LEVEL: debug
+    LOG_STACK: single
+    # SMTP settings for email delivery
+    MAIL_FROM_ADDRESS: hello@example.com
+    MAIL_FROM_NAME: ZeropsLaravel
+    MAIL_HOST: mailpit                   # References mail service hostname
+    MAIL_MAILER: smtp
+    MAIL_PORT: 1025
+    # Redis-based caching and session management
+    BROADCAST_CONNECTION: redis
+    CACHE_PREFIX: cache
+    CACHE_STORE: redis
+    QUEUE_CONNECTION: redis
+    REDIS_CLIENT: phpredis
+    REDIS_HOST: valkey                    # References Redis service hostname
+    REDIS_PORT: 6379
+    SESSION_DRIVER: redis
+    SESSION_ENCRYPT: false
+    SESSION_LIFETIME: 120
+    SESSION_PATH: /
+    # Security Configuration
+    BCRYPT_ROUNDS: 12
+    TRUSTED_PROXIES: "*"
+```
+Let's look at variable configurations that may need additional context and where to find detailed implementation guides:
+#### Application Configuration
+Core application settings that define your Laravel app's identity, URL structure, and environment parameters. Reference environment variables from the same service.
+```yaml
+APP_URL: ${zeropsSubdomain} # zeropsSubdomain variable is system generated
+ASSET_URL: ${APP_URL}
+VITE_APP_NAME: ${APP_NAME} # APP_NAME variable was created during import (envSecrets)
+```
+#### Database Configuration
+Essential database connection parameters that securely reference your PostgreSQL service `db` by hostname and its variables - `password` and `user`.
+It is safe to store `DB_PASSWORD` in `envVariables` by reference as it does not contain the sensitive value itself.
+```yaml
+DB_HOST: db
+DB_PASSWORD: ${db_password}
+DB_USERNAME: ${db_user}
+```
+Read more about [database management](/frameworks/laravel/migrations) for Laravel in Zerops.
+#### Storage Configuration
+S3-compatible object storage settings that enable efficient file handling and asset management in your Laravel application. Reference variables of Object storage service called `storage`.
+```yaml
+AWS_ACCESS_KEY_ID: ${storage_accessKeyId}
+AWS_REGION: us-east-1
+AWS_BUCKET: ${storage_bucketName}
+AWS_ENDPOINT: ${storage_apiUrl}
+AWS_SECRET_ACCESS_KEY: ${storage_secretAccessKey}
+AWS_URL: ${storage_apiUrl}/${storage_bucketName}
+AWS_USE_PATH_STYLE_ENDPOINT: true
+FILESYSTEM_DISK: s3
+```
+Read more about [object storage](/object-storage/overview) in Zerops.
+#### Logging Configuration
+System monitoring and debugging configuration that determines how your application tracks events and errors. Use `syslog` channel to access logs from Zerops Dashboard.
+```
+LOG_CHANNEL: syslog
+```
+Learn how to properly [configure logging](/frameworks/laravel/logs) for Laravel in Zerops.
+#### Mail Configuration
+SMTP server settings that enable your application to send emails through a dedicated mail service. Reference service `mailpit` by hostname.
+```
+MAIL_HOST: mailpit
+```
+Learn how to properly [configure SMTP](/frameworks/laravel/smtp) for Laravel in Zerops.
+#### Cache and Session
+Redis-based configuration for handling application caching, queues, and session management to optimize performance. Reference service `valkey` by hostname.
+```
+REDIS_HOST: valkey
+```
+Learn how to properly [configure cache, queue & session management](/frameworks/laravel/redis) for Laravel in Zerops.
+:::tip
+For automatic execution with each deploy, add these commands to the `initCommands` section of your `zerops.yaml` file.
+```yaml title="zerops.yaml"
+initCommands:
+  - php artisan view:cache
+  - php artisan config:cache
+  - php artisan route:cache
+```
 :::
-### Application versions
-Zerops keeps the 10 most recent versions of your application in internal storage.
-Access the application versions list in Zerops GUI by going to service detail and choosing the **Pipelines & CI/CD settings** section from the left menu. The active version is highlighted - click the button below to show all archived versions.
-  
-Access pipeline details from the additional menu. Pipeline details contain:
-- Pipeline configuration (`zerops.yaml`) used for the selected version
-- Build log (if available)
-- Prepare runtime log (if available)
-You can download the build artifact for selected versions or manually delete inactive versions.
-### Restore an archived version
-Restore archived versions by choosing **Activate** from the additional menu. Zerops will deploy the selected version and archive the currently active version.
-Environment variables restore to their state from the last moment when the selected version was active.
 
 ----------------------------------------
 
-# Features > Scaling Ha
-
-Zerops delivers enterprise-grade infrastructure with built-in automatic scaling and high availability. This means applications and databases dynamically adjust to traffic demands—scaling up during peak loads to maintain performance and scaling down during quiet periods to reduce costs.
-Unlike traditional hosting where resources must be predicted and pre-provisioned, Zerops continuously monitors workloads and automatically allocates exactly what is needed, when it is needed. This intelligent resource management ensures optimal performance without wasted spend.
-## Key Benefits
-- **Cost Optimization**: Only pay for resources actually used
-- **Performance Reliability**: Maintain responsiveness during traffic spikes
-- **Automatic Management**: Built-in best practices with customizable settings
-- **High Availability**: Redundancy options for production environments
-## Understanding Zerops Scaling Architecture
-Zerops uses two fundamentally different approaches for optimizing infrastructure:
-#### **Resource Management (Vertical Scaling)**
-- **Applies to:** Runtime services, databases, shared storage, and Linux containers (Alpine and Ubuntu)
-- **What it does:** Adjusts CPU, RAM, and disk resources within individual containers
-- **Management:** Automated by Zerops, but customizable by users
-:::note
-Docker services do not support automatic vertical scaling. Resource values can be manually changed, but this triggers a VM restart.
-:::
-#### **Container Architecture**
-- **For Runtime Services, Linux Containers, and Docker:** Horizontal Scaling (dynamic container count)
-  - Adds or removes containers/VMs based on load
-  - Requires applications to be designed for HA operation
-  - Container/VM creation limits can be controlled
-  - Docker containers run in VMs rather than native containers
-- **For Databases & Shared Storage:** High Availability Mode (fixed container count)
-  - Single Container OR Multi-Container HA configuration
-  - Must be chosen at service creation (cannot be changed later)
-  - Managed by Zerops (no application changes needed)
-### At-a-Glance Comparison
-* ✓ = Available *(configurable, defaults vary according to service type)*
-  
-      Feature
-      Runtime Services & Linux Containers
-      Databases
-      Shared Storage
-      Docker
-    
-      Automatic Resource Scaling
-      ✓
-      ✓
-      ✓
-      Manual (triggers VM restart)
-    
-      Automatic Horizontal Scaling
-      ✓
-      Fixed # of containers
-      Fixed # of containers
-      ✓
-    
-      High Availability
-      User-implemented
-      Zerops-managed HA mode
-      Zerops-managed HA mode
-      User-implemented
-    
-## When to Configure Scaling
-You can configure scaling settings at three different stages:
-- **During service creation** - Configure initial scaling parameters when creating services in the Zerops GUI. Set resource limits, CPU mode, and container counts from the start.
-- **During import** - Use YAML configuration files to define comprehensive scaling settings including `verticalAutoscaling` parameters and horizontal scaling limits. See [Import & Export YAML Configuration](/references/import) for complete syntax.
-- **After service creation** - Modify most scaling settings anytime through your service's **Automatic scaling configuration** page. Note that some parameters like deployment mode for databases and shared storage cannot be changed after creation.
-This flexibility lets you plan scaling strategies upfront or adapt them as requirements evolve.
-## Part 1: Resource Management
-Resource management in Zerops focuses on efficiently allocating and adjusting CPU, RAM, and disk resources within individual containers based on actual usage patterns.
-### CPU Options
-Two CPU allocation modes are available for any service:
-#### Shared CPU
-Shared CPU provides a physical CPU core shared with up to 10 other applications. Performance varies depending on neighbors, ranging from 1/10 to 10/10 power. This option is cost-effective for non-critical workloads, development, and testing environments.
-#### Dedicated CPU
-Dedicated CPU gives exclusive access to a full physical CPU core(s), ensuring consistent and predictable performance. This option is ideal for production environments and CPU-intensive applications.
-:::tip
-CPU mode can be changed (once per hour) as needed.
-:::
-See the [pricing](/company/pricing#resource-pricing) for the difference between CPU modes.
-### Vertical Scaling
-Vertical scaling adjusts individual resources (CPU, RAM, Disk) within existing containers. When a container needs more/less power, allocated resources are increased/decreased instead of creating a new/removing container.
-This is the preferred scaling method and is attempted first before horizontal scaling.
-These resource management capabilities apply to **runtime** services, **databases**, **shared storage**, and **Linux containers** (Alpine and Ubuntu).
-:::note
-Docker services do not support vertical scaling. Resources for Docker services are fixed at the values set manually and do not automatically adjust based on usage.
-:::
-### Fine-Tuning Resource Allocation
-Resource allocation can be configured through basic and advanced settings:
-#### Minimum and Maximum Resources (Basic)
-Boundaries for CPU cores, RAM, and disk space can be established.
-:::tip Resource Scaling Control
-To prevent scaling of specific resources, simply set identical minimum and maximum values for CPU, RAM, or Disk.
-:::
-#### Start CPU Core Count (Advanced)
-How many CPU cores should be allocated when containers start to ensure reliable and fast startup:
-- Default: 2 cores
-- Applies to both dedicated and shared CPU modes
-- Higher values provide more processing power during application initialization
-- After startup, resources are automatically adjusted based on actual usage and limits
-#### RAM Scaling Thresholds (Advanced)
-RAM usage is monitored every 10 seconds to ensure optimal performance. The minimum free RAM settings serve multiple important purposes: they prevent Out of Memory (OOM) errors, provide space for kernel disk caching (which improves application performance), and maintain a buffer for sudden memory demands.
-Swap is enabled for all containers to help prevent OOM errors, but proper minimum free RAM configuration is still essential—especially for services that use large amounts of RAM or benefit from kernel disk caching. Without sufficient free memory, performance may degrade due to increased disk access.
-Two threshold types determine RAM scaling:
-1. **Minimum Free RAM (absolute value in GB)**
-   - Specifies an absolute threshold for free RAM
-   - Additional memory is triggered when available RAM falls below this fixed amount
-   - Default: 0.0625 GB (64 MB) for most services
-   - Ideal for maintaining system stability and responsiveness
-2. **Minimum Free RAM (% of Granted)**
-   - Establishes a dynamic threshold based on a percentage of total granted memory
-   - Default: 0% (disabled)
-   - The buffer scales proportionally as total memory increases
-   - Particularly useful for handling varying loads
-:::note
-Whichever setting provides more free memory is used.
-:::
-#### CPU Scaling Thresholds (Advanced)
-For services using [dedicated CPU](#dedicated-cpu) cores only, CPU scaling is controlled by:
-1. **Min. Free CPU Cores (%)**
-   - Scale-up is triggered when free capacity drops below a fixed fraction of a single CPU core
-   - Default: 10%
-   - Set as a percentage of a single core's capacity
-   - Example: Setting to 20% means that with one core, at least 20% of that core should remain free
-2. **Dynamic Min. Free Total Core Percent**
-   - Scale-up is triggered when total free capacity across all cores falls below a percentage of total capacity
-   - Default: 0% (disabled)
-   - Dynamically adjusts as the number of cores changes
-   - Ideal for accommodating varying load distributions
-   - Example: 20% setting ensures at least 20% of the combined capacity of all cores remains free
-### Resource Scaling Behavior
-Zerops implements an exponential growth pattern ensuring that **resources grow gradually** for minor load increases but can scale rapidly when significant additional capacity is needed. When resource usage triggers scaling, Zerops initially adds smaller increments, but as demand continues to increase, it can add larger increments to quickly meet the needs of your application.
-Below are the parameters that control this behavior across all services that support vertical scaling:
-- **Data Collection Interval:** How frequently resource usage metrics are collected
-- **Scale-Up Window Interval:** The timeframe in which high usage must persist before adding resources
-- **Scale-Down Window Interval:** The timeframe in which low usage must persist before reducing resources
-- **Scale-Up Threshold Percentile:** The usage percentile that triggers resource scaling up
-- **Scale-Down Threshold Percentile:** The usage percentile that triggers resource scaling down
-- **Minimum Step:** The smallest increment by which resources can increase during scaling
-- **Maximum Step:** The largest possible increment for resources when scaling rapidly under high load
-  
-      Parameter
-      CPU
-      RAM
-      Disk
-    
-      Data Collection Interval
-      10 seconds
-      10 seconds
-      10 seconds
-    
-      Scale-Up Window Interval
-      20 seconds
-      10 seconds
-      10 seconds
-    
-      Scale-Down Window Interval
-      60 seconds
-      120 seconds
-      300 seconds
-    
-      Scale-Up Threshold Percentile
-      60
-      50
-      50
-    
-      Scale-Down Threshold Percentile
-      40
-      50
-      50
-    
-      Minimum Step
-      1 (0.1 cores)
-      0.125 GB
-      0.5 GB
-    
-      Maximum Step
-      40
-      32 GB
-      128 GB
-    
-## Part 2: Container Architecture — Service-Specific Approaches
-Container architecture in Zerops defines how services are distributed across containers. Different service types use fundamentally different approaches:
-1. **Horizontal Scaling** (Runtime Services, Linux Containers, and Docker)
-2. **Deployment Modes** (Databases and Shared Storage)
-### Horizontal Scaling (Runtime Services, Linux Containers, and Docker)
-Horizontal scaling adds or removes entire containers (or VMs for Docker) as demand fluctuates.
-* When vertical scaling reaches its defined maximum, new containers/VMs are automatically added to handle additional load.
-* As demand decreases, containers/VMs are gradually removed to optimize resource usage.
-:::important HA-ready Applications
-For applications to work properly across multiple containers, they must be designed to be HA-ready.
-:::
-#### Setting Horizontal Scaling Parameters
-To configure horizontal scaling, users need to set the minimum and maximum number of containers:
-- **Minimum Containers**: The baseline number of containers that should always be running (system limit: 1)
-- **Maximum Containers**: The upper limit of containers that can be created during high demand (system limit: 10)
-:::tip Disable Horizontal Scaling
-Setting identical minimum and maximum values creates a fixed number of containers (disables automatic horizontal scaling).
-:::
-### Deployment Modes (Databases and Shared Storage)
-For databases and shared storage services, Zerops offers two deployment modes focused on reliability and data integrity.
-:::warning
-Deployment mode cannot be changed after creation.
-:::
-#### Single Container Mode
-Single Container Mode provides one container with vertical scaling only. This is suitable for development environments or non-critical data storage.
-**Characteristics:**
-- Limited redundancy
-- No automatic recovery if the container fails
-- Data since last backup (if available) may be lost if failure occurs
-- Cost-effective for non-production environments
-#### Highly Available (HA) Mode
-Highly Available (HA) Mode creates multiple containers with built-in redundancy. This mode is strongly recommended for production environments and mission-critical data.
-**Characteristics:**
-- Multiple containers distributed across different physical machines
-- Automatic failover and recovery mechanisms
-- Data redundancy and integrity protection
-- Higher reliability and availability
-- Recommended for production use
-:::important
-Database and shared storage services in HA mode have a **fixed number of containers** that cannot be increased or decreased.
-:::
-**Recovery process:**
-In HA mode, when a container or physical machine fails, recovery is handled automatically:
-1. The failed container is disconnected from the cluster
-2. A new container is created on a different physical machine
-3. Data is synchronized from remaining healthy copies
-4. The failed container is removed
-5. Service continues with minimal disruption
-### Fixed Resource Allocation (Docker Services)
-Docker services in Zerops operate differently from other service types:
-#### Docker Service Characteristics
-- **VM-Based Deployment**: Docker services run in virtual machines rather than containers
-- **Fixed Resources**: Unlike other services, Docker services do not support automatic vertical scaling
-- **User-Defined Resources**: Resources are set at creation and remain fixed until manually changed
-- **VM Count Changes**: The number of VMs can be changed, but this requires a VM restart
-- **No Automatic Scaling**: Resource levels do not automatically adjust based on usage
-**Important Considerations for Docker Services:**
-- Initial resource values should be chosen carefully, as they cannot automatically scale
-- Planning for expected peak loads is important when setting resource values
-- Runtime services or Linux containers should be considered instead if dynamic scaling is essential
-- VM restarts cause temporary service disruption when changing VM count or resources
-:::warning
-Docker services use fixed resources that do not automatically scale. Sufficient resources should be allocated at creation to handle expected workload. Additionally, disk space for Docker services can only be increased, not decreased without recreation of the service.
-:::
-## Monitoring Your Infrastructure
-Zerops provides comprehensive monitoring tools in the user interface to track both resource usage and container scaling activities:
-### Resource History Graphs
-Resource and container scaling can be visualized over time:
-- CPU utilization per container
-- RAM usage patterns
-- Disk space consumption
-- Container count changes
-These graphs help understand application resource needs, identify usage patterns, and fine-tune scaling settings for optimal performance and cost efficiency.
-## Troubleshooting
-#### Resource-Related Issues (All Service Types Except Docker)
-**Out of Memory Errors**
-* **Issue:** Application crashes with OOM errors despite resource scaling.
-* **Possible Cause:** Insufficient minimum free RAM setting.
-* **Solution:**
-    - Increase the "Minimum free RAM" setting
-    - Check for memory leaks in the application
-    - Consider setting a higher minimum RAM value
-**Excessive Resource Costs**
-* **Issue:** Resources scaling up but not scaling down efficiently.
-* **Possible Cause:** Scale-down thresholds not optimized.
-* **Solution:**
-    - Review usage patterns in monitoring graphs
-    - Adjust scale-down thresholds to be more aggressive
-    - Set appropriate resource minimums based on base requirements
-#### Runtime Service and Linux Container Issues (Horizontal Scaling)
-**Application Not Working Properly Across Multiple Containers**
-* **Issue:** Application errors or inconsistent behavior when horizontally scaled.
-* **Possible Cause:** Application not designed for distributed operation.
-* **Solution:**
-    - Ensure the application properly handles stateless operation
-    - Implement proper session management across containers
-    - Review and modify application code to support multiple instances
-#### Docker Service Issues
-**Insufficient Resources for Workload**
-* **Issue:** Docker service experiencing performance issues or crashes.
-* **Possible Cause:** Fixed resources inadequate for actual workload.
-* **Solution:**
-    - Since Docker services don't support automatic vertical scaling, a new service with higher resource allocations may be needed
-    - Consider migrating to a runtime service or Linux container if dynamic resource scaling is needed
-*Need help implementing scaling in your project? Join our [Discord community](https://discord.gg/zerops) where our team and other Zerops users can assist you!*
-
-----------------------------------------
-
-# Frameworks > Laravel
-
-# Laravel on Zerops
-> Modern Laravel development demands infrastructure that doesn't get in your way. Zerops provides the foundation that lets you focus on building great apps, not wrestling with environment configuration or resource management.
-## Why Zerops for Laravel?
-Zerops implements what we call "transparent infrastructure" - you get enterprise-grade capabilities with development-friendly ergonomics. This means:
-- **Full system access** across all environments
-- **Granular resource control** starting at 0.125GB RAM
-- **True environment parity** from local to production
-- **Zero-downtime deployments** by default
-*No artificial limitations, no framework-specific compromises - just solid infrastructure that lets Laravel do what it does best.*
-:::tip
-New Zerops accounts receive $15 in free credits for testing. After verifying your account with a $10 initial payment, you'll get an additional $50 in credits.
-:::
-## Quick Start
-Choose a recipe that matches your needs and deploy with a single click. Each recipe sets up a complete environment with all necessary services preconfigured.
-All recipes include:
-- **PHP 8.3 + Nginx**
-- **PostgreSQL 16**
-- **L3/L7 balancers**
-- **Logging & metrics**
-  
-      The most bare-bones examples of Laravel app including core services + PostgreSQL.
-      
-      A full-stack setup including Redis, Object Storage, and Mailpit.
-            
-        Admin panel optimized setup including Redis, Object Storage, and Mailpit.
-              
-        Content management focused setup including Redis, Object Storage, and Mailpit.
-              
-## Core Features
-### Infrastructure and Security
-Each project runs in its own isolated network with enterprise-level security features automatically configured.
-What makes this special is how it combines security with simplicity - this infrastructure requires zero configuration from you – it's all handled automatically when you create your project.
-### Native Service Discovery
-Services within your project communicate seamlessly using internal hostnames:
-```php title=".env"
-DB_HOST=${db_hostname}
-REDIS_HOST=${cache_hostname}
-```
-*Environment variables are automatically injected and synchronized across all containers.*
-### Intelligent Scaling
-One of Zerops' most powerful features is its intelligent autoscaling system, which:
-* Scales resources (CPU, RAM, Disk) up and down based on actual usage
-* Maintains minimum required resources to optimize costs
-* Handles both vertical and horizontal scaling automatically
-* Manages disk space dynamically (a unique feature in the industry)
-Through a simple configuration, you define resource boundaries while Zerops automatically handles the complex scaling decisions:
-```yaml
-# Example scaling configuration
-services:
-  - hostname: app
-    minContainers: 2
-    maxContainers: 6
-    cpu:
-      min: 1
-      max: 4
-    ram:
-      min: 0.25
-      max: 4
-```
-### Zero-Downtime Deployments
-Deploy with confidence using our battle-tested pipeline:
-```yaml title="zerops.yaml"
-zerops:
-  - setup: app
-    build:
-      base: php@8.3
-      buildCommands:
-        - composer install --no-dev --optimize-autoloader
-      deployFiles: ./
-      cache: vendor
-    run:
-      base: php-nginx@8.3
-      initCommands:
-        - php artisan config:cache
-        - php artisan route:cache
-        - php artisan migrate --force --isolated
-```
-### High Availability
-Every service can run in HA mode with automatic failover.
-```yaml
-services:
-  - hostname: db
-    type: postgresql@16
-    mode: HA  # Automatic primary-replica setup
-  - hostname: cache
-    type: valkey@7.2
-    mode: HA  # Redis cluster configuration
-```
-Setting up a production-grade HA database cluster typically requires deep DevOps expertise. Zerops automates this complexity, giving you an enterprise-grade setup with a single configuration flag:
-* **Database Cluster** distributed across multiple physical servers
-* **Automatic failover** and data replication
-* **Enhanced performance** through load distribution
-* **Production-grade reliability** out of the box
-## Development Workflow
-### Team Collaboration
-Zerops enables seamless team development through:
-* **Declarative Infrastructure** - version control your entire setup
-* **Identical Environments** - every team member gets production-parity
-* **Automated Setup** - new team members are productive in minutes
-* **Transparent Configuration** - easily review and audit changes
-### Local Development
-Connect to your production-grade databases without any local setup through Zerops' VPN.
-Start with
-```
-zcli vpn up
-```
-and select your project. Get your database credentials from the service's **Access details** in your project dashboard and update your local `.env`. See PostgreSQL example below:
-```yaml
-DB_CONNECTION=pgsql
-DB_HOST=db.zerops  # References the service's hostname
-DB_PORT=5432
-DB_DATABASE=db
-DB_USERNAME=db
-DB_PASSWORD=[password from Access details]
-```
-With this configuration, you can use any database tool - no local installation needed.
-### Deployment Options
-Choose the workflow that fits your team:
-1. **GitHub/GitLab Integration**
-   - Automatic deployments on push/merge
-   - Branch-specific environments
-   - Build caching and artifacts
-2. **CLI-Driven Pipeline**
-   ```bash
-   # Deploy from your terminal
-   zcli push
-   ```
-3. **Manual Triggers**
-   - Deploy specific versions
-   - Roll back to previous states
-   - Test deployment configurations
-## Next Steps
-- [Environment Variables](/frameworks/laravel/env-variables)
-- [Database Migrations](/frameworks/laravel/migrations)
-- [Cache & Queue with Redis](/frameworks/laravel/redis)
-- [Schedule Jobs & CRON](//frameworks/laravel/cron)
-- [SMTP Configuration](/frameworks/laravel/smtp)
-- [Logs](/frameworks/laravel/logs)
-## Resources
-- [Laravel Documentation](https://laravel.com/docs)
-- [Laravel Recipe Repository](https://github.com/zeropsio/recipe-laravel-minimal)
-- [zCLI Documentation](/references/cli)
-*Need help? Join our [Discord community](https://discord.gg/zeropsio) or check out our [quickstart guide](/frameworks/laravel/introduction).*
-
-----------------------------------------
-
-# Frameworks > Laravel > Cron
-
-Zerops provides a convenient way for managing scheduled tasks through CRON jobs, configured directly in your `zerops.yaml` file. These tasks can be scheduled to run on single or multiple containers with granular timing control.
-## Basic Configuration
-Cron jobs are defined in the `run.crontab` section of your `zerops.yaml`. Each job requires two essential parameters:
-- **command**: The command to execute
-- **timing**: The CRON schedule expression
-```yaml
-run: 
-  crontab:
-    - command: "date >> /var/log/cron.log"
-      timing: "0 * * * *"
-```
-This example logs the current timestamp every hour.
-:::tip Detailed Configuration
-For comprehensive configuration options and examples, refer to our [CRON configuration guide](/zerops-yaml/cron).
-:::
-## Common Implementation Patterns
-### Laravel Scheduler
-To run Laravel's scheduler, configure it to execute every minute:
-```yaml
-run: 
-  crontab:
-    - command: "php artisan schedule:run"
-      timing: "* * * * *"
-      workingDir: /var/www/html
-```
-### Cleanup Tasks
-Execute maintenance tasks on all containers:
-```yaml
-run: 
-  crontab:
-    - command: "rm -rf /tmp/*"
-      timing: "0 0 * * *"
-      allContainers: true
-```
-### Multiple Jobs
-Configure multiple scheduled tasks within a single service:
-```yaml
-run:
-  crontab:
-    - command: "php artisan schedule:run"
-      timing: "* * * * *"
-      workingDir: /var/www/html
-    
-    - command: "php artisan cache:clear"
-      timing: "0 0 * * *"
-      workingDir: /var/www/html
-      
-    - command: "php artisan queue:restart"
-      timing: "0 */6 * * *"
-      workingDir: /var/www/html
-```
-## Best Practices
-1. **Log Output**: Implement comprehensive logging for debugging and monitoring:
-   ```yaml
-   command: "php artisan schedule:run >> /var/log/scheduler.log 2>&1"
-   ```
-2. **Working Directory**: Always specify `workingDir` for Laravel commands to ensure they are executed from the correct location.
-3. **Container Selection**: Use `allContainers: true` carefully to avoid duplicate operations in a multi-container setup.
-4. **Timing Considerations**: Schedule intensive tasks during off-peak hours.
-## Monitoring
-Enable detailed scheduler [logging](/frameworks/laravel/logs) in your `.env`:
-```
-LOG_CHANNEL=daily
-```
-
-----------------------------------------
-
-# Frameworks > Laravel > Env Variables
-
-Zerops manages environment variables without requiring manual `.env` files, enabling application deployment across different environments (development, staging, production) while keeping environment-specific configurations isolated from your code.
-Read more about how [environment variables](/features/env-variables) work in Zerops.
-## Laravel Environment Variables in Zerops
-### Secret Variables
-Some Laravel variables contain sensitive information that should never be exposed as plain text. Manage these using Zerops Secret Variables by:
-* Creating and managing them through the Zerops GUI
-* Defining them in a configuration file when importing a project or service (allows [automatic generation](#automatic-generation-during-import))
-When importing a project or service, you can define secret variables directly in your import configuration:
-```yaml
-services:
-  - hostname: app
-    type: php-nginx@8.4
-    envSecrets:
-      APP_KEY: your-secret-key
-```
-:::tip
-Secret variables can be updated at any time without requiring application redeployment.
-:::
-#### Automatic Generation During Import
-If you prefer to have certain secrets **generated automatically**, you can use the [yaml preprocessor](/references/import-yaml/pre-processor). This is optional and only available during import:
-```yaml
-#yamlPreprocessor=on
-services:
-  - hostname: app
-    type: php-nginx@8.4
-    envSecrets:
-      APP_KEY: )>
-```
-### Runtime Variables
-These variables, defined in `zerops.yaml`, are typically environment-specific but not sensitive.
-:::note
-Changes to runtime variables require application redeployment to take effect.
-:::
-Below is a complete working example of `envVariables` in `zerops.yaml` (sourced from [Laravel Jetstream recipe](https://github.com/zeropsio/recipe-laravel-jetstream/blob/main/zerops.yaml)):
-```yaml title="zerops.yaml"
-run:
-  envVariables:
-    APP_LOCALE: en
-    APP_FAKER_LOCALE: en_US
-    APP_FALLBACK_LOCALE: en
-    APP_MAINTENANCE_DRIVER: file
-    APP_MAINTENANCE_STORE: database
-    APP_TIMEZONE: UTC
-    APP_URL: ${zeropsSubdomain}          # References generated variable
-    ASSET_URL: ${APP_URL}
-    VITE_APP_NAME: ${APP_NAME}
-    # PostgreSQL connection settings
-    DB_CONNECTION: pgsql
-    DB_DATABASE: db
-    DB_HOST: db                          # References database service hostname
-    DB_PASSWORD: ${db_password}          # References database password
-    DB_PORT: 5432
-    DB_USERNAME: ${db_user}              # References database user
-    # S3-compatible object storage settings
-    AWS_ACCESS_KEY_ID: ${storage_accessKeyId}
-    AWS_REGION: us-east-1
-    AWS_BUCKET: ${storage_bucketName}    # References bucket name of service 'storage'
-    AWS_ENDPOINT: ${storage_apiUrl}
-    AWS_SECRET_ACCESS_KEY: ${storage_secretAccessKey} # Safely references secret
-    AWS_URL: ${storage_apiUrl}/${storage_bucketName}
-    AWS_USE_PATH_STYLE_ENDPOINT: true
-    FILESYSTEM_DISK: s3
-    # Logging Configuration
-    LOG_CHANNEL: syslog
-    LOG_LEVEL: debug
-    LOG_STACK: single
-    # SMTP settings for email delivery
-    MAIL_FROM_ADDRESS: hello@example.com
-    MAIL_FROM_NAME: ZeropsLaravel
-    MAIL_HOST: mailpit                   # References mail service hostname
-    MAIL_MAILER: smtp
-    MAIL_PORT: 1025
-    # Redis-based caching and session management
-    BROADCAST_CONNECTION: redis
-    CACHE_PREFIX: cache
-    CACHE_STORE: redis
-    QUEUE_CONNECTION: redis
-    REDIS_CLIENT: phpredis
-    REDIS_HOST: valkey                    # References Redis service hostname
-    REDIS_PORT: 6379
-    SESSION_DRIVER: redis
-    SESSION_ENCRYPT: false
-    SESSION_LIFETIME: 120
-    SESSION_PATH: /
-    # Security Configuration
-    BCRYPT_ROUNDS: 12
-    TRUSTED_PROXIES: "*"
-```
-Let's look at variable configurations that may need additional context and where to find detailed implementation guides:
-#### Application Configuration
-Core application settings that define your Laravel app's identity, URL structure, and environment parameters. Reference environment variables from the same service.
-```yaml
-APP_URL: ${zeropsSubdomain} # zeropsSubdomain variable is system generated
-ASSET_URL: ${APP_URL}
-VITE_APP_NAME: ${APP_NAME} # APP_NAME variable was created during import (envSecrets)
-```
-#### Database Configuration
-Essential database connection parameters that securely reference your PostgreSQL service `db` by hostname and its variables - `password` and `user`.
-It is safe to store `DB_PASSWORD` in `envVariables` by reference as it does not contain the sensitive value itself.
-```yaml
-DB_HOST: db
-DB_PASSWORD: ${db_password}
-DB_USERNAME: ${db_user}
-```
-Read more about [database management](/frameworks/laravel/migrations) for Laravel in Zerops.
-#### Storage Configuration
-S3-compatible object storage settings that enable efficient file handling and asset management in your Laravel application. Reference variables of Object storage service called `storage`.
-```yaml
-AWS_ACCESS_KEY_ID: ${storage_accessKeyId}
-AWS_REGION: us-east-1
-AWS_BUCKET: ${storage_bucketName}
-AWS_ENDPOINT: ${storage_apiUrl}
-AWS_SECRET_ACCESS_KEY: ${storage_secretAccessKey}
-AWS_URL: ${storage_apiUrl}/${storage_bucketName}
-AWS_USE_PATH_STYLE_ENDPOINT: true
-FILESYSTEM_DISK: s3
-```
-Read more about [object storage](/object-storage/overview) in Zerops.
-#### Logging Configuration
-System monitoring and debugging configuration that determines how your application tracks events and errors. Use `syslog` channel to access logs from Zerops Dashboard.
-```
-LOG_CHANNEL: syslog
-```
-Learn how to properly [configure logging](/frameworks/laravel/logs) for Laravel in Zerops.
-#### Mail Configuration
-SMTP server settings that enable your application to send emails through a dedicated mail service. Reference service `mailpit` by hostname.
-```
-MAIL_HOST: mailpit
-```
-Learn how to properly [configure SMTP](/frameworks/laravel/smtp) for Laravel in Zerops.
-#### Cache and Session
-Redis-based configuration for handling application caching, queues, and session management to optimize performance. Reference service `valkey` by hostname.
-```
-REDIS_HOST: valkey
-```
-Learn how to properly [configure cache, queue & session management](/frameworks/laravel/redis) for Laravel in Zerops.
-:::tip
-For automatic execution with each deploy, add these commands to the `initCommands` section of your `zerops.yaml` file.
-```yaml title="zerops.yaml"
-initCommands:
-  - php artisan view:cache
-  - php artisan config:cache
-  - php artisan route:cache
-```
-:::
-
-----------------------------------------
-
-# Frameworks > Laravel > Faq
+# Frameworks > Laravel > Faq
 
   Question: How do I configure environment variables?
 Answer: 
@@ -7674,7 +7217,7 @@ Once the deployment completes, let's verify everything works:
 4. Toggle **Enable Zerops Subdomain Access**
 5. Click the generated URL (e.g., `https://app-xxx.prg1.zerops.app`) to view your application
 :::note
-The Zerops subdomain is perfect for testing and development, but for production, you should [set up your own domain](/features/access#public-access-through-your-domain) under **Public Access through Your Domains**.
+The Zerops subdomain is perfect for testing and development, but for production, you should [set up your own domain](/references/networking/public-access#custom-domain-access) under **Public Access through Your Domains**.
 :::
 ### Testing Database Connectivity
 Let's create a quick route to test database connectivity. Add this to your `routes/web.php`:
@@ -7716,7 +7259,7 @@ DB_PASSWORD=[password from Access details]
 Now you can use your favorite database management tool or run artisan commands while working with the database in Zerops - no local PostgreSQL installation needed!
 ## Next Steps
 Now that your Laravel application is running on Zerops, consider:
-1. Setting up a [custom domain](/features/access#public-access-through-your-domain)
+1. Setting up a [custom domain](/references/networking/public-access#custom-domain-access)
 2. Implementing basic CI/CD pipelines with [GitHub](/references/github-integration) or [GitLab](/references/gitlab-integration) integration
 3. Setting up [object storage](/object-storage/overview)
 ## Conclusion
@@ -8104,7 +7647,7 @@ The deployment process takes just a few minutes. Once complete, you'll receive:
 Zerops provides a built-in VPN feature through its CLI tool, enabling seamless local development against remote resources. Here's how to set it up:
 ### Prerequisites
 - Install the [Zerops CLI](/references/cli#get-started) and log in with [personal access token](/references/cli#personal-access-tokens)
-- Install [Wireguard](/references/vpn) on your system
+- Install [Wireguard](/references/networking/vpn) on your system
 ### Setup Steps
 1. Create your own repository from our [GitHub template](https://github.com/zeropsio/recipe-filament) and clone it locally
 2. **Configure VPN Access**
@@ -8270,7 +7813,7 @@ The deployment process takes just a few minutes. Once complete, you'll receive:
 Zerops provides a built-in VPN feature through its CLI tool, enabling seamless local development against remote resources. Here's how to set it up:
 ### Prerequisites
 - Install the [Zerops CLI](/references/cli#get-started) and log in with [personal access token](/references/cli#personal-access-tokens)
-- Install [Wireguard](/references/vpn) on your system
+- Install [Wireguard](/references/networking/vpn) on your system
 ### Setup Steps
 1. Create your own repository from our [GitHub template](https://github.com/zeropsio/recipe-laravel-jetstream) and clone it locally
 2. **Configure VPN Access**
@@ -8429,7 +7972,7 @@ The deployment process takes just a few minutes. Once complete, you'll receive:
 Zerops provides a built-in VPN feature through its CLI tool, enabling seamless local development against remote resources. Here's how to set it up:
 ### Prerequisites
 - Install the [Zerops CLI](/references/cli#get-started) and log in with [personal access token](/references/cli#personal-access-tokens)
-- Install [Wireguard](/references/vpn) on your system
+- Install [Wireguard](/references/networking/vpn) on your system
 ### Setup Steps
 1. Create your own repository from our [GitHub template](https://github.com/zeropsio/recipe-laravel-minimal) and clone it locally
 2. **Configure VPN Access**
@@ -8587,7 +8130,7 @@ The deployment process takes just a few minutes. Once complete, you'll receive:
 Zerops provides a built-in VPN feature through its CLI tool, enabling seamless local development against remote resources. Here's how to set it up:
 ### Prerequisites
 - Install the [Zerops CLI](/references/cli#get-started) and log in with [personal access token](/references/cli#personal-access-tokens)
-- Install [Wireguard](/references/vpn) on your system
+- Install [Wireguard](/references/networking/vpn) on your system
 ### Setup Steps
 1. Create your own repository from our [GitHub template](https://github.com/zeropsio/recipe-filament) and clone it locally
 2. **Configure VPN Access**
@@ -9001,12 +8544,6 @@ Enable `enableSubdomainAccess` to access the Mailpit web interface where you can
 - Monitor email delivery rates and bounce rates
 - Use Mailpit in development to catch and debug emails
 
-----------------------------------------
-
-# Gleam > How To > Access
-
-
-
 ----------------------------------------
 
 # Gleam > How To > Build Pipeline
@@ -9376,7 +8913,7 @@ The os version is fixed and cannot be customised.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Gleam service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Gleam service](/gleam/how-to/access).
+For example, to connect to a Gleam service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Gleam service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
 | parameter   | description                                                                                                                                                                                                                                                                                                            |
 | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -10001,12 +9538,6 @@ In case you haven't found an answer (and also if you have), we and our community
 Have you build something that others might find useful? Don't hesitate to share your knowledge!
 ## Popular Guides
 
-----------------------------------------
-
-# Go > How To > Access
-
-
-
 ----------------------------------------
 
 # Go > How To > Build Pipeline
@@ -10368,7 +9899,7 @@ The os version is fixed and cannot be customised.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Go service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Go service](/go/how-to/access).
+For example, to connect to a Go service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Go service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
   
       Parameter
@@ -11143,12 +10674,6 @@ Read more about the build and deploy pipeline
 You get a powerful managed platform with all the best features unlocked for a price that's nearly on par with VPS. You can create as many environments as you need, even one for each developer working on a project, all with the same infrastructure as production, so they can utilize Zerops for their local development. No more "but it works on my machine".
 :::
 
-----------------------------------------
-
-# Java > How To > Access
-
-
-
 ----------------------------------------
 
 # Java > How To > Build Pipeline
@@ -11510,7 +11035,7 @@ The os version is fixed and cannot be customized.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Java service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Java service](/java/how-to/access).
+For example, to connect to a Java service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Java service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
   
       Parameter
@@ -12289,14 +11814,14 @@ Due to security reasons Zerops doesn't allow exposing KeyDB service directly to
 ### Start VPN connection
 You can securely connect to KeyDB from your local workspace via Zerops VPN. Zerops VPN client is included into zCLI, the Zerops command-line tool. To start a VPN connection to the selected Zerops project, follow these steps:
 1. [Install & setup zCLI](/references/cli)
-2. [Start the Zerops VPN](/references/vpn#start-vpn)
+2. [Start the Zerops VPN](/references/networking/vpn#start-vpn)
 ### Access KeyDB through VPN
 Once the VPN session is established, you have the secured connection to the project's private network in Zerops. You can access all project services locally by using their hostname. The only difference is that no [environment variables](#use-keydb-environment-variables) are available when connected through VPN. To connect to KeyDB in Zerops you have to copy the [access details](#copy-access-details-from-zerops-gui) manually from Zerops GUI.
 :::caution
 Do not use SSL/TLS protocols when connecting to KeyDB over VPN. Zerops KeyDB is not configured to support these protocols. The security is assured by the VPN.
 :::
 ### Stop VPN connection
-[Stop the Zerops VPN](/references/vpn#stop-vpn) in zCLI.
+[Stop the Zerops VPN](/references/networking/vpn#stop-vpn) in zCLI.
 ### Connect to KeyDB from another Zerops project
 All services of the same project share a **dedicated private network**. You can use the service hostname to connect from one service to another within the same project.
 Different Zerops projects have no special connection. They can communicate with each other only via the internet. If you need to connect to a KeyDB service in a Zerops project from a runtime service in another project, you need to use the [Zerops VPN](#access-keydb-through-vpn). Due to security reasons Zerops doesn't allow exposing KeyDB service directly to the internet.
@@ -12782,14 +12307,14 @@ Due to security reasons Zerops doesn't allow exposing MariaDB service directly t
 ### Start VPN connection
 You can securely connect to MariaDB from your local workspace via Zerops VPN. Zerops VPN client is included into zCLI, the Zerops command-line tool. To start a VPN connection to the selected Zerops project, follow these steps:
 1. [Install & setup zCLI](/references/cli)
-2. [Start the Zerops VPN](/references/vpn#start-vpn)
+2. [Start the Zerops VPN](/references/networking/vpn#start-vpn)
 ### Access MariaDB through VPN
 Once the VPN session is established, you have the secured connection to the project's private network in Zerops. You can access all project services locally by using their hostname. The only difference is that no [environment variables](#use-mariadb-environment-variables) are available when connected through VPN. To connect to MariaDB in Zerops you have to copy the [access details](#copy-access-details-from-zerops-gui) manually from Zerops GUI.
 :::caution
 Do not use SSL/TLS protocols when connecting to MariaDB over VPN. Zerops MariaDB is not configured to support these protocols. The security is assured by the VPN.
 :::
 ### Stop VPN connection
-[Stop the Zerops VPN](/references/vpn#stop-vpn) in zCLI.
+[Stop the Zerops VPN](/references/networking/vpn#stop-vpn) in zCLI.
 ### Connect to MariaDB from another Zerops project
 All services of the same project share a **dedicated private network**. You can use the service hostname to connect from one service to another within the same project.
 Different Zerops projects have no special connection. They can communicate with each other only via the internet. If you need to connect to a MariaDB service in a Zerops project from a runtime service in another project, you need to use the [Zerops VPN](#access-mariadb-through-vpn). Due to security reasons Zerops doesn't allow exposing MariaDB service directly to the internet.
@@ -13164,7 +12689,7 @@ When the import is finished, Adminer will be running as a PHP service in your pr
 By default Adminer service is private and is accessible from your local workstation over VPN.
 You can securely connect to MariaDB from your local workspace via Zerops VPN. Zerops VPN client is included into zCLI, the Zerops command-line tool. To start a VPN connection to the selected Zerops project, follow these steps:
 1. [Install & setup zCLI](/references/cli)
-2. [Start the Zerops VPN](/references/vpn)
+2. [Start the Zerops VPN](/references/networking/vpn)
 3. Type `http://adminer` into your browser
 :::caution
 Do not use https when connecting to Adminer via VPN.
@@ -13198,7 +12723,7 @@ When the import is finished, phpMyAdmin will be running as a PHP service in your
 By default phpMyAdmin service is private and is accessible from your local workstation over VPN.
 You can securely connect to MariaDB from your local workspace via Zerops VPN. Zerops VPN client is included into zCLI, the Zerops command-line tool. To start a VPN connection to the selected Zerops project, follow these steps:
 1. [Install & setup zCLI](/references/cli)
-2. [Start the Zerops VPN](/references/vpn)
+2. [Start the Zerops VPN](/references/networking/vpn)
 3. Type `http://phpmyadmin` into your browser
 :::caution
 Do not use https when connecting to phpMyAdmin via VPN.
@@ -13401,7 +12926,7 @@ The service provides three pre-configured API keys, each with specific access le
 ## Network Architecture & Access
 ### Access Methods
 #### Public HTTPS Access
-When enabled, access via [Zerops subdomain](/features/access#public-access-through-zerops-subdomain).
+When enabled, access via [Zerops subdomain](/references/networking/public-access#zerops-subdomain-access).
 #### Internal Project Access
 Services within the same project can reach Meilisearch directly:
 ```
@@ -13592,12 +13117,6 @@ Answer:
     Zerops provides built-in prerender.io support. Simply set the `PRERENDER_TOKEN` environment variable with your prerender.io service token. See our [prerender.io documentation](/nginx/how-to/env-variables#prerenderio-support) for details.
   
 
-----------------------------------------
-
-# Nginx > How To > Access
-
-
-
 ----------------------------------------
 
 # Nginx > How To > Build Pipeline
@@ -13748,7 +13267,7 @@ If no ports are specified, Zerops adds the port TCP 80 automatically.
 If you want the web server to listen on other port(s) than `:80`, you must [customize](/nginx/how-to/customize-web-server) your web server configuration as well.
 :::
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Nginx static service with hostname = "app" and port = 80 from another service of the same project, simply use `app:80`. Read more about [how to access a Nginx static service](/nginx/how-to/access).
+For example, to connect to a Nginx static service with hostname = "app" and port = 80 from another service of the same project, simply use `app:80`. Read more about [how to access a Nginx static service](/references/networking/internal-access#basic-service-communication).
 :::info
 Do not use the port **:443**. All the incoming traffic is terminated on the Zerops internal balancer where the SSL certificate is installed and the request is forwarded to your Nginx static service as a **http://** on the port **:80**.
 :::
@@ -14612,12 +14131,6 @@ Answer:
     Set the environment variable `CI: true` to resolve the problem. This allows the installation to proceed automatically without requiring manual confirmation.
   
 
-----------------------------------------
-
-# Nodejs > How To > Access
-
-
-
 ----------------------------------------
 
 # Nodejs > How To > Build Pipeline
@@ -14987,7 +14500,7 @@ The os version is fixed and cannot be customized.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Node.js service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Node.js service](/nodejs/how-to/access).
+For example, to connect to a Node.js service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Node.js service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
   
       Parameter
@@ -16087,12 +15600,6 @@ Don't know how to start or got stuck during the process? You might not be the fi
 In case you haven't found an answer (and also if you have), we and our community are looking forward to hearing from you on Discord.
 Have you build something that others might find useful? Don't hesitate to share your knowledge!
 
-----------------------------------------
-
-# Php > How To > Access
-
-
-
 ----------------------------------------
 
 # Php > How To > Build Pipeline
@@ -16463,7 +15970,7 @@ If no ports are specified, Zerops adds the port TCP 80 automatically.
 If you want the web server to listen on other port(s) than `:80`, you must [customize](/php/how-to/customize-web-server) your web server configuration as well.
 :::
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a PHP service with hostname = "app" and port = 80 from another service of the same project, simply use `app:80`. Read more about [how to access a PHP service](/php/how-to/access).
+For example, to connect to a PHP service with hostname = "app" and port = 80 from another service of the same project, simply use `app:80`. Read more about [how to access a PHP service](/references/networking/internal-access#basic-service-communication).
 :::info
 Do not use the port **:443**. All the incoming traffic is terminated on the Zerops internal balancer where the SSL certificate is installed and the request is forwarded to your PHP+Nginx / PHP+Apache service as a **http://** on the port **:80**.
 :::
@@ -17436,19 +16943,19 @@ Zerops offers two methods for connecting to your PostgreSQL database from outsid
 ### Method 1: Connect via Zerops VPN
 You can securely connect to PostgreSQL from your local workstation via Zerops VPN:
 1. [Install & set up zCLI](/references/cli)
-2. [Start the Zerops VPN](/references/vpn#start-vpn)
+2. [Start the Zerops VPN](/references/networking/vpn#start-vpn)
 3. Use the connection details from Access Details in the PostgreSQL service detail in Zerops GUI
-4. When finished, [stop the Zerops VPN](/references/vpn#stop-vpn)
+4. When finished, [stop the Zerops VPN](/references/networking/vpn#stop-vpn)
 :::warning Important notes
 * Do not use SSL/TLS protocols when connecting over VPN. Security is provided by the VPN tunnel.
-* If your connection over VPN doesn't work, try adding `.zerops` suffix to the service hostname (e.g., `database1.zerops`). For additional help, check the [VPN troubleshooting page](/references/vpn/troubleshooting).
+* If your connection over VPN doesn't work, try adding `.zerops` suffix to the service hostname (e.g., `database1.zerops`). For additional help, check the [VPN troubleshooting page](/references/networking/vpn#troubleshooting).
 :::
 ### Method 2: Connect via Direct IP Access
 Direct IP Access uses [pgBouncer](https://www.pgbouncer.org/) for connection pooling and TLS termination.
 Internally, port `5432` is available without SSL. Externally, connections are secured with TLS through pgBouncer (port `6432`) before being routed to your PostgreSQL service.
 #### Enable external access
 1. Navigate to your PostgreSQL service in the Zerops GUI and choose the **Public Access through IP Addresses** section
-2. Choose either IPv6 (available by default) or IPv4 (requires the [unique IPv4](/features/access#dedicated-ipv4-address-330-days) add-on)
+2. Choose either IPv6 (available by default) or IPv4 (requires the [unique IPv4](/references/networking/public-access#ipv4-configuration) add-on)
 3. Open one or more ports and point them to your PostgreSQL service (the system will direct them through pgBouncer)
    - Choose any port from 10-65435 (except 80 and 443)
    - Select destination service and internal port
@@ -17775,7 +17282,7 @@ You can install these tools with a simple one-click import in Zerops:
 2. Copy and paste one of the following YAML configurations:
 ### Accessing Management Tools
 After installation, you can access these tools via VPN:
-1. [Start the Zerops VPN](/references/vpn)
+1. [Start the Zerops VPN](/references/networking/vpn)
 2. Type `http://adminerevo` or `http://phpmyadmin` in your browser
 :::tip
 Try `http://adminerevo.zerops` or `http://phpmyadmin.zerops` if you encounter any connection issues.
@@ -17785,7 +17292,7 @@ Do not use https when connecting to management tools via VPN.
 :::
 ## Database Tools on Your Workstation
 You can use various database management tools from your local workstation to connect to your PostgreSQL database in Zerops:
-1. **Establish a secure tunnel** using the [Zerops VPN](/references/vpn) to create an encrypted connection to your Zerops project
+1. **Establish a secure tunnel** using the [Zerops VPN](/references/networking/vpn) to create an encrypted connection to your Zerops project
 2. **Obtain the [connection details](/postgresql/how-to/connect#connection-details)** from Zerops GUI
     - Environment variables are not available through VPN connections
 3. Connect with your **preferred database tool**
@@ -17937,12 +17444,6 @@ In case you haven't found an answer (and also if you have), we and our community
 Have you build something that others might find useful? Don't hesitate to share your knowledge!
 ## Popular Guides
 
-----------------------------------------
-
-# Python > How To > Access
-
-
-
 ----------------------------------------
 
 # Python > How To > Build Pipeline
@@ -18273,7 +17774,7 @@ The os version is fixed and cannot be customised.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Python service with hostname = "app" and port = 8000 from another service of the same project, simply use `app:8000`. Read more about [how to access a Python service](/python/how-to/access).
+For example, to connect to a Python service with hostname = "app" and port = 8000 from another service of the same project, simply use `app:8000`. Read more about [how to access a Python service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
   
       Parameter
@@ -19172,7 +18673,7 @@ Disconnects from the Zerops VPN.
 zcli vpn down
 ```
 :::note
-For more detailed information about Zerops VPN configuration and troubleshooting, visit the [VPN Documentation](/references/vpn).
+For more detailed information about Zerops VPN configuration and troubleshooting, visit the [VPN Documentation](/references/networking/vpn).
 :::
 ## Project Management
 ### project list
@@ -19207,7 +18708,7 @@ Displays environment variables for the current project scope.
 zcli project env [flags]
 ```
 **Flags:**
-- `--export` - Prepends export keyword to each env in output: 'export `{{.Key}}={{.Value}}`'
+- `--export` - Prepends export keyword to each env in output: `export {{.Key}}={{.Value}}`
 - `-P, --project-id string` - Required when you have access to multiple projects
 - `--service string` - Service name, in which context the environment variables are output
 - `--template string` - Output template (default: "`{{.Key}}={{.Value}}`")
@@ -19455,51 +18956,6 @@ tail -f ~/.config/zerops/zerops.log
 
 ----------------------------------------
 
-# References > Firewall
-
-Zerops includes a comprehensive firewall system implemented using [nftables](https://en.wikipedia.org/wiki/Nftables) to ensure platform security.
-The primary focus is on managing outbound communication to prevent potential platform misuse while maintaining the flexibility needed for legitimate applications.
-## What is a Firewall?
-A Firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
-At Zerops, we implemented a robust firewall system to protect our platform and your applications.
-## Port Access Rules
-### UDP Ports
-*No restrictions*
-### TCP Ports
-#### **TCP ports 1-1024**
-The following specific ports are allowed:
-- **22** - SSH
-- **53** - DNS
-- **80** - HTTP
-- **123** - NTP
-- **443** - HTTPS
-- **587** - SMTP (with STARTTLS)
-*All other TCP ports in the range 1-1024 are **blocked** for security reasons, see below.*
-#### **TCP ports 1025-65535**
-*No restrictions*
-## Security Measures
-These firewall rules are strategically implemented to:
-- Prevent unauthorized use of the Zerops infrastructure for spam or network attacks
-- Protect Zerops and its users from potential security threats
-- Maintain compliance with security best practices
-## Common Use Cases
-### Standard Web Applications (HTTP/HTTPS)
-- Full access to HTTP/HTTPS communication (ports 80/443)
-- Unrestricted DNS queries (port 53)
-- Time synchronization via NTP (port 123)
-### Email Services
-- SMTP access through port 587 (with STARTTLS)
-- For detailed SMTP configuration, see our [SMTP documentation](/references/smtp)
-## Requesting Firewall Modifications
-If your application requires access to additional ports:
-1. Contact Zerops support at [support@zerops.io](mailto:support@zerops.io).
-2. Include in your request:
-   - Specific ports and protocols needed.
-   - Detailed explanation of your use case.
-   - Mention your Project ID and Organization ID from your Zerops Dashboard.
-
-----------------------------------------
-
 # References > Github Integration
 
 Discover how to seamlessly integrate your GitHub repository with Zerops for automated builds and deployments.
@@ -20368,7 +19824,163 @@ services:
     ```yaml
     APP_PRIVATE_KEY: |
       -----BEGIN PRIVATE KEY-----
-      MIIEvwIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDWRgQntuMGJfME
+      MIIEvwIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDWRgQntuMGJfME
+      wj9wLrBqNyUd13k1nRuzHZ3x5VJodRrPjX19M9gFXuY95zTJti6VOG+pZftzuTkf
+      +MlW9NwFEe/g0OomY6UwfKfPj4/ib3MPiASg2o4Ixqu0mv3IrLOsGmU25J38gAVQ
+      I3oohW4+B7Vp+2+RnLQCx1FsweWpa8wR0ffQwl0LsWSEWyutfSxi+5pbYwWORBOK
+      yESmGFqGBhMfl0KutBqNAGLt9IYS61bYIqnvfzHqE1uIH3/+ViNzMAr56xt8Lr5a
+      +Y84Mmer1h1wnh6OHnOE6y2sw+876RO8OjMTnHq6v1HDnKHQyCNHxDvpqihy7hly
+      RtCpC9fuCJC94lB0Gf65xgJC55Jx7gGRSbdLUhN2XZdQeAGPtdidz5KqC8S02fhi
+      DKe0C78hpUGD8MZU4GqvqlyiHoouBhKugkba7F0NeSOLVC9GPLdKNjt5AyCi72pQ
+      z8vXaBk8TIb7F+WeQ3NtLw8sgZj0XjXRtx/S6SSoTIOkIKB6hKsPV0k+Z7VaVJ+F
+      pXPsr2CbwcH0iyCJC6A6hLQWnDnts26PLcFck7hE6UjE4BsBhXQhcyMTe5Yai3y4
+      V5NWoHinkLO9NX2N2hBcpQWSSCbr0wSg33xAHROzcG1w5/n1fq46723CbWW3Gcsf
+      naL/hPIt3MSsiz28RqjHlB7qXiWEBQIDAQABAoICAQCemAYdSv0voMkFfaysoLIM
+      e7JqKwDY0OcepM4xq1VaYUqt0oDOOaArIXly2f01SzWhVrs2+3eoyLBiXKbRSLzM
+      t+D/WkHklh4/DBS8yPprU6grF7atQ/aawkl2jL1IWaNGv+aoQYA50pucHBYfhdr5
+      6IS649JJSV3nLJW01LLiuhm6Gtm8Vw+9RtgqKrziVOKUhLtT5q/HA9YfA2nkMeRW
+      jIp8+Fzvp/h64o1WqITP3gZSRR3YWSGdqiQ2VXJL0n+8kxOctQqL2KEl/s6lfpFD
+      G2CA6VeeQyWnfNY6qG8avcHQsJb7bfdc35xqFzWhrXCHftQFd98madrFvWpVpKF1
+      fjSrQAWHShgyCBQuBteWhYWFlWMkYX3tab6MUS8vUR3LQuv3NGEWvQMgxA2eBzq2
+      iPhTnCJ0EQIMgsBg+O6qW2JuJMdTwB2U+WlLJiJnSBQ5aWwDKjIIzoH17lYmDOvz
+      ij0ZbzHUx01wU5w58z8mi//PppQheaxIT0jZkoGXOmbMsCTv/UcxlqnVHJ1ysA8d
+      QgK+3L+7dyjl3k5IQNt9f49X/C5D0oPYGuzPuP37HzEZYZbYtz5CoICUf6nNFGBl
+      aetSTGRs6ePVqHlo1cZQdk5fIQwX7yelehEb/Cpjk0mv5sk8cJcYviAnkQyUBjOE
+      wujWkG9XTisPMl3c6pAkJQKCAQEA/5TAJKP/uGofwDxoFXg4zjyRsqWeWpIvny5E
+      K9avHPdqFcU1DGAVwUfw6z5Grx8QzWZbnPFI5KMvdVoLpDMubw1XWQCY5X7AD3Iu
+      C9C0cbE+vW8d0AKGEt2q4ERTMZ5dqJiAN/tGJ8wH9mQxOhoim1MPAb0PZJg6WHda
+      4uN/wnZCuhEVnU86vbKhMJUZYotxEiV3qokZzV7zwsYOdCDw5iipm6McrRVrfdyE
+      u4yIyorq9RB3JChhkgkKSLaFHpuG/YOSM0DQ3vizC57w3LpJ+i+d2FR7Z8fYPSSW
+      BF/hUBUNZG4kk4wxH9dYk27ohBSI2u44n50zrQGST36vxETodwKCAQEA1p/uia4V
+      cHilRd454sQMevtbZO2Zak/g7MzxIUIPI363CKCfjIu/t3iyJ5xohI6OVdqdvE0/
+      hEiVJkv5YNXNLvQFnF7y7z5/HKjkEe72TrZuBwWSoQx69UP9QymzMuV+41f8aVpc
+      c2Xe7XWXK+X56ZGRFND5sB8hd65G9D818Qi90kQyYlb43l8CyiylqYIYh8ldIqHU
+      jAzNGk65kpW6CkL9v/qloKrpAWxErAinB40MHBvgZULj7LijCt2orHOPjOjC1f8n
+      BDf9eBKT+gTLXifIggGBh0iBxen9d2S7/Wz4ySLX47ijDgH0aQO8d668z+c9As0t
+      lz1HmEqLtyLSYwKCAQBH3Y/ZvbOeK1kaOOIbh16Rvz5IuYE5fnmdjOjmWsuKnZda
+      38T24d28J3p661v8ygNzfiCslLwmbixeFx/G4A1idKHnCN/1SBrBPR3tfJYAkhJO
+      OfxsDQmeLG5r+UpbXWiAi8Eh/KnRbvGeOrYM3GR2wHgryPmXE6b0UTthKQ83owFI
+      SJ2HSkv+I0hn3MTyjLsSmy526W4z7UslrYNK7ChQz4ZBmS/rC2baUTOReQbNzRoc
+      JrEZnbEx2xDlOU1dOeZPSrvFZahVyiCuV9bqegdrLhB4T+kTWYJYTv1P5ZX5arIF
+      V2M5ieYWSftCGaGP4iZJSUrqts1dDGATsk/CJI4pAoIBAQCnIfYk2x6w7hJt/ScA
+      swCxCGpchzYv9rJGVTX1WzbkwjmQi1yTmwQZwPCjLgaqK0UmEE9DIriyr78OCp3R
+      Tc0xoi94XOw7aGSeEdtBJ+BA3YmDCFDt/wUFWAOyOJfmq5aLPao+9HIIHy1hp2+o
+      bLeXrpbXKgE2qJdsVpfEfjDoWZFQW3EM6YN1z3EhtXDwNnIZ07ImVPVqdlGGCgYy
+      40vzz8VAqdQu8MjwJbq4aSiBFdJ3VTICSPurDQFSZdiDKp5/8YZAFSjx/RPyXC1F
+      xlQEJ2DZ9IhErC76y0NppVVLfX+jSfHq0I6RSu5klNdAMB+ymvUE6Hh3TO4i5vI0
+      E/bXAoIBAQCEXLJhLE/imGPl1Fbqh4lnr2iRMzN3cPxb6DHiKoFXhY18/WWneXEI
+      8DwK0D+n8spX67YyelFqBjWi4JrG2KhZmPSBF7p7lPypjPdbjkCnSJ0Qjrvdo5ns
+      46CtmUH8d54SAdgRkXypc1y/3mOnVAhnSRUYm5mtDOtfG0dXdsfS/uDXVRZkTv7S
+      xjdaHi3Ap+oxTMS+zWfKvYAx5g0gTdvb+FdsN89T9XRRx+7N5TmG9D+sUAqNEWkH
+      7SG6By8x+JqhURZOF9T9n2TX7N9g/+c0y9J10Ol5r0rDFM4SSTX9A5NmqfNF6LO7
+      A0bX/JM8kHjLlJNrtioxcT+dX4lL6/zT
+      -----END PRIVATE KEY-----
+    ```
+  
+---
+### generateRSA4096Key (name)
+This Function Generates public and private RSA 4096bit key pairs (including SSH) and stores them for later use as internal variables with names using the base name and variants.
+  
+      Field
+      Details
+    
+      Syntax:
+      `)>`
+    
+      Variants:
+      The base name parameter stores all generated key versions as internal variables, combined with the Available Variants.
+    
+#### Available Variants
+  
+      Variant
+      Description
+      How to use with: `)>`
+    
+      Public
+      Public key version. This value is also returned by the called function.
+      ``
+    
+      PublicSsh
+      SSH formatted public key version. For use as the authorized key file.
+      ``
+    
+      Private
+      Private key version in the standard format.
+      ``
+    
+#### Usage in import YAML
+:::caution
+  These Generated keys are formatted as multiline strings. That means using the `|` syntax is necessary in import YAML.
+:::
+```yaml
+#yamlPreprocessor=on
+services:
+- hostname: app
+  type: nodejs@16
+  envSecrets:
+    GENERATED_PUBLIC_KEY: |
+      )>
+    APP_PUBLIC_KEY: |
+      
+    APP_PUBLIC_KEY_SSH: 
+    APP_PRIVATE_KEY: |
+      
+```
+#### Output of import YAML
+:::info
+  You can clearly see the multiline strings and the `|` syntax in Output.
+:::
+  
+    - Generated as a multiline value
+    - The same value as in APP_PUBLIC_KEY.
+    ```yaml
+    GENERATED_PUBLIC_KEY: |
+      -----BEGIN PUBLIC KEY-----
+      MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1kYEJ7bjBiXzBMI/cC6w
+      ajclHdd5NZ0bsx2d8eVSaHUaz419fTPYBV7mPec0ybYulThvqWX7c7k5H/jJVvTc
+      BRHv4NDqJmOlMHynz4+P4m9zD4gEoNqOCMartJr9yKyzrBplNuSd/IAFUCN6KIVu
+      Pge1aftvkZy0AsdRbMHlqWvMEdH30MJdC7FkhFsrrX0sYvuaW2MFjkQTishEphha
+      hgYTH5dCrrQajQBi7fSGEutW2CKp738x6hNbiB9//lYjczAK+esbfC6+WvmPODJn
+      q9YdcJ4ejh5zhOstrMPvO+kTvDozE5x6ur9Rw5yh0MgjR8Q76aoocu4ZckbQqQvX
+      7giQveJQdBn+ucYCQueSce4BkUm3S1ITdl2XUHgBj7XYnc+SqgvEtNn4YgyntAu/
+      IaVBg/DGVOBqr6pcoh6KLgYSroJG2uxdDXkji1QvRjy3SjY7eQMgou9qUM/L12gZ
+      PEyG+xflnkNzbS8PLIGY9F410bcf0ukkqEyDpCCgeoSrD1dJPme1WlSfhaVz7K9g
+      m8HB9IsgiQugOoS0Fpw57bNujy3BXJO4ROlIxOAbAYV0IXMjE3uWGot8uFeTVqB4
+      p5CzvTV9jdoQXKUFkkgm69MEoN98QB0Ts3BtcOf59X6uOu9twm1ltxnLH52i/4Ty
+      LdzErIs9vEaox5Qe6l4lhAUCAwEAAQ==
+      -----END PUBLIC KEY-----
+      ```
+  
+    - Generated as a multiline value.
+    - The same value as in GENERATED_PUBLIC_KEY.
+    ```yaml
+    APP_PUBLIC_KEY: |
+      -----BEGIN PUBLIC KEY-----
+      MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1kYEJ7bjBiXzBMI/cC6w
+      ajclHdd5NZ0bsx2d8eVSaHUaz419fTPYBV7mPec0ybYulThvqWX7c7k5H/jJVvTc
+      BRHv4NDqJmOlMHynz4+P4m9zD4gEoNqOCMartJr9yKyzrBplNuSd/IAFUCN6KIVu
+      Pge1aftvkZy0AsdRbMHlqWvMEdH30MJdC7FkhFsrrX0sYvuaW2MFjkQTishEphha
+      hgYTH5dCrrQajQBi7fSGEutW2CKp738x6hNbiB9//lYjczAK+esbfC6+WvmPODJn
+      q9YdcJ4ejh5zhOstrMPvO+kTvDozE5x6ur9Rw5yh0MgjR8Q76aoocu4ZckbQqQvX
+      7giQveJQdBn+ucYCQueSce4BkUm3S1ITdl2XUHgBj7XYnc+SqgvEtNn4YgyntAu/
+      IaVBg/DGVOBqr6pcoh6KLgYSroJG2uxdDXkji1QvRjy3SjY7eQMgou9qUM/L12gZ
+      PEyG+xflnkNzbS8PLIGY9F410bcf0ukkqEyDpCCgeoSrD1dJPme1WlSfhaVz7K9g
+      m8HB9IsgiQugOoS0Fpw57bNujy3BXJO4ROlIxOAbAYV0IXMjE3uWGot8uFeTVqB4
+      p5CzvTV9jdoQXKUFkkgm69MEoN98QB0Ts3BtcOf59X6uOu9twm1ltxnLH52i/4Ty
+      LdzErIs9vEaox5Qe6l4lhAUCAwEAAQ==
+      -----END PUBLIC KEY-----
+    ```
+  
+    - Generated as a single value
+    ```yaml
+    APP_PUBLIC_KEY_SSH: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDWRgQntuMGJfMEwj9wLrBqNyUd13k1nRuzHZ3x5VJodRrPjX19M9gFXuY95zTJti6VOG+pZftzuTkf+MlW9NwFEe/g0OomY6UwfKfPj4/ib3MPiASg2o4Ixqu0mv3IrLOsGmU25J38gAVQI3oohW4+B7Vp+2+RnLQCx1FsweWpa8wR0ffQwl0LsWSEWyutfSxi+5pbYwWORBOKyESmGFqGBhMfl0KutBqNAGLt9IYS61bYIqnvfzHqE1uIH3/+ViNzMAr56xt8Lr5a+Y84Mmer1h1wnh6OHnOE6y2sw+876RO8OjMTnHq6v1HDnKHQyCNHxDvpqihy7hlyRtCpC9fuCJC94lB0Gf65xgJC55Jx7gGRSbdLUhN2XZdQeAGPtdidz5KqC8S02fhiDKe0C78hpUGD8MZU4GqvqlyiHoouBhKugkba7F0NeSOLVC9GPLdKNjt5AyCi72pQz8vXaBk8TIb7F+WeQ3NtLw8sgZj0XjXRtx/S6SSoTIOkIKB6hKsPV0k+Z7VaVJ+FpXPsr2CbwcH0iyCJC6A6hLQWnDnts26PLcFck7hE6UjE4BsBhXQhcyMTe5Yai3y4V5NWoHinkLO9NX2N2hBcpQWSSCbr0wSg33xAHROzcG1w5/n1fq46723CbWW3GcsfnaL/hPIt3MSsiz28RqjHlB7qXiWEBQ==
+    ```
+  
+    - Generated as a multiline value
+    ```yaml
+    APP_PRIVATE_KEY: |
+      -----BEGIN PRIVATE KEY-----
+      MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDWRgQntuMGJfME
       wj9wLrBqNyUd13k1nRuzHZ3x5VJodRrPjX19M9gFXuY95zTJti6VOG+pZftzuTkf
       +MlW9NwFEe/g0OomY6UwfKfPj4/ib3MPiASg2o4Ixqu0mv3IrLOsGmU25J38gAVQ
       I3oohW4+B7Vp+2+RnLQCx1FsweWpa8wR0ffQwl0LsWSEWyutfSxi+5pbYwWORBOK
@@ -20421,441 +20033,746 @@ services:
       -----END PRIVATE KEY-----
     ```
   
+## Import modifiers
+Modifiers provide a simpler way to transform values compared to using functions alone. You can chain multiple modifiers together using the `|` symbol, making it easy to apply several transformations in sequence. They work with both string and function expressions - just add them between the `` markers, right before the closing `>`.
 ---
-### generateRSA4096Key (name)
-This Function Generates public and private RSA 4096bit key pairs (including SSH) and stores them for later use as internal variables with names using the base name and variants.
+### List of import modifiers
+  
+      Name
+      Description
+    
+      sha256
+      Generate a hash of the incoming string using sha256 algorithm.
+    
+      sha512
+      Generate a hash of the incoming string using sha512 algorithm.
+    
+      bcrypt
+      
+        Generate a hash of the incoming string using bcrypt algorithm.
+        Fixed configuration: Number of cycles = 11
+      
+      argon2id
+      
+        Generate a hash of the incoming string using argon2id algorithm.
+        Fixed configuration: Memory = 64MiB, Iterations = 4, Parallelism = 4, SaltLen = 16B, KeyLength = 32B
+      
+      toHex
+      Encodes provided string/bytes into hexadecimal
+    
+      toString
+      Encodes provided string/bytes into string comprised of [a-zA-Z0-9_-.]
+    
+      upper
+      Maps all unicode letters to their upper case
+    
+      lower
+      Maps all unicode letters to their lower case
+    
+      title
+      Maps all words to title case (first letter upper case, rest lower case)
+    
+      noop
+      Does nothing - used in tests
+    
+---
+### Examples of correctly using import modifiers
+    
+    - `, )>` will output a random string of 30 characters:
+    ```yaml
+    7a14c8e74bc98a0d74253b1d1a4ef6
+    ```
+    - `)| sha256>` will output the sha256 hash of the `` variable:
+    ```yaml
+    081b91d6dff5036229a92e2442fb65d7c8124571d4e70a2ac4729aeb86957407
+    ```
+    - `)| sha512>` will output the sha512 hash of the `` variable:
+    ```yaml
+    89c05547de0aa4926512a958f95ab8bf4096ceec63ad5aad4266890bfa059e0cc98917c54276ba4cd61f1dde4c8efda948fc967885c9dd50558ed939722ca10c
+    ```
+    - `)| bcrypt>` will output the bcrypt hash of the `` variable:
+    ```yaml
+    $2a$10$CxKZX0yIxdc7ts6eI5aBu.g.heAsFcePdMDEpnlViTlo3vGc//PXe
+    ```
+    - `)| argon2id>` will output the argon2id hash of the `` variable:
+    ```yaml
+    $argon2id$v=19$m=98304,t=1,p=3$uWBpmoUT3sfckXHyRF9hlg$8bGtNffuHxaRIgN99zCmJeGEYJF5BY2J9TwzqmezP28
+    ```
+  
+    - Using upper case modifier:
+    ```yaml
+    Input:  
+    Output: STATIC STRING WITH A MODIFIER
+    ```
+    - Using lower case modifier:
+    ```yaml
+    Input:  
+    Output: static string with a modifier
+    ```
+    - Using title case modifier:
+    ```yaml
+    Input:  
+    Output: Static String With A Modifier
+    ```
+    - Chaining multiple modifiers:
+    ```yaml
+    Input:  
+    Output: static string with a modifier
+    ```
+    - Using modifiers with functions:
+    ```yaml
+    Input:  ) | upper>
+    Output: 7A14C8E74BC98A0D74253B1D1A4EF6
+    
+    Input:  , ) | lower>)>
+    Output: h73ep149sd
+    ```
+:::tip Using a space before the pipe separator
+As you can see above, unlike the case of the string expression, using a space before the `|` separator in a function expression doesn't add an additional space character to the result.
+:::
+
+----------------------------------------
+
+# References > Import Yaml > Type List
+
+This is a list of all supported service types that can be used in import yaml configuration file.
+:::note
+Versions listed on the same line are aliases of the same underlying version.
+:::
+## Available service types
+### Static Services
+  
+      Service Type
+      Versions
+    
+      Nginx
+      
+      Static
+      
+### Containers and virtual machines
+  
+      Service Type
+      Versions
+    
+      Alpine
+      
+      Ubuntu
+      
+### Runtime services
+  
+      Service Type
+      Versions
+    
+      Bun
+      
+      Deno
+      
+      .NET
+      
+      Elixir
+      
+      Gleam
+      
+      Go
+      
+      Java
+      
+      Node.js
+      
+      PHP & Apache
+      
+      PHP & nginx
+      
+      Python
+      
+      Rust
+      
+### Database services
+  
+      Database Type
+      Versions
+    
+      KeyDB
+      
+      MariaDB
+      
+      PostgreSQL
+      
+      Qdrant
+      
+      Valkey
+      
+### Search Engine
+  
+      Search Engine
+      Versions
+    
+      Elasticsearch
+      
+      Meilisearch
+      
+      Typesense
+      
+### Message Broker
+  
+      Message Broker
+      Versions
+    
+      Kafka
+      
+      NATS
+      
+### Storage Services
+  
+      Database Type
+      Versions
+    
+      Object storage
+      
+      Shared storage
+      
+
+----------------------------------------
+
+# References > Import
+
+The Zerops YAML configuration provides powerful capabilities for both importing and exporting projects and services. This documentation covers how to define your infrastructure as code and move configurations between environments.
+## YAML Configuration Basics
+The Zerops YAML configuration can be used to create or replicate services in Zerops. You can import configurations in two ways:
+- **Using the GUI**:
+  - **For projects**: In the Zerops dashboard, click on **Import a project** in the Projects section
+  - **For services**: Navigate to a project's details page and click **Import services** in the services section
+- **Using the [CLI](/references/cli)**: Run `zcli project project-import` for projects or `zcli project service-import` for individual services
+Both methods provide straightforward ways to migrate or replicate infrastructure as needed.
+This section provides a comprehensive example of an import YAML configuration file, allowing you to define and import a project and its services with environment variables.
+```yaml
+# ==== Define a project to import ====
+project:
+  # REQUIRED. Name of your project
+  name: project0
+  # Project description
+  description: "This project is an example only"
+  # Project core package - LIGHT/SERIOUS
+  corePackage: SERIOUS
+  # List of project tags for filtering
+  tags:
+    - test
+    - dev
+  # Project-level environment variables
+  envVariables:
+    LOG_LEVEL: info
+    API_VERSION: v1
+# ==== Define a list of services to import into the project ====
+services:
+  # REQUIRED. Name of your service
+  - hostname: app
+    # REQUIRED. Choose from list of supported technologies and their versions
+    type: nodejs@22
+    # HA or NON_HA mode
+    mode: HA
+    # Map of secret environment variables
+    envSecrets:
+      SECRET_KEY: )>
+    # Environment variables defined in .env format (automatically creates secret envs)
+    dotEnvSecrets: |
+      APP_KEY=)>
+      DB_PASSWORD=secure123
+    # Object storage size in GB
+    objectStorageSize: 2
+    # Choose object storage policy from a predefined list
+    objectStoragePolicy: public-read-write
+    # Define additional policy
+    objectStorageRawPolicy:
+    # One time build git repository
+    buildFromGit: https://github.com/myorg/myapp
+    # true or false
+    enableSubdomainAccess: true
+    # The higher the sooner the service is created
+    priority: 1
+    # Vertical autoscaling configuration object
+    verticalAutoscaling:
+      minCpu: 1
+      maxCpu: 3
+      # Choose SHARED or DEDICATED
+      cpuMode: DEDICATED
+      minRam: 1
+      maxRam: 4
+      minDisk: 1
+      maxDisk: 10
+      startCpuCoreCount: 2
+      minFreeCpuCores: 0.5
+      minFreeCpuPercent: 20
+      minFreeRamGB: 0.5
+      minFreeRamPercent: 20
+    # Minimum number of containers
+    minContainers: 2
+    # Maximum number of containers
+    maxContainers: 6
+    # List of shared storage services to connect to
+    mount:
+      - teststorage1
+    # Full nginx config
+    nginxConfig: |-
+      server {
+          listen 80 default_server;
+          listen [::]:80 default_server;
+          server_name _;
+          root /var/www;
+          location / {
+              try_files $uri $uri/ /index.html;
+          }
+          access_log syslog:server=unix:/dev/log,facility=local1 default_short;
+          error_log syslog:server=unix:/dev/log,facility=local1;
+      }
+    # Zerops.yaml configuration
+    zeropsSetup: backendapi
+    zeropsYaml:
+      zerops:
+        - setup: backendapi
+          build:
+            base: nodejs@22
+            buildCommands:
+              - npm ci
+              - npm run build
+            deployFiles: ./
+            cache: node_modules
+          run:
+            initCommands:
+              - npm run db:migrate
+            start: npm start
+    # When set to true, enables overriding an existing runtime service with the same hostname and triggers a redeploy
+    override: false
+  # REQUIRED. Name of your other service
+  - hostname: teststorage1
+    type: shared-storage
+    ...
+```
+:::note
+The example above is a general guideline; not all keys are valid for every service type. For technology-specific details, refer to the **Create service** page in the **How To** section of the Zerops documentation.
+- `REQUIRED.` If a parent object is defined, the key-value pair is required to be filled. All other key-value pairs are optional.
+:::
+## Project Configuration
+The project configuration is used to define the project you want to import.
+### Usage
   
       Field
-      Details
+      Type
+      Description
     
-      Syntax:
-      `)>`
+      project
+      object
+      _REQUIRED, if a whole project is imported_ 
+Only one project can be defined.
     
-      Variants:
-      The base name parameter stores all generated key versions as internal variables, combined with the Available Variants.
+      name
+      string, REQUIRED
+      The name of the new project. Duplicates are allowed.
     
-#### Available Variants
-  
-      Variant
-      Description
-      How to use with: `)>`
+      description
+      string
+      Description of the new project.
     
-      Public
-      Public key version. This value is also returned by the called function.
-      ``
+      corePackage
+      string
+      [Core package](/features/infrastructure#project-core-options) of the new project. 
+Values: LIGHT/SERIOUS (default LIGHT)
     
-      PublicSsh
-      SSH formatted public key version. For use as the authorized key file.
-      ``
+      tags
+      list of strings
+      One or more string tags.
+Tags provide better orientation in projects.
     
-      Private
-      Private key version in the standard format.
-      ``
+      envVariables
+      map[string]string
+      [Project-level environment variables](/features/env-variables#project-variables) that are available to all services in the project.
     
-#### Usage in import YAML
-:::caution
-  These Generated keys are formatted as multiline strings. That means using the `|` syntax is necessary in import YAML.
+:::important
+The `corePackage` value can be upgraded later from Lightweight to Serious Core, but cannot be downgraded. Upgrades involve a brief service disruption and are partially destructive (logs/statistics are lost). Make sure to choose a suitable core package for your project. Learn more about [core upgrade process](/features/infrastructure#project-core-upgrade).
 :::
+This example will create a project named `project0` with [serious core](/features/infrastructure#serious-core) package and the description `This project is an example only`. The project will have two tags: `test` and `dev`, and two environment variables: `LOG_LEVEL` and `API_VERSION`:
+```yaml
+# ==== Define a project to import ====
+project:
+  # REQUIRED. Name of your project
+  name: project0
+  # Project description
+  description: "This project is an example only"
+  # Project core package
+  corePackage: LIGHT
+  # List of project tags for filtering
+  tags:
+    - test
+    - dev
+  # Project-level environment variables
+  envVariables:
+    LOG_LEVEL: info
+    API_VERSION: v1
+```
+## Service Configuration
+The service configuration defines one or more services to import into your project. Services are specified as an array under the `services` key, allowing you to configure multiple services in a single YAML file. You need at least one service and either an existing project to import into or a project defined in the YAML file.
+The Service Configuration section is divided into multiple subsections for better organization:
+- [**Service Basic Configuration**](#service-basic-configuration) - Core parameters like hostname, type, mode, and environment variables
+- [**Service Vertical Autoscaling**](#service-vertical-autoscaling) - CPU, RAM, and disk scaling settings
+- [**Service Horizontal Autoscaling**](#service-horizontal-autoscaling) - Container count scaling settings
+- [**Service Mount Shared Storage**](#service-mount-shared-storage) - Connecting to shared storage services
+- [**Service Nginx Configuration**](#service-nginx-configuration) - Custom web server settings
+- [**Service zerops.yaml Configuration**](#service-zeropsyaml-configuration) - Build and run configurations
 ```yaml
 #yamlPreprocessor=on
 services:
-- hostname: app
-  type: nodejs@16
-  envSecrets:
-    GENERATED_PUBLIC_KEY: |
-      )>
-    APP_PUBLIC_KEY: |
-      
-    APP_PUBLIC_KEY_SSH: 
-    APP_PRIVATE_KEY: |
-      
-```
-#### Output of import YAML
-:::info
-  You can clearly see the multiline strings and the `|` syntax in Output.
-:::
-  
-    - Generated as a multiline value
-    - The same value as in APP_PUBLIC_KEY.
-    ```yaml
-    GENERATED_PUBLIC_KEY: |
-      -----BEGIN PUBLIC KEY-----
-      MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1kYEJ7bjBiXzBMI/cC6w
-      ajclHdd5NZ0bsx2d8eVSaHUaz419fTPYBV7mPec0ybYulThvqWX7c7k5H/jJVvTc
-      BRHv4NDqJmOlMHynz4+P4m9zD4gEoNqOCMartJr9yKyzrBplNuSd/IAFUCN6KIVu
-      Pge1aftvkZy0AsdRbMHlqWvMEdH30MJdC7FkhFsrrX0sYvuaW2MFjkQTishEphha
-      hgYTH5dCrrQajQBi7fSGEutW2CKp738x6hNbiB9//lYjczAK+esbfC6+WvmPODJn
-      q9YdcJ4ejh5zhOstrMPvO+kTvDozE5x6ur9Rw5yh0MgjR8Q76aoocu4ZckbQqQvX
-      7giQveJQdBn+ucYCQueSce4BkUm3S1ITdl2XUHgBj7XYnc+SqgvEtNn4YgyntAu/
-      IaVBg/DGVOBqr6pcoh6KLgYSroJG2uxdDXkji1QvRjy3SjY7eQMgou9qUM/L12gZ
-      PEyG+xflnkNzbS8PLIGY9F410bcf0ukkqEyDpCCgeoSrD1dJPme1WlSfhaVz7K9g
-      m8HB9IsgiQugOoS0Fpw57bNujy3BXJO4ROlIxOAbAYV0IXMjE3uWGot8uFeTVqB4
-      p5CzvTV9jdoQXKUFkkgm69MEoN98QB0Ts3BtcOf59X6uOu9twm1ltxnLH52i/4Ty
-      LdzErIs9vEaox5Qe6l4lhAUCAwEAAQ==
-      -----END PUBLIC KEY-----
-      ```
-  
-    - Generated as a multiline value.
-    - The same value as in GENERATED_PUBLIC_KEY.
-    ```yaml
-    APP_PUBLIC_KEY: |
-      -----BEGIN PUBLIC KEY-----
-      MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1kYEJ7bjBiXzBMI/cC6w
-      ajclHdd5NZ0bsx2d8eVSaHUaz419fTPYBV7mPec0ybYulThvqWX7c7k5H/jJVvTc
-      BRHv4NDqJmOlMHynz4+P4m9zD4gEoNqOCMartJr9yKyzrBplNuSd/IAFUCN6KIVu
-      Pge1aftvkZy0AsdRbMHlqWvMEdH30MJdC7FkhFsrrX0sYvuaW2MFjkQTishEphha
-      hgYTH5dCrrQajQBi7fSGEutW2CKp738x6hNbiB9//lYjczAK+esbfC6+WvmPODJn
-      q9YdcJ4ejh5zhOstrMPvO+kTvDozE5x6ur9Rw5yh0MgjR8Q76aoocu4ZckbQqQvX
-      7giQveJQdBn+ucYCQueSce4BkUm3S1ITdl2XUHgBj7XYnc+SqgvEtNn4YgyntAu/
-      IaVBg/DGVOBqr6pcoh6KLgYSroJG2uxdDXkji1QvRjy3SjY7eQMgou9qUM/L12gZ
-      PEyG+xflnkNzbS8PLIGY9F410bcf0ukkqEyDpCCgeoSrD1dJPme1WlSfhaVz7K9g
-      m8HB9IsgiQugOoS0Fpw57bNujy3BXJO4ROlIxOAbAYV0IXMjE3uWGot8uFeTVqB4
-      p5CzvTV9jdoQXKUFkkgm69MEoN98QB0Ts3BtcOf59X6uOu9twm1ltxnLH52i/4Ty
-      LdzErIs9vEaox5Qe6l4lhAUCAwEAAQ==
-      -----END PUBLIC KEY-----
-    ```
-  
-    - Generated as a single value
-    ```yaml
-    APP_PUBLIC_KEY_SSH: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDWRgQntuMGJfMEwj9wLrBqNyUd13k1nRuzHZ3x5VJodRrPjX19M9gFXuY95zTJti6VOG+pZftzuTkf+MlW9NwFEe/g0OomY6UwfKfPj4/ib3MPiASg2o4Ixqu0mv3IrLOsGmU25J38gAVQI3oohW4+B7Vp+2+RnLQCx1FsweWpa8wR0ffQwl0LsWSEWyutfSxi+5pbYwWORBOKyESmGFqGBhMfl0KutBqNAGLt9IYS61bYIqnvfzHqE1uIH3/+ViNzMAr56xt8Lr5a+Y84Mmer1h1wnh6OHnOE6y2sw+876RO8OjMTnHq6v1HDnKHQyCNHxDvpqihy7hlyRtCpC9fuCJC94lB0Gf65xgJC55Jx7gGRSbdLUhN2XZdQeAGPtdidz5KqC8S02fhiDKe0C78hpUGD8MZU4GqvqlyiHoouBhKugkba7F0NeSOLVC9GPLdKNjt5AyCi72pQz8vXaBk8TIb7F+WeQ3NtLw8sgZj0XjXRtx/S6SSoTIOkIKB6hKsPV0k+Z7VaVJ+FpXPsr2CbwcH0iyCJC6A6hLQWnDnts26PLcFck7hE6UjE4BsBhXQhcyMTe5Yai3y4V5NWoHinkLO9NX2N2hBcpQWSSCbr0wSg33xAHROzcG1w5/n1fq46723CbWW3GcsfnaL/hPIt3MSsiz28RqjHlB7qXiWEBQ==
-    ```
-  
-    - Generated as a multiline value
-    ```yaml
-    APP_PRIVATE_KEY: |
-      -----BEGIN PRIVATE KEY-----
-      MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDWRgQntuMGJfME
-      wj9wLrBqNyUd13k1nRuzHZ3x5VJodRrPjX19M9gFXuY95zTJti6VOG+pZftzuTkf
-      +MlW9NwFEe/g0OomY6UwfKfPj4/ib3MPiASg2o4Ixqu0mv3IrLOsGmU25J38gAVQ
-      I3oohW4+B7Vp+2+RnLQCx1FsweWpa8wR0ffQwl0LsWSEWyutfSxi+5pbYwWORBOK
-      yESmGFqGBhMfl0KutBqNAGLt9IYS61bYIqnvfzHqE1uIH3/+ViNzMAr56xt8Lr5a
-      +Y84Mmer1h1wnh6OHnOE6y2sw+876RO8OjMTnHq6v1HDnKHQyCNHxDvpqihy7hly
-      RtCpC9fuCJC94lB0Gf65xgJC55Jx7gGRSbdLUhN2XZdQeAGPtdidz5KqC8S02fhi
-      DKe0C78hpUGD8MZU4GqvqlyiHoouBhKugkba7F0NeSOLVC9GPLdKNjt5AyCi72pQ
-      z8vXaBk8TIb7F+WeQ3NtLw8sgZj0XjXRtx/S6SSoTIOkIKB6hKsPV0k+Z7VaVJ+F
-      pXPsr2CbwcH0iyCJC6A6hLQWnDnts26PLcFck7hE6UjE4BsBhXQhcyMTe5Yai3y4
-      V5NWoHinkLO9NX2N2hBcpQWSSCbr0wSg33xAHROzcG1w5/n1fq46723CbWW3Gcsf
-      naL/hPIt3MSsiz28RqjHlB7qXiWEBQIDAQABAoICAQCemAYdSv0voMkFfaysoLIM
-      e7JqKwDY0OcepM4xq1VaYUqt0oDOOaArIXly2f01SzWhVrs2+3eoyLBiXKbRSLzM
-      t+D/WkHklh4/DBS8yPprU6grF7atQ/aawkl2jL1IWaNGv+aoQYA50pucHBYfhdr5
-      6IS649JJSV3nLJW01LLiuhm6Gtm8Vw+9RtgqKrziVOKUhLtT5q/HA9YfA2nkMeRW
-      jIp8+Fzvp/h64o1WqITP3gZSRR3YWSGdqiQ2VXJL0n+8kxOctQqL2KEl/s6lfpFD
-      G2CA6VeeQyWnfNY6qG8avcHQsJb7bfdc35xqFzWhrXCHftQFd98madrFvWpVpKF1
-      fjSrQAWHShgyCBQuBteWhYWFlWMkYX3tab6MUS8vUR3LQuv3NGEWvQMgxA2eBzq2
-      iPhTnCJ0EQIMgsBg+O6qW2JuJMdTwB2U+WlLJiJnSBQ5aWwDKjIIzoH17lYmDOvz
-      ij0ZbzHUx01wU5w58z8mi//PppQheaxIT0jZkoGXOmbMsCTv/UcxlqnVHJ1ysA8d
-      QgK+3L+7dyjl3k5IQNt9f49X/C5D0oPYGuzPuP37HzEZYZbYtz5CoICUf6nNFGBl
-      aetSTGRs6ePVqHlo1cZQdk5fIQwX7yelehEb/Cpjk0mv5sk8cJcYviAnkQyUBjOE
-      wujWkG9XTisPMl3c6pAkJQKCAQEA/5TAJKP/uGofwDxoFXg4zjyRsqWeWpIvny5E
-      K9avHPdqFcU1DGAVwUfw6z5Grx8QzWZbnPFI5KMvdVoLpDMubw1XWQCY5X7AD3Iu
-      C9C0cbE+vW8d0AKGEt2q4ERTMZ5dqJiAN/tGJ8wH9mQxOhoim1MPAb0PZJg6WHda
-      4uN/wnZCuhEVnU86vbKhMJUZYotxEiV3qokZzV7zwsYOdCDw5iipm6McrRVrfdyE
-      u4yIyorq9RB3JChhkgkKSLaFHpuG/YOSM0DQ3vizC57w3LpJ+i+d2FR7Z8fYPSSW
-      BF/hUBUNZG4kk4wxH9dYk27ohBSI2u44n50zrQGST36vxETodwKCAQEA1p/uia4V
-      cHilRd454sQMevtbZO2Zak/g7MzxIUIPI363CKCfjIu/t3iyJ5xohI6OVdqdvE0/
-      hEiVJkv5YNXNLvQFnF7y7z5/HKjkEe72TrZuBwWSoQx69UP9QymzMuV+41f8aVpc
-      c2Xe7XWXK+X56ZGRFND5sB8hd65G9D818Qi90kQyYlb43l8CyiylqYIYh8ldIqHU
-      jAzNGk65kpW6CkL9v/qloKrpAWxErAinB40MHBvgZULj7LijCt2orHOPjOjC1f8n
-      BDf9eBKT+gTLXifIggGBh0iBxen9d2S7/Wz4ySLX47ijDgH0aQO8d668z+c9As0t
-      lz1HmEqLtyLSYwKCAQBH3Y/ZvbOeK1kaOOIbh16Rvz5IuYE5fnmdjOjmWsuKnZda
-      38T24d28J3p661v8ygNzfiCslLwmbixeFx/G4A1idKHnCN/1SBrBPR3tfJYAkhJO
-      OfxsDQmeLG5r+UpbXWiAi8Eh/KnRbvGeOrYM3GR2wHgryPmXE6b0UTthKQ83owFI
-      SJ2HSkv+I0hn3MTyjLsSmy526W4z7UslrYNK7ChQz4ZBmS/rC2baUTOReQbNzRoc
-      JrEZnbEx2xDlOU1dOeZPSrvFZahVyiCuV9bqegdrLhB4T+kTWYJYTv1P5ZX5arIF
-      V2M5ieYWSftCGaGP4iZJSUrqts1dDGATsk/CJI4pAoIBAQCnIfYk2x6w7hJt/ScA
-      swCxCGpchzYv9rJGVTX1WzbkwjmQi1yTmwQZwPCjLgaqK0UmEE9DIriyr78OCp3R
-      Tc0xoi94XOw7aGSeEdtBJ+BA3YmDCFDt/wUFWAOyOJfmq5aLPao+9HIIHy1hp2+o
-      bLeXrpbXKgE2qJdsVpfEfjDoWZFQW3EM6YN1z3EhtXDwNnIZ07ImVPVqdlGGCgYy
-      40vzz8VAqdQu8MjwJbq4aSiBFdJ3VTICSPurDQFSZdiDKp5/8YZAFSjx/RPyXC1F
-      xlQEJ2DZ9IhErC76y0NppVVLfX+jSfHq0I6RSu5klNdAMB+ymvUE6Hh3TO4i5vI0
-      E/bXAoIBAQCEXLJhLE/imGPl1Fbqh4lnr2iRMzN3cPxb6DHiKoFXhY18/WWneXEI
-      8DwK0D+n8spX67YyelFqBjWi4JrG2KhZmPSBF7p7lPypjPdbjkCnSJ0Qjrvdo5ns
-      46CtmUH8d54SAdgRkXypc1y/3mOnVAhnSRUYm5mtDOtfG0dXdsfS/uDXVRZkTv7S
-      xjdaHi3Ap+oxTMS+zWfKvYAx5g0gTdvb+FdsN89T9XRRx+7N5TmG9D+sUAqNEWkH
-      7SG6By8x+JqhURZOF9T9n2TX7N9g/+c0y9J10Ol5r0rDFM4SSTX9A5NmqfNF6LO7
-      A0bX/JM8kHjLlJNrtioxcT+dX4lL6/zT
-      -----END PRIVATE KEY-----
-    ```
-  
-## Import modifiers
-Modifiers provide a simpler way to transform values compared to using functions alone. You can chain multiple modifiers together using the `|` symbol, making it easy to apply several transformations in sequence. They work with both string and function expressions - just add them between the `` markers, right before the closing `>`.
----
-### List of import modifiers
+  - hostname: app           # REQUIRED: Unique service identifier
+    type: nodejs@22                 # REQUIRED: Service type and version
+    mode: HA                        # HA or NON_HA mode (default: NON_HA)
+    # Environment variables
+    envSecrets:                     # Secret environment variables (blurred in GUI)
+      SECRET_KEY: )>  # Generated random string
+    dotEnvSecrets: |                # Environment vars in .env format
+      APP_KEY=)>
+    # Storage configuration
+    objectStorageSize: 2            # Object storage size in GB
+    objectStoragePolicy: public-read-write  # Predefined S3 bucket policy
+    # Note: Typically you would use either objectStoragePolicy OR objectStorageRawPolicy, not both
+    objectStorageRawPolicy: |       # Custom S3 bucket policy
+      {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Effect": "Allow",
+            "Principal": "*",
+            "Action": ["s3:GetObject"],
+            "Resource": ["arn:aws:s3:::{{ .BucketName }}/*"]
+          }
+        ]
+      }
+    # Build and deployment
+    buildFromGit: https://github.com/myorg/myapp  # Git repo for one-time build
+    enableSubdomainAccess: true     # Enable public access via Zerops subdomain
+    priority: 1                     # Higher priority services are created sooner
+    override: true                  # When true, triggers redeploy of existing service
+    # Vertical autoscaling
+    verticalAutoscaling:
+      minCpu: 1                     # Minimum number of virtual CPUs
+      maxCpu: 3                     # Maximum number of virtual CPUs
+      cpuMode: DEDICATED            # SHARED or DEDICATED CPU mode
+      minRam: 1                     # Minimum RAM in GB
+      maxRam: 4                     # Maximum RAM in GB
+      minDisk: 1                    # Minimum disk space in GB
+      maxDisk: 10                   # Maximum disk space in GB
+      startCpuCoreCount: 2          # Initial CPU core count
+      minFreeCpuCores: 0.5          # Min free CPU cores before scaling
+      minFreeCpuPercent: 20         # Min free CPU percentage before scaling
+      minFreeRamGB: 0.5             # Min free RAM in GB before scaling
+      minFreeRamPercent: 20         # Min free RAM percentage before scaling
+    # Horizontal autoscaling
+    minContainers: 2                # Minimum number of containers (default: 1, max: 10)
+    maxContainers: 6                # Maximum number of containers (max: 10)
+    # Shared storage
+    mount:                          # List of shared storage services to mount
+      - teststorage1
+    # Nginx configuration
+    nginxConfig: |-                 # Custom nginx configuration
+      server {
+          listen 80 default_server;
+          listen [::]:80 default_server;
+          server_name _;
+          root /var/www/public;
+          location / {
+              try_files $uri $uri/ /index.html;
+          }
+          access_log syslog:server=unix:/dev/log,facility=local1 default_short;
+          error_log syslog:server=unix:/dev/log,facility=local1;
+      }
+    # Zerops.yaml configuration
+    zeropsSetup: backendapi          # Service setup name from zeropsYaml or repo
+    zeropsYaml:                     # Full zerops.yaml configuration
+      zerops:
+        - setup: backendapi
+          build:
+            base: nodejs@22
+            buildCommands:
+              - npm ci
+              - npm run build
+            deployFiles: ./
+            cache: node_modules
+          run:
+            initCommands:
+              - npm run db:migrate
+            start: npm start
+  # A second, simpler service example
+  - hostname: teststorage1
+    type: shared-storage
+```
+This example includes all possible configuration options for Zerops services. Not all options are required or applicable to every service type. The example shows two services in the same YAML file: a fully configured Node.js API service and a simpler static frontend service.
+### Service Basic Configuration
   
-      Name
+      Field
+      Type
       Description
     
-      sha256
-      Generate a hash of the incoming string using sha256 algorithm.
-    
-      sha512
-      Generate a hash of the incoming string using sha512 algorithm.
+      services
+      list of objects, REQUIRED
+      At least one service is required.
     
-      bcrypt
-      
-        Generate a hash of the incoming string using bcrypt algorithm.
-        Fixed configuration: Number of cycles = 11
-      
-      argon2id
+      hostname
+      string, REQUIRED
       
-        Generate a hash of the incoming string using argon2id algorithm.
-        Fixed configuration: Memory = 64MiB, Iterations = 4, Parallelism = 4, SaltLen = 16B, KeyLength = 32B
+        The unique service identifier.
+        Limitations:
+        - duplicates in the same project forbidden
+        - maximum 25 characters, lowercase ASCII letters (a-z) or numbers (0-9) only
       
-      toHex
-      Encodes provided string/bytes into hexadecimal
-    
-      toString
-      Encodes provided string/bytes into string comprised of [a-zA-Z0-9_-.]
-    
-      upper
-      Maps all unicode letters to their upper case
-    
-      lower
-      Maps all unicode letters to their lower case
+      type
+      enum, REQUIRED
+      Specifies the service type and version. See [supported types](/references/import-yaml/type-list).
     
-      title
-      Maps all words to title case (first letter upper case, rest lower case)
+      mode
+      enum
+      Values: HA / NON_HA (default NON_HA)
+Defines the operation mode of the service.
     
-      noop
-      Does nothing - used in tests
+      envSecrets
+      map[string]string
+      Environment variables that are blurred by default in Zerops GUI. Can be edited or deleted in Zerops GUI.
     
----
-### Examples of correctly using import modifiers
+      dotEnvSecrets
+      string (multiline)
+      Environment variables in .env file format that are automatically created as secret envs.
     
-    - `, )>` will output a random string of 30 characters:
-    ```yaml
-    7a14c8e74bc98a0d74253b1d1a4ef6
-    ```
-    - `)| sha256>` will output the sha256 hash of the `` variable:
-    ```yaml
-    081b91d6dff5036229a92e2442fb65d7c8124571d4e70a2ac4729aeb86957407
-    ```
-    - `)| sha512>` will output the sha512 hash of the `` variable:
-    ```yaml
-    89c05547de0aa4926512a958f95ab8bf4096ceec63ad5aad4266890bfa059e0cc98917c54276ba4cd61f1dde4c8efda948fc967885c9dd50558ed939722ca10c
-    ```
-    - `)| bcrypt>` will output the bcrypt hash of the `` variable:
-    ```yaml
-    $2a$10$CxKZX0yIxdc7ts6eI5aBu.g.heAsFcePdMDEpnlViTlo3vGc//PXe
-    ```
-    - `)| argon2id>` will output the argon2id hash of the `` variable:
-    ```yaml
-    $argon2id$v=19$m=98304,t=1,p=3$uWBpmoUT3sfckXHyRF9hlg$8bGtNffuHxaRIgN99zCmJeGEYJF5BY2J9TwzqmezP28
-    ```
-  
-    - Using upper case modifier:
-    ```yaml
-    Input:  
-    Output: STATIC STRING WITH A MODIFIER
-    ```
-    - Using lower case modifier:
-    ```yaml
-    Input:  
-    Output: static string with a modifier
-    ```
-    - Using title case modifier:
-    ```yaml
-    Input:  
-    Output: Static String With A Modifier
-    ```
-    - Chaining multiple modifiers:
-    ```yaml
-    Input:  
-    Output: static string with a modifier
-    ```
-    - Using modifiers with functions:
-    ```yaml
-    Input:  ) | upper>
-    Output: 7A14C8E74BC98A0D74253B1D1A4EF6
+      objectStorageSize
+      integer
+      Object storage size in GB.
     
-    Input:  , ) | lower>)>
-    Output: h73ep149sd
-    ```
-:::tip Using a space before the pipe separator
-As you can see above, unlike the case of the string expression, using a space before the `|` separator in a function expression doesn't add an additional space character to the result.
-:::
-
-----------------------------------------
-
-# References > Import Yaml > Type List
-
-This is a list of all supported service types that can be used in import yaml configuration file.
-:::note
-Versions listed on the same line are aliases of the same underlying version.
+      objectStoragePolicy
+      enum
+      
+        Values: **private / public-read / public-objects-read / public-write / public-read-write / custom**
+        Select a predefined AWS S3 bucket access policy.
+      
+      objectStorageRawPolicy
+      json
+      
+        Define your own AWS S3 bucket access policy. See [AWS docs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html) for details.
+        Use `{{ .BucketName }}` placeholder if you need to use bucket name in your custom policy rules.
+      
+      buildFromGit
+      string (URL)
+      
+        A URL of a Github or Gitlab repository used for a one-time build of your service.
+      
+      enableSubdomainAccess
+      boolean
+      
+        Default: `false`
+        Set `true`, if you want to enable a public access to your service via a Zerops subdomain. Not suitable for production.
+      
+      priority
+      integer
+      
+        Services are sorted before creation by priority in descending order, i.e. the higher the priority the sooner the service is created.
+      
+      override
+      boolean
+      
+        Default: `false`
+        This only works for **runtime** services.
+        The parameter allows you to replace an existing runtime service with the same hostname byt triggering a redeploy if the service already exists.
+      
+```yaml
+#yamlPreprocessor=on
+services:
+# REQUIRED: Name of your service
+- hostname: app
+  # REQUIRED: Choose from list of supported technologies and their versions
+  type: nodejs@22
+  # High-Availability or Non-High-Availability mode
+  mode: HA
+  # Map of secret environment variables
+  envSecrets:
+    SECRET_KEY: )>
+  # Environment variables in .env format
+  dotEnvSecrets: |
+    APP_KEY=)>
+  # Object storage size in GB
+  objectStorageSize: 2
+  # Choose object storage policy from a predefined list
+  objectStoragePolicy: public-read-write
+  # Define additional policy
+  objectStorageRawPolicy:
+  # One time build git repository
+  buildFromGit: https://github.com/myorg/myapp
+  # Enables public access via zerops.app subdomain
+  enableSubdomainAccess: true
+  # The higher the sooner the service is created
+  priority: 1
+  # When set to true, triggers a redeploy of an existing runtime service with the same hostname
+  override: false
+```
+This yaml will create a `nodejs@latest` service named `app` in `HA` (High-Availability) mode with the following configurations:
+- Environment variables:
+  - From `envSecrets`: `SECRET_KEY` (requires yamlPreprocessor)
+  - From `dotEnvSecrets`: `APP_KEY` in .env format (requires yamlPreprocessor)
+- Object storage: 2GB with `public-read-write` policy
+- Git repository: `https://github.com/zeropsio/recipe-nodejs`
+- Public access enabled via Zerops subdomain
+- Priority: 1
+- Override existing service: `false`
+The `services` object allows you to define one or more services in the same yaml file.
+:::caution
+The `yamlPreprocessor` option in your project & service import YAML is required to generate random secret values, passwords, and public/private key pairs. For more information, see the [yamlPreprocessor](/references/import-yaml/pre-processor) page.
 :::
-## Available service types
-### Static Services
+### Service Vertical Autoscaling
+The vertical autoscaling configuration defines how the service can scale its resources vertically.
   
-      Service Type
-      Versions
+      Field
+      Type
+      Description
     
-      Nginx
-      
-      Static
-      
-### Containers and virtual machines
-  
-      Service Type
-      Versions
+      minCpu
+      integer
+      Minimum number of virtual CPUs
     
-      Alpine
-      
-      Ubuntu
-      
-### Runtime services
-  
-      Service Type
-      Versions
+      maxCpu
+      integer
+      Maximum number of virtual CPUs
     
-      Bun
-      
-      Deno
-      
-      .NET
-      
-      Elixir
-      
-      Gleam
-      
-      Go
-      
-      Java
+      cpuMode
+      enum
+      Values: **SHARED / DEDICATED**
+    
+      minRam
+      float
       
-      Node.js
+        Minimum RAM in GB that each container of the service can scale down to.
       
-      PHP & Apache
+      maxRam
+      float
       
-      PHP & nginx
+        Maximum RAM in GB that each container of the service can scale up to.
       
-      Python
+      minDisk
+      float
       
-      Rust
+        Minimum disk space in GB that each container of the service can scale down to.
       
-### Database services
-  
-      Database Type
-      Versions
-    
-      KeyDB
+      maxDisk
+      float
       
-      MariaDB
+        Maximum disk space in GB that each container of the service can scale up to.
       
-      PostgreSQL
+      startCpuCoreCount
+      integer
       
-      Qdrant
+        Number of CPU cores with which each container starts.
       
-      Valkey
+      minFreeCpuCores
+      float
       
-### Search Engine
-  
-      Search Engine
-      Versions
-    
-      Elasticsearch
+        Minimum number of unused CPU cores before a container starts scaling.
       
-      Meilisearch
+      minFreeCpuPercent
+      float
       
-      Typesense
+        Minimum percentage of unused CPU cores before a container starts scaling.
       
-### Message Broker
-  
-      Message Broker
-      Versions
-    
-      Kafka
+      minFreeRamGB
+      float
       
-      NATS
+        Minimum unused memory in GB before a container starts scaling.
       
-### Storage Services
-  
-      Database Type
-      Versions
-    
-      Object storage
+      minFreeRamPercent
+      float
       
-      Shared storage
+        Minimum percentage of unused memory before a container starts scaling.
       
-
-----------------------------------------
-
-# References > Import
-
-The Zerops YAML configuration provides powerful capabilities for both importing and exporting projects and services. This documentation covers how to define your infrastructure as code and move configurations between environments.
-## YAML Configuration Basics
-The Zerops YAML configuration can be used to create or replicate services in Zerops. You can import configurations in two ways:
-- **Using the GUI**:
-  - **For projects**: In the Zerops dashboard, click on **Import a project** in the Projects section
-  - **For services**: Navigate to a project's details page and click **Import services** in the services section
-- **Using the [CLI](/references/cli)**: Run `zcli project project-import` for projects or `zcli project service-import` for individual services
-Both methods provide straightforward ways to migrate or replicate infrastructure as needed.
-This section provides a comprehensive example of an import YAML configuration file, allowing you to define and import a project and its services with environment variables.
 ```yaml
-# ==== Define a project to import ====
-project:
-  # REQUIRED. Name of your project
-  name: project0
-  # Project description
-  description: "This project is an example only"
-  # Project core package - LIGHT/SERIOUS
-  corePackage: SERIOUS
-  # List of project tags for filtering
-  tags:
-    - test
-    - dev
-  # Project-level environment variables
-  envVariables:
-    LOG_LEVEL: info
-    API_VERSION: v1
-# ==== Define a list of services to import into the project ====
 services:
-  # REQUIRED. Name of your service
   - hostname: app
-    # REQUIRED. Choose from list of supported technologies and their versions
     type: nodejs@22
-    # HA or NON_HA mode
-    mode: HA
-    # Map of secret environment variables
-    envSecrets:
-      SECRET_KEY: )>
-    # Environment variables defined in .env format (automatically creates secret envs)
-    dotEnvSecrets: |
-      APP_KEY=)>
-      DB_PASSWORD=secure123
-    # Object storage size in GB
-    objectStorageSize: 2
-    # Choose object storage policy from a predefined list
-    objectStoragePolicy: public-read-write
-    # Define additional policy
-    objectStorageRawPolicy:
-    # One time build git repository
     buildFromGit: https://github.com/myorg/myapp
-    # true or false
     enableSubdomainAccess: true
-    # The higher the sooner the service is created
-    priority: 1
-    # Vertical autoscaling configuration object
     verticalAutoscaling:
-      minCpu: 1
-      maxCpu: 3
-      # Choose SHARED or DEDICATED
-      cpuMode: DEDICATED
-      minRam: 1
-      maxRam: 4
-      minDisk: 1
-      maxDisk: 10
-      startCpuCoreCount: 2
-      minFreeCpuCores: 0.5
-      minFreeCpuPercent: 20
-      minFreeRamGB: 0.5
-      minFreeRamPercent: 20
+      minCpu: 1                     # Minimum number of virtual CPUs
+      maxCpu: 3                     # Maximum number of virtual CPUs
+      cpuMode: DEDICATED            # SHARED or DEDICATED CPU mode
+      minRam: 1                     # Minimum RAM in GB
+      maxRam: 4                     # Maximum RAM in GB
+      minDisk: 1                    # Minimum disk space in GB
+      maxDisk: 10                   # Maximum disk space in GB
+      startCpuCoreCount: 2          # Initial CPU core count
+      minFreeCpuCores: 0.5          # Min free CPU cores before scaling
+      minFreeCpuPercent: 20         # Min free CPU percentage before scaling
+      minFreeRamGB: 0.5             # Min free RAM in GB before scaling
+      minFreeRamPercent: 20         # Min free RAM percentage before scaling
+```
+This yaml will create a service with the hostname `app` with `php-nginx@8.4` runtime with `HA` High-Availability mode for vertical autoscaling:
+- CPU: `1-3` virtual CPUs in `DEDICATED` mode
+- RAM: `1-4 GB`
+- Disk Space: `1-10 GB`
+### Service Horizontal Autoscaling
+The horizontal autoscaling configuration is used to define the horizontal autoscaling settings for the service.
+  
+      Field
+      Type
+      Description
+    
+  minContainers
+  integer
+  Minimum number of containers of the service.
+Default: 1, maximum value: 10
+  maxContainers
+  integer
+  Maximum number of containers of the service.
+Maximum value: 10
+```yaml
+services:
+  - hostname: app
+    type: nodejs@22
+    buildFromGit: https://github.com/zeropsio/recipe-php
+    enableSubdomainAccess: true
     # Minimum number of containers
     minContainers: 2
     # Maximum number of containers
     maxContainers: 6
-    # List of shared storage services to connect to
+```
+The `minContainers` and `maxContainers` parameters allow you to define the minimum and maximum number of containers for the service. The service will automatically scale between these values as needed.
+### Service Mount Shared Storage
+The mount shared storage configuration defines which shared storage services should be mounted to the service.
+  
+      Field
+      Type
+      Description
+    
+    mount
+    list of strings
+    Mount shared storage to the service. `buildFromGit` must be filled.
+    
+```yaml
+services:
+  - hostname: app
+    type: nodejs@22
+    buildFromGit: https://github.com/myorg/myapp
+    enableSubdomainAccess: true
     mount:
       - teststorage1
-    # Full nginx config
+```
+The `mount:` parameter allows you to mount a shared storage (which should be created inside the project) to the service.
+### Service Nginx Configuration
+The nginx configuration defines the nginx settings for the service.
+  
+      Field
+      Type
+      Description
+    
+      nginxConfig
+      string (multiline)
+      Insert full nginx config.
+    
+```yaml
+#yamlPreprocessor=on
+services:
+  - hostname: app
+    type: php-nginx@8.4
+    enableSubdomainAccess: true
     nginxConfig: |-
       server {
           listen 80 default_server;
@@ -20868,753 +20785,1128 @@ services:
           access_log syslog:server=unix:/dev/log,facility=local1 default_short;
           error_log syslog:server=unix:/dev/log,facility=local1;
       }
-    # Zerops.yaml configuration
+```
+The `nginxConfig: |-` parameter allows you to specify a custom nginx configuration for the service.
+### Service zerops.yaml Configuration
+The `zeropsSetup` and `zeropsYaml` parameters provide flexibility in how you define and use your service configurations. Both parameters are optional and work together in the following ways:
+  
+      Field
+      Type
+      Description
+    
+      zeropsSetup
+      string
+      Specifies which service setup to use. This should match a setup name found in either the `zeropsYaml` parameter (if provided) or the `zerops.yaml` file in the repository root. If not specified, defaults to the service hostname.
+    
+      zeropsYaml
+      object
+      Contains the full [zerops.yaml configuration](/zerops-yaml/specification). If provided, this will be used instead of looking for a `zerops.yaml` file in the repository.
+    
+```yaml
+services:
+  - hostname: app
+    type: nodejs@22
+    buildFromGit: https://github.com/myorg/myapp
+    # Specify which setup to use from zerops.yaml
     zeropsSetup: backendapi
+    # Full zerops.yaml configuration
     zeropsYaml:
       zerops:
         - setup: backendapi
           build:
-            base: nodejs@22
+            base: nodejs@18
             buildCommands:
               - npm ci
               - npm run build
-            deployFiles: ./
+            deployFiles: ./dist
             cache: node_modules
           run:
             initCommands:
               - npm run db:migrate
             start: npm start
-    # When set to true, enables overriding an existing runtime service with the same hostname and triggers a redeploy
-    override: false
-  # REQUIRED. Name of your other service
-  - hostname: teststorage1
-    type: shared-storage
-    ...
 ```
-:::note
-The example above is a general guideline; not all keys are valid for every service type. For technology-specific details, refer to the **Create service** page in the **How To** section of the Zerops documentation.
-- `REQUIRED.` If a parent object is defined, the key-value pair is required to be filled. All other key-value pairs are optional.
+#### How They Work Together
+- **Neither parameter specified**:
+  - The system looks for a `zerops.yaml` file in the repository root
+  - It searches for a setup with a name that matches the service hostname
+- **Only `zeropsSetup` specified**:
+  - The system looks for a setup with the specified name in the `zerops.yaml` file in the repository root
+- **Only `zeropsYaml` specified**:
+  - The system uses the provided YAML configuration instead of looking for a file in the repository
+  - It searches for a setup with a name that matches the service hostname
+- **Both parameters specified**:
+  - The system uses the provided `zeropsYaml` configuration
+  - It specifically looks for the setup named in `zeropsSetup` within that YAML
+If the specified `zeropsSetup` does not exist in the available YAML configuration (either provided in `zeropsYaml` or found in the repository), the import will fail.
+## Export
+Zerops provides the ability to export your existing projects and services as YAML configurations through the GUI. This feature is particularly useful for:
+- Creating backups of your project configurations
+- Replicating project or service setups across different environments
+- Sharing project templates with team members
+- Creating version-controlled infrastructure configurations
+The exported YAML follows the same structure as the import YAML configuration detailed above. It will contain all the configuration parameters you've set for your project and services.
+### How to Export
+#### Exporting a Single Service
+Navigate to your service dashboard in the Zerops GUI, click the three-dot menu (⋮) in the top-right corner of the service card, and choose **Export service as yaml**.
+#### Exporting an Entire Project
+In the Zerops GUI, go to the project dashboard, click the three-dot menu (⋮) in the top-right corner of the project card, and select **Export project as yaml**.
+### Using Exported Configurations
+The exported YAML files are compatible with:
+- The Zerops GUI import functionality
+- The `zcli project project-import` command
+- The `zcli project service-import` command (for single service exports)
+This allows you to easily move configurations between environments or create new instances of your infrastructure.
+
+----------------------------------------
+
+# References > Logging
+
+## Overview
+Zerops automatically collects logs from all services in your project through a built-in logger service. These logs include runtime operations, database activities, build processes, and more.
+## Project-Wide Logs
+To view all project logs, navigate to your project detail and select the **Log Forwarding & Logs Overview** page. In the **Project logs overview** section, you'll find a consolidated view of all logging activity from all services with multiple filtering options.
+Additionally, from the same page, you can set up [log forwarding](#log-forwarding) to external logging services for more advanced analysis and long-term storage.
+## Service-Specific Logs
+Zerops provides different log types depending on the service:
+### Build Logs
+Shows the output from your build process:
+- **GUI**: Service detail → **Pipelines & CI/CD settings** section → Pipeline detail → Build log
+- **CLI**: zcli service log --showBuildLogs
+:::note
+The build log button is available only when the [build pipeline](/features/pipeline#build-phase) was triggered for the selected deploy.
+:::
+### Prepare Runtime Logs
+Documents the creation of a custom runtime image:
+- **GUI**: Service detail → **Pipelines & CI/CD settings** section → Pipeline detail → Prepare runtime log
+- **CLI**: *Not currently supported*
+:::note
+The prepare runtime log button is available only when the [prepare runtime phase](/features/pipeline#runtime-prepare-phase-optional) was triggered for the selected deploy.
+:::
+### Runtime/Database Logs
+Contains the operational output from your service.
+- **GUI**:
+  - Runtime services: Service detail → **Runtime logs**
+  - Database services: Service detail → **Database logs**
+- **CLI**: zcli service log
+:::note
+Each container has its own log. For services with multiple containers, select the specific container in the header. You can filter logs by severity level or time period.
+To view logs from all containers of a service combined, you can either use the Project logs view or click the **Go to full service log** button in the service detail page.
+:::
+:::important
+For severity levels to work properly in Zerops, your application must log to syslog.
+:::
+## Log Forwarding
+For more advanced log analysis and centralized logging, you can forward all your Zerops logs to external logging services. The Zerops logger service uses **syslog-ng** to enable this functionality.
+### Ready-Made Configurations
+Zerops provides pre-configured setups for popular logging services:
+- **[Better Stack](https://betterstack.com/)**
+- **[Papertrail](https://www.papertrail.com/)**
+To set up one of these integrations, go to your project detail, select **Log Forwarding & Logs Overview**, choose your preferred service, and follow the guided steps in the interface.
+### Custom Log Forwarding Configuration
+You can set up forwarding to any syslog-ng compatible software. To do this, navigate to your project detail, select **Log Forwarding & Logs Overview**, and choose the "Setup forwarding to any syslog-ng compatible software" option.
+When configuring your custom syslog-ng setup, note the following important details:
+#### Certificate Configuration
+- Certificates are located in `/etc/ssl/certs`
+- If your configuration references `/etc/syslog-ng/ca.d` or `/etc/syslog-ng/cert.d`, change these paths to `/etc/ssl/certs`
+- For custom certificates, you can use: `ca-file("/etc/syslog-ng/user.crt")`
+- You can combine custom certificates with standard certificates using: `ca-dir("/etc/ssl/certs")`
+  (This will verify both your custom certificate and standard certificates like those from LetsEncrypt)
+#### Source Configuration
+- Zerops uses `s_src` as the source configuration name
+- This differs from Papertrail, which might instruct you to "replace 's_sys' with the name you found" - in Zerops, always use `s_src` instead
+
+----------------------------------------
+
+# References > Networking > Cloudflare
+
+This guide provides step-by-step instructions for configuring Cloudflare to work with your Zerops applications, covering DNS records, proxy settings, SSL/TLS configuration, and common troubleshooting scenarios.
+## Prerequisites
+Before starting, ensure you have:
+- A Cloudflare account
+- A registered domain name
+- Access to your Zerops project with [domain access configured](/references/networking/public-access#custom-domain-access)
+- Your Zerops IP addresses (IPv4 and/or IPv6) from the Zerops GUI
+## DNS Record Configuration
+Configure your DNS records in Cloudflare using one of these approaches based on your needs:
+### With Cloudflare Proxy
+#### IPv6 only
+```bash
+Type    Name              Content                Proxy status   TTL
+AAAA             Proxied        Auto
+```
+Cloudflare handles IPv4 to IPv6 translation, making your service accessible to both IPv4 and IPv6 users. Uses Zerops' free dedicated IPv6 address.
+:::note
+Do not add a proxied A record with shared IPv4 when using this setup, as it would prevent proper IPv4 traffic routing.
+:::
+#### Dedicated IPv4
+```bash
+Type    Name              Content                Proxy status   TTL
+A              Proxied        Auto
+# Optional
+AAAA             Proxied        Auto
+```
+Uses your dedicated IPv4 address with Cloudflare's proxy features.
+:::tip
+Adding the AAAA record allows visitors with IPv6 support to connect directly via IPv6.
+:::
+#### Shared IPv4 *(not recommended)*
+```bash
+Type    Name              Content                Proxy status  TTL
+AAAA             DNS only      Auto
+A               Proxied       Auto
+```
+:::tip Why Not?
+Creates inconsistent security posture by mixing direct and proxied connections. Consider using IPv6 only or dedicated IPv4 configurations instead.
+:::
+### DNS-Only Configuration (Without Cloudflare Proxy)
+If you prefer direct connections without Cloudflare's proxy features:
+#### Shared IPv4
+```bash
+Type    Name              Content                Proxy status   TTL
+A               DNS only       Auto
+AAAA             DNS only       Auto
+```
+Uses Zerops' free shared IPv4.
+:::note Both A + AAAA Required
+Adding AAAA record is essential for shared IPv4 configuration as it serves as a [security measure](/references/networking/dns#understand-shared-ipv4) to prevent unauthorized domain claims.
+:::
+#### Dedicated IPv4
+```bash
+Type    Name              Content                Proxy status   TTL
+A              DNS only       Auto
+# Optional
+AAAA             DNS only       Auto
+```
+Uses your dedicated IPv4 address.
+:::tip
+Adding the AAAA record allows visitors with IPv6 support to connect directly via IPv6.
+:::
+#### IPv6 only
+```bash
+Type    Name              Content                Proxy status   TTL
+AAAA             DNS only       Auto
+```
+Uses only Zerops' free dedicated IPv6.
+:::note
+This configuration will only work for users with IPv6 connectivity.
+:::
+## Wildcard Domain Configuration
+Zerops supports wildcard domains (`*.`) that allow routing all subdomains to your project.
+### DNS Records for Wildcards
+Configure wildcard domains using either method:
+#### Method A: Direct Wildcard Records
+```bash
+Type   Name              Content               Proxy status       TTL
+A      *.      DNS only/Proxied   Auto
+AAAA   *.      DNS only/Proxied   Auto
+```
+#### Method B: CNAME to Main Domain
+First ensure your main domain has proper A/AAAA records, then add:
+```bash
+Type    Name              Content         Proxy status       TTL
+CNAME   *.      DNS only/Proxied   Auto
+```
+### Certificate Validation for Wildcards
+To enable automatic SSL certificate issuance for wildcard domains:
+```bash
+Type    Name                            Content                     Proxy status   TTL
+CNAME   _acme-challenge.   .zerops.zone   DNS only       Auto
+```
+This CNAME record allows Zerops to handle the DNS-01 challenge required for wildcard SSL certificates.
+### Higher-Level Wildcard Subdomains
+You can also set up higher-level wildcard subdomains like `*..`:
+#### Method A: Direct Configuration
+```bash
+Type   Name                          Content               Proxy status       TTL
+A      *..      DNS only/Proxied   Auto
+AAAA   *..      DNS only/Proxied   Auto
+```
+#### Method B: Using a CNAME Record
+```bash
+Type    Name                          Content                     Proxy status       TTL
+CNAME   *..   .   DNS only/Proxied   Auto
+```
+or
+```bash
+Type    Name                          Content         Proxy status       TTL
+CNAME   *..      DNS only/Proxied   Auto
+```
+For certificate validation with higher-level wildcards:
+```bash
+Type    Name                                        Content                                 Proxy status   TTL
+CNAME   _acme-challenge..   ..zerops.zone   DNS only       Auto
+```
+### Combining Main Domain and Wildcard Domain
+To use both `` and `*.`, specify both variants in your [Zerops configuration](/references/networking/public-access#http-routing-setup). Zerops automatically issues a single shared certificate for both the main domain and all its subdomains.
+## Cloudflare SSL/TLS Configuration
+### Essential SSL/TLS Settings
+1. **Set Encryption Mode**
+   - Navigate to **SSL/TLS** → **Overview** in your Cloudflare dashboard
+   - Select **Full (strict)** for production or **Full** for testing
+   - **Never use Flexible mode** - this will cause redirect loops
+2. **Edge Certificates**
+   - Go to **SSL/TLS** → **Edge Certificates**
+   - Ensure **Always Use HTTPS** is enabled for production
+   - Keep **Automatic HTTPS Rewrites** enabled
+### Certificate Validation Configuration
+For proper certificate issuance, especially with Let's Encrypt:
+#### Option A: Simple Setup (Testing/Development)
+- Temporarily disable **Always Use HTTPS** during initial certificate setup
+- Re-enable after certificates are issued
+#### Option B: Production Setup
+Keep **Always Use HTTPS** enabled and create a Configuration Rule:
+1. Go to **Rules** → **Configuration Rules**
+2. Create a new rule with these settings:
+   - **Rule name:** "Allow ACME Challenge"
+   - **Field:** URI Path
+   - **Operator:** starts with
+   - **Value:** `/.well-known/acme-challenge/`
+   - **Action:** Disable **Automatic HTTPS Rewrites**
+This rule allows certificate validation to work while maintaining HTTPS enforcement for all other traffic.
+## Validation and Testing
+### DNS Resolution Testing
+```bash
+# Check IPv4 resolution
+dig A 
+# Check IPv6 resolution
+dig AAAA 
+# Check from specific DNS server
+dig @1.1.1.1 
+```
+### Connectivity Testing
+```bash
+# Basic HTTPS test
+curl -vI https://
+# Test with specific subdomain (for wildcards)
+curl -vI https://api.
+# Test IPv4 specifically
+curl -4 -v https://
+# Test IPv6 specifically
+curl -6 -v https://
+```
+### Cloudflare-Specific Checks
+1. **Verify proxy status** in Cloudflare DNS dashboard (orange cloud = proxied)
+2. **Check SSL/TLS mode** in SSL/TLS → Overview
+3. **Confirm certificate issuance** in SSL/TLS → Edge Certificates
+4. **Test redirect behavior** by accessing `http://` version of your domain
+## Troubleshooting Common Issues
+### SSL Certificate Problems
+**Symptom:** "Too many redirects" or SSL errors
+**Solutions:**
+- Verify SSL/TLS mode is set to **Full** or **Full (strict)**, not **Flexible**
+- Check that both Zerops and Cloudflare have valid certificates
+- Ensure **Always Use HTTPS** is properly configured
+- For new domains, refresh the Cloudflare SSL/TLS page as settings may display incorrectly initially
+**Symptom:** Certificate validation fails for wildcard domains
+**Solutions:**
+- Verify the `_acme-challenge` CNAME record is correctly configured
+- Ensure DNS propagation is complete (check with `dig` command)
+- Check that the CNAME points to `.zerops.zone`
+### DNS Resolution Issues
+**Symptom:** Domain not resolving
+**Solutions:**
+- Confirm DNS records are correctly configured in Cloudflare
+- Verify proxy status matches your intended setup
+- Check for typos in IP addresses
+- Wait for DNS propagation (typically 5-10 minutes)
+**Symptom:** IPv4 traffic not working with IPv6-only setup
+**Solutions:**
+- Ensure Cloudflare proxy is enabled (orange cloud)
+- Verify IPv6 address is correct in AAAA record
+- Confirm no conflicting A record with shared IPv4 exists
+## Security Considerations
+- Always use **Full (strict)** SSL mode for production
+- Enable **HSTS (HTTP Strict Transport Security)** in Cloudflare
+- Consider enabling **Bot Fight Mode** for additional protection
+- Use Cloudflare's **Firewall Rules** to block malicious traffic
+- Regularly monitor SSL certificate expiration dates
+## Getting Help
+If you encounter issues not covered in this guide:
+- Check the [general DNS configuration guide](/references/networking/dns#technical-background) for additional context
+- Review your Zerops service logs for error messages
+- Verify your configuration against Cloudflare's documentation
+- Test with simple curl commands to isolate the problem
+- Contact Zerops support via [email](mailto:support@zerops.io) or reach out on [Discord](https://discord.gg/zeropsio)
+
+----------------------------------------
+
+# References > Networking > Dns
+
+This guide will show you how to configure DNS records and proxy settings to work with your Zerops applications.
+:::important Cloudflare
+If you're using Cloudflare, check out our dedicated [Cloudflare DNS Configuration Guide](/references/networking/cloudflare) for step-by-step instructions specific to Cloudflare's interface and features.
 :::
-## Project Configuration
-The project configuration is used to define the project you want to import.
-### Usage
-    
-          Field
-          Type
-          Description
-        
-          project
-          object
-          _REQUIRED, if a whole project is imported_ 
-Only one project can be defined.
-        
-          name
-          string, REQUIRED
-          The name of the new project. Duplicates are allowed.
-        
-          description
-          string
-          Description of the new project.
-        
-          corePackage
-          string
-          [Core package](/features/infrastructure#project-core-options) of the new project. 
-Values: LIGHT/SERIOUS (default LIGHT)
-        
-          tags
-          list of strings
-          One or more string tags.
-Tags provide better orientation in projects.
-        
-          envVariables
-          map[string]string
-          [Project-level environment variables](/features/env-variables#project-variables) that are available to all services in the project.
-        
-:::important
-The `corePackage` value can be upgraded later from Lightweight to Serious Core, but cannot be downgraded. Upgrades involve a brief service disruption and are partially destructive (logs/statistics are lost). Make sure to choose a suitable core package for your project. Learn more about [core upgrade process](/features/infrastructure#project-core-upgrade).
+## DNS Configuration
+DNS records for Zerops services can be configured in two main ways:
+* **With Proxy**: Routes traffic through proxy services, providing additional security and performance features (recommended for DDoS protection)
+* **Without Proxy (DNS Only)**: Direct connection to your Zerops service's IP address
+DNS allows you to set two records based on IP address type:
+* **A** record for **IPv4** - Zerops offers either a free **shared** IPv4 or a paid **dedicated** IPv4
+* **AAAA** record for **IPv6** - Zerops provides a free **dedicated** IPv6
+### With Proxy
+#### IPv6 only
+```bash
+Type    Name              Content                Proxy status   TTL
+AAAA             Proxied        Auto
+```
+:::note
+Make sure your proxy service supports IPv4 to IPv6 translation for this configuration to work for **both IPv4 and IPv6** users.
+Do not add a proxied A record with shared IPv4 - doing so would prevent the proxy from properly routing IPv4 traffic to your service.
 :::
-This example will create a project named `project0` with [serious core](/features/infrastructure#serious-core) package and the description `This project is an example only`. The project will have two tags: `test` and `dev`, and two environment variables: `LOG_LEVEL` and `API_VERSION`:
-```yaml
-# ==== Define a project to import ====
-project:
-  # REQUIRED. Name of your project
-  name: project0
-  # Project description
-  description: "This project is an example only"
-  # Project core package
-  corePackage: LIGHT
-  # List of project tags for filtering
-  tags:
-    - test
-    - dev
-  # Project-level environment variables
-  envVariables:
-    LOG_LEVEL: info
-    API_VERSION: v1
+#### Dedicated IPv4
+```bash
+Type    Name              Content                Proxy status   TTL
+A              Proxied        Auto
+# Optional
+AAAA             Proxied        Auto
 ```
-## Service Configuration
-The service configuration defines one or more services to import into your project. Services are specified as an array under the `services` key, allowing you to configure multiple services in a single YAML file. You need at least one service and either an existing project to import into or a project defined in the YAML file.
-The Service Configuration section is divided into multiple subsections for better organization:
-- [**Service Basic Configuration**](#service-basic-configuration) - Core parameters like hostname, type, mode, and environment variables
-- [**Service Vertical Autoscaling**](#service-vertical-autoscaling) - CPU, RAM, and disk scaling settings
-- [**Service Horizontal Autoscaling**](#service-horizontal-autoscaling) - Container count scaling settings
-- [**Service Mount Shared Storage**](#service-mount-shared-storage) - Connecting to shared storage services
-- [**Service Nginx Configuration**](#service-nginx-configuration) - Custom web server settings
-- [**Service zerops.yaml Configuration**](#service-zeropsyaml-configuration) - Build and run configurations
-```yaml
-#yamlPreprocessor=on
-services:
-  - hostname: app           # REQUIRED: Unique service identifier
-    type: nodejs@22                 # REQUIRED: Service type and version
-    mode: HA                        # HA or NON_HA mode (default: NON_HA)
-    # Environment variables
-    envSecrets:                     # Secret environment variables (blurred in GUI)
-      SECRET_KEY: )>  # Generated random string
-    dotEnvSecrets: |                # Environment vars in .env format
-      APP_KEY=)>
-    # Storage configuration
-    objectStorageSize: 2            # Object storage size in GB
-    objectStoragePolicy: public-read-write  # Predefined S3 bucket policy
-    # Note: Typically you would use either objectStoragePolicy OR objectStorageRawPolicy, not both
-    objectStorageRawPolicy: |       # Custom S3 bucket policy
-      {
-        "Version": "2012-10-17",
-        "Statement": [
-          {
-            "Effect": "Allow",
-            "Principal": "*",
-            "Action": ["s3:GetObject"],
-            "Resource": ["arn:aws:s3:::{{ .BucketName }}/*"]
-          }
-        ]
-      }
-    # Build and deployment
-    buildFromGit: https://github.com/myorg/myapp  # Git repo for one-time build
-    enableSubdomainAccess: true     # Enable public access via Zerops subdomain
-    priority: 1                     # Higher priority services are created sooner
-    override: true                  # When true, triggers redeploy of existing service
-    # Vertical autoscaling
-    verticalAutoscaling:
-      minCpu: 1                     # Minimum number of virtual CPUs
-      maxCpu: 3                     # Maximum number of virtual CPUs
-      cpuMode: DEDICATED            # SHARED or DEDICATED CPU mode
-      minRam: 1                     # Minimum RAM in GB
-      maxRam: 4                     # Maximum RAM in GB
-      minDisk: 1                    # Minimum disk space in GB
-      maxDisk: 10                   # Maximum disk space in GB
-      startCpuCoreCount: 2          # Initial CPU core count
-      minFreeCpuCores: 0.5          # Min free CPU cores before scaling
-      minFreeCpuPercent: 20         # Min free CPU percentage before scaling
-      minFreeRamGB: 0.5             # Min free RAM in GB before scaling
-      minFreeRamPercent: 20         # Min free RAM percentage before scaling
-    # Horizontal autoscaling
-    minContainers: 2                # Minimum number of containers (default: 1, max: 10)
-    maxContainers: 6                # Maximum number of containers (max: 10)
-    # Shared storage
-    mount:                          # List of shared storage services to mount
-      - teststorage1
-    # Nginx configuration
-    nginxConfig: |-                 # Custom nginx configuration
-      server {
-          listen 80 default_server;
-          listen [::]:80 default_server;
-          server_name _;
-          root /var/www/public;
-          location / {
-              try_files $uri $uri/ /index.html;
-          }
-          access_log syslog:server=unix:/dev/log,facility=local1 default_short;
-          error_log syslog:server=unix:/dev/log,facility=local1;
-      }
-    # Zerops.yaml configuration
-    zeropsSetup: backendapi          # Service setup name from zeropsYaml or repo
-    zeropsYaml:                     # Full zerops.yaml configuration
-      zerops:
-        - setup: backendapi
-          build:
-            base: nodejs@22
-            buildCommands:
-              - npm ci
-              - npm run build
-            deployFiles: ./
-            cache: node_modules
-          run:
-            initCommands:
-              - npm run db:migrate
-            start: npm start
-  # A second, simpler service example
-  - hostname: teststorage1
-    type: shared-storage
+:::tip
+Adding also AAAA record can be beneficial as visitors with IPv6 support will connect directly via IPv6.
+:::
+#### Shared IPv4 *(valid but NOT recommended)*
+```bash
+Type    Name              Content                Proxy status  TTL
+AAAA             DNS only      Auto
+A               Proxied       Auto
 ```
-This example includes all possible configuration options for Zerops services. Not all options are required or applicable to every service type. The example shows two services in the same YAML file: a fully configured Node.js API service and a simpler static frontend service.
-### Service Basic Configuration
-  
-      Field
-      Type
-      Description
-    
-      services
-      list of objects, REQUIRED
-      At least one service is required.
-    
-      hostname
-      string, REQUIRED
-      
-        The unique service identifier.
-        Limitations:
-        - duplicates in the same project forbidden
-        - maximum 25 characters, lowercase ASCII letters (a-z) or numbers (0-9) only
-      
-      type
-      enum, REQUIRED
-      Specifies the service type and version. See [supported types](/references/import-yaml/type-list).
-    
-      mode
-      enum
-      Values: HA / NON_HA (default NON_HA)
-Defines the operation mode of the service.
-    
-      envSecrets
-      map[string]string
-      Environment variables that are blurred by default in Zerops GUI. Can be edited or deleted in Zerops GUI.
-    
-      dotEnvSecrets
-      string (multiline)
-      Environment variables in .env file format that are automatically created as secret envs.
-    
-      objectStorageSize
-      integer
-      Object storage size in GB.
-    
-      objectStoragePolicy
-      enum
-      
-        Values: **private / public-read / public-objects-read / public-write / public-read-write / custom**
-        Select a predefined AWS S3 bucket access policy.
-      
-      objectStorageRawPolicy
-      json
-      
-        Define your own AWS S3 bucket access policy. See [AWS docs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html) for details.
-        Use `{{ .BucketName }}` placeholder if you need to use bucket name in your custom policy rules.
-      
-      buildFromGit
-      string (URL)
-      
-        A URL of a Github or Gitlab repository used for a one-time build of your service.
-      
-      enableSubdomainAccess
-      boolean
-      
-        Default: `false`
-        Set `true`, if you want to enable a public access to your service via a Zerops subdomain. Not suitable for production.
-      
-      priority
-      integer
-      
-        Services are sorted before creation by priority in descending order, i.e. the higher the priority the sooner the service is created.
-      
-      override
-      boolean
-      
-        Default: `false`
-        This only works for **runtime** services.
-        The parameter allows you to replace an existing runtime service with the same hostname byt triggering a redeploy if the service already exists.
-      
-```yaml
-#yamlPreprocessor=on
-services:
-# REQUIRED: Name of your service
-- hostname: app
-  # REQUIRED: Choose from list of supported technologies and their versions
-  type: nodejs@22
-  # High-Availability or Non-High-Availability mode
-  mode: HA
-  # Map of secret environment variables
-  envSecrets:
-    SECRET_KEY: )>
-  # Environment variables in .env format
-  dotEnvSecrets: |
-    APP_KEY=)>
-  # Object storage size in GB
-  objectStorageSize: 2
-  # Choose object storage policy from a predefined list
-  objectStoragePolicy: public-read-write
-  # Define additional policy
-  objectStorageRawPolicy:
-  # One time build git repository
-  buildFromGit: https://github.com/myorg/myapp
-  # Enables public access via zerops.app subdomain
-  enableSubdomainAccess: true
-  # The higher the sooner the service is created
-  priority: 1
-  # When set to true, triggers a redeploy of an existing runtime service with the same hostname
-  override: false
+:::tip Why not?
+It does not make sense to expose your IPv6 address while proxying the shared IPv4. Use [IPv6 only](#ipv6-only) setup instead.
+:::
+### Without Proxy
+#### Shared IPv4
+```bash
+Type    Name              Content                Proxy status   TTL
+AAAA             DNS only       Auto
+A               DNS only       Auto
 ```
-This yaml will create a `nodejs@latest` service named `app` in `HA` (High-Availability) mode with the following configurations:
-- Environment variables:
-  - From `envSecrets`: `SECRET_KEY` (requires yamlPreprocessor)
-  - From `dotEnvSecrets`: `APP_KEY` in .env format (requires yamlPreprocessor)
-- Object storage: 2GB with `public-read-write` policy
-- Git repository: `https://github.com/zeropsio/recipe-nodejs`
-- Public access enabled via Zerops subdomain
-- Priority: 1
-- Override existing service: `false`
-The `services` object allows you to define one or more services in the same yaml file.
-:::caution
-The `yamlPreprocessor` option in your project & service import YAML is required to generate random secret values, passwords, and public/private key pairs. For more information, see the [yamlPreprocessor](/references/import-yaml/pre-processor) page.
+:::note Both A + AAAA Required
+Adding AAAA record is essential for shared IPv4 configuration as it serves as a [security measure](#understand-shared-ipv4) to prevent unauthorized domain claims.
 :::
-### Service Vertical Autoscaling
-The vertical autoscaling configuration defines how the service can scale its resources vertically.
-  
-      Field
-      Type
-      Description
-    
-      minCpu
-      integer
-      Minimum number of virtual CPUs
-    
-      maxCpu
-      integer
-      Maximum number of virtual CPUs
-    
-      cpuMode
-      enum
-      Values: **SHARED / DEDICATED**
-    
-      minRam
-      float
-      
-        Minimum RAM in GB that each container of the service can scale down to.
-      
-      maxRam
-      float
-      
-        Maximum RAM in GB that each container of the service can scale up to.
-      
-      minDisk
-      float
-      
-        Minimum disk space in GB that each container of the service can scale down to.
-      
-      maxDisk
-      float
-      
-        Maximum disk space in GB that each container of the service can scale up to.
-      
-      startCpuCoreCount
-      integer
-      
-        Number of CPU cores with which each container starts.
-      
-      minFreeCpuCores
-      float
-      
-        Minimum number of unused CPU cores before a container starts scaling.
-      
-      minFreeCpuPercent
-      float
-      
-        Minimum percentage of unused CPU cores before a container starts scaling.
-      
-      minFreeRamGB
-      float
-      
-        Minimum unused memory in GB before a container starts scaling.
-      
-      minFreeRamPercent
-      float
-      
-        Minimum percentage of unused memory before a container starts scaling.
-      
-```yaml
-services:
-  - hostname: app
-    type: nodejs@22
-    buildFromGit: https://github.com/myorg/myapp
-    enableSubdomainAccess: true
-    verticalAutoscaling:
-      minCpu: 1                     # Minimum number of virtual CPUs
-      maxCpu: 3                     # Maximum number of virtual CPUs
-      cpuMode: DEDICATED            # SHARED or DEDICATED CPU mode
-      minRam: 1                     # Minimum RAM in GB
-      maxRam: 4                     # Maximum RAM in GB
-      minDisk: 1                    # Minimum disk space in GB
-      maxDisk: 10                   # Maximum disk space in GB
-      startCpuCoreCount: 2          # Initial CPU core count
-      minFreeCpuCores: 0.5          # Min free CPU cores before scaling
-      minFreeCpuPercent: 20         # Min free CPU percentage before scaling
-      minFreeRamGB: 0.5             # Min free RAM in GB before scaling
-      minFreeRamPercent: 20         # Min free RAM percentage before scaling
+#### Dedicated IPv4
+```bash
+Type    Name              Content                Proxy status   TTL
+A              DNS only       Auto
+# Optional
+AAAA             DNS only       Auto
+```
+:::tip
+Adding also AAAA record can be beneficial as visitors with IPv6 support will connect directly via IPv6.
+:::
+#### IPv6 only
+```bash
+Type    Name              Content                Proxy status   TTL
+AAAA             DNS only       Auto
+```
+:::note
+This configuration will only work for users with IPv6 connectivity, which may limit your service accessibility.
+:::
+## Wildcard Domain Configuration
+Zerops supports wildcard domains (`*.`) that allow routing all subdomains to your project.
+### DNS Configuration
+#### Method A: Direct configuration of A and AAAA records
+Configure wildcard DNS records following the same patterns described in the [DNS Configuration](#dns-configuration) section, using `*.` in the Name field:
+```bash
+Type   Name              Content               Proxy status       TTL
+A      *.      DNS only/Proxied   Auto
+AAAA   *.      DNS only/Proxied   Auto
+```
+#### Method B: Using a CNAME record
+First configure A and AAAA records for your main domain (``), then set up a CNAME record:
+```bash
+Type    Name              Content         Proxy status       TTL
+CNAME   *.      DNS only/Proxied   Auto
+```
+### Certificate Validation
+For proper HTTPS certificate functionality with wildcard domains, configure:
+```bash
+Type    Name                            Content                     Proxy status   TTL
+CNAME   _acme-challenge.   .zerops.zone   DNS only       Auto
 ```
-This yaml will create a service with the hostname `app` with `php-nginx@8.4` runtime with `HA` High-Availability mode for vertical autoscaling:
-- CPU: `1-3` virtual CPUs in `DEDICATED` mode
-- RAM: `1-4 GB`
-- Disk Space: `1-10 GB`
-### Service Horizontal Autoscaling
-The horizontal autoscaling configuration is used to define the horizontal autoscaling settings for the service.
-  
-      Field
-      Type
-      Description
-    
-  minContainers
-  integer
-  Minimum number of containers of the service.
-Default: 1, maximum value: 10
-  maxContainers
-  integer
-  Maximum number of containers of the service.
-Maximum value: 10
-```yaml
-services:
-  - hostname: app
-    type: nodejs@22
-    buildFromGit: https://github.com/zeropsio/recipe-php
-    enableSubdomainAccess: true
-    # Minimum number of containers
-    minContainers: 2
-    # Maximum number of containers
-    maxContainers: 6
+This record enables Zerops to issue and verify a wildcard certificate for your domain.
+### Higher-Level Wildcard Subdomains
+You can also set up higher-level wildcard subdomains like `*..`:
+#### Method A: Direct configuration
+```bash
+Type   Name                          Content               Proxy status       TTL
+A      *..      DNS only/Proxied   Auto
+AAAA   *..      DNS only/Proxied   Auto
 ```
-The `minContainers` and `maxContainers` parameters allow you to define the minimum and maximum number of containers for the service. The service will automatically scale between these values as needed.
-### Service Mount Shared Storage
-The mount shared storage configuration defines which shared storage services should be mounted to the service.
-  
-      Field
-      Type
-      Description
-    
-    mount
-    list of strings
-    Mount shared storage to the service. `buildFromGit` must be filled.
-    
-```yaml
-services:
-  - hostname: app
-    type: nodejs@22
-    buildFromGit: https://github.com/myorg/myapp
-    enableSubdomainAccess: true
-    mount:
-      - teststorage1
+#### Method B: Using a CNAME record
+```bash
+Type    Name                          Content                     Proxy status       TTL
+CNAME   *..   .   DNS only/Proxied   Auto
 ```
-The `mount:` parameter allows you to mount a shared storage (which should be created inside the project) to the service.
-### Service Nginx Configuration
-The nginx configuration defines the nginx settings for the service.
-  
-      Field
-      Type
-      Description
-    
-      nginxConfig
-      string (multiline)
-      Insert full nginx config.
-    
-```yaml
-#yamlPreprocessor=on
-services:
-  - hostname: app
-    type: php-nginx@8.4
-    enableSubdomainAccess: true
-    nginxConfig: |-
-      server {
-          listen 80 default_server;
-          listen [::]:80 default_server;
-          server_name _;
-          root /var/www;
-          location / {
-              try_files $uri $uri/ /index.html;
-          }
-          access_log syslog:server=unix:/dev/log,facility=local1 default_short;
-          error_log syslog:server=unix:/dev/log,facility=local1;
-      }
+or
+```bash
+Type    Name                          Content         Proxy status       TTL
+CNAME   *..      DNS only/Proxied   Auto
 ```
-The `nginxConfig: |-` parameter allows you to specify a custom nginx configuration for the service.
-### Service zerops.yaml Configuration
-The `zeropsSetup` and `zeropsYaml` parameters provide flexibility in how you define and use your service configurations. Both parameters are optional and work together in the following ways:
-  
-      Field
-      Type
-      Description
-    
-      zeropsSetup
-      string
-      Specifies which service setup to use. This should match a setup name found in either the `zeropsYaml` parameter (if provided) or the `zerops.yaml` file in the repository root. If not specified, defaults to the service hostname.
-    
-      zeropsYaml
-      object
-      Contains the full [zerops.yaml configuration](/zerops-yaml/specification). If provided, this will be used instead of looking for a `zerops.yaml` file in the repository.
-    
-```yaml
-services:
-  - hostname: app
-    type: nodejs@22
-    buildFromGit: https://github.com/myorg/myapp
-    # Specify which setup to use from zerops.yaml
-    zeropsSetup: backendapi
-    # Full zerops.yaml configuration
-    zeropsYaml:
-      zerops:
-        - setup: backendapi
-          build:
-            base: nodejs@18
-            buildCommands:
-              - npm ci
-              - npm run build
-            deployFiles: ./dist
-            cache: node_modules
-          run:
-            initCommands:
-              - npm run db:migrate
-            start: npm start
+For certificate validation:
+```bash
+Type    Name                                        Content                                 Proxy status   TTL
+CNAME   _acme-challenge..   ..zerops.zone   DNS only       Auto
 ```
-#### How They Work Together
-- **Neither parameter specified**:
-  - The system looks for a `zerops.yaml` file in the repository root
-  - It searches for a setup with a name that matches the service hostname
-- **Only `zeropsSetup` specified**:
-  - The system looks for a setup with the specified name in the `zerops.yaml` file in the repository root
-- **Only `zeropsYaml` specified**:
-  - The system uses the provided YAML configuration instead of looking for a file in the repository
-  - It searches for a setup with a name that matches the service hostname
-- **Both parameters specified**:
-  - The system uses the provided `zeropsYaml` configuration
-  - It specifically looks for the setup named in `zeropsSetup` within that YAML
-If the specified `zeropsSetup` does not exist in the available YAML configuration (either provided in `zeropsYaml` or found in the repository), the import will fail.
-## Export
-Zerops provides the ability to export your existing projects and services as YAML configurations through the GUI. This feature is particularly useful for:
-- Creating backups of your project configurations
-- Replicating project or service setups across different environments
-- Sharing project templates with team members
-- Creating version-controlled infrastructure configurations
-The exported YAML follows the same structure as the import YAML configuration detailed above. It will contain all the configuration parameters you've set for your project and services.
-### How to Export
-#### Exporting a Single Service
-Navigate to your service dashboard in the Zerops GUI, click the three-dot menu (⋮) in the top-right corner of the service card, and choose **Export service as yaml**.
-#### Exporting an Entire Project
-In the Zerops GUI, go to the project dashboard, click the three-dot menu (⋮) in the top-right corner of the project card, and select **Export project as yaml**.
-### Using Exported Configurations
-The exported YAML files are compatible with:
-- The Zerops GUI import functionality
-- The `zcli project project-import` command
-- The `zcli project service-import` command (for single service exports)
-This allows you to easily move configurations between environments or create new instances of your infrastructure.
+### Combining Main Domain and Wildcard Domain
+To use both `` and `*.`, specify both variants in your [Zerops configuration](/references/networking/public-access#http-routing-setup). Zerops automatically issues a single shared certificate for both the main domain and all its subdomains.
+## Validation Steps
+Test your configuration:
+```bash
+# Check DNS resolution
+dig AAAA 
+# Verify connectivity
+curl -vI https://
+# Test IPv4 access
+curl -4 -v https://
+# Test IPv6 access
+curl -6 -v https://
+```
+## Troubleshooting Guide
+1. **DNS Resolution Issues**
+   - Confirm correct record configuration
+   - Verify proxy status settings
+   - Check IPv6 address accuracy
+   - Allow time for DNS propagation (typically 5-10 minutes)
+2. **Connection Problems**
+   - Test both IPv4 and IPv6 connectivity
+   - Check proxy server status if applicable
+   - Confirm port configurations
+3. **Certificate Issues**
+   - Verify proper _acme-challenge CNAME configuration for wildcard domains
+   - Check that DNS records match the domains configured in Zerops
+   - **Provider-specific certificate problems**: Consult your DNS provider's documentation for SSL/TLS configuration requirements
+## Technical Background
+### Understanding Shared IPv4 Addresses {#understand-shared-ipv4}
+Shared IPv4 allows multiple Zerops projects to use the same IPv4 address while maintaining separate routing for each project. Here's how it works:
+1. When a visitor makes a request, it first arrives at the shared IPv4 address
+2. The system looks at the domain name in the request (using SNI - Server Name Indication)
+3. For security, it checks if this domain properly resolves to your project's IPv6 address
+4. Only if IPv6 address matches your project will the traffic be routed correctly
+This is why configuring both A (IPv4) and AAAA (IPv6) records is crucial when using shared IPv4 addresses - the IPv6 record acts as a security key that helps prevent unauthorized use of the shared IPv4 address.
+### Certificate Verification Methods
+When issuing SSL/TLS certificates, different verification methods are used depending on the certificate type:
+#### HTTP-01 vs DNS-01 Verification
+- **Regular certificates** (for a single domain like ``) are typically issued using the **HTTP-01** challenge method. This verification checks that you control the domain by placing a specific file at a specific URL.
+- **Wildcard certificates** (for domains like `*.`) must be issued using the **DNS-01** challenge method. This method requires creating specific TXT records in your DNS configuration.
+### How Zerops Handles Wildcard Certificate Verification
+Zerops simplifies the DNS-01 challenge process:
+1. You create a CNAME record (e.g., `_acme-challenge. CNAME .zerops.zone`)
+2. When a certificate needs to be issued or renewed, Zerops automatically creates the required TXT records on its `zerops.zone` domain
+3. The certificate authority verifies these TXT records through the CNAME redirection
+4. Once verified, the wildcard certificate is issued without requiring manual intervention
+
+----------------------------------------
+
+# References > Networking > Firewall
+
+Zerops includes a comprehensive firewall system implemented using [nftables](https://en.wikipedia.org/wiki/Nftables) to ensure platform security.
+The primary focus is on managing outbound communication to prevent potential platform misuse while maintaining the flexibility needed for legitimate applications.
+## What is a Firewall?
+A Firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
+At Zerops, we implemented a robust firewall system to protect our platform and your applications.
+## Port Access Rules
+### UDP Ports
+*No restrictions*
+### TCP Ports
+#### **TCP ports 1-1024**
+The following specific ports are allowed:
+- **22** - SSH
+- **53** - DNS
+- **80** - HTTP
+- **123** - NTP
+- **443** - HTTPS
+- **587** - SMTP (with STARTTLS)
+*All other TCP ports in the range 1-1024 are **blocked** for security reasons, see below.*
+#### **TCP ports 1025-65535**
+*No restrictions*
+## Security Measures
+These firewall rules are strategically implemented to:
+- Prevent unauthorized use of the Zerops infrastructure for spam or network attacks
+- Protect Zerops and its users from potential security threats
+- Maintain compliance with security best practices
+## Common Use Cases
+### Standard Web Applications (HTTP/HTTPS)
+- Full access to HTTP/HTTPS communication (ports 80/443)
+- Unrestricted DNS queries (port 53)
+- Time synchronization via NTP (port 123)
+### Email Services
+- SMTP access through port 587 (with STARTTLS)
+- For detailed SMTP configuration, see our [SMTP documentation](/references/smtp)
+## Requesting Firewall Modifications
+If your application requires access to additional ports:
+1. Contact Zerops support at [support@zerops.io](mailto:support@zerops.io).
+2. Include in your request:
+   - Specific ports and protocols needed.
+   - Detailed explanation of your use case.
+   - Mention your Project ID and Organization ID from your Zerops Dashboard.
 
 ----------------------------------------
 
-# References > Logging
-
-## Overview
-Zerops automatically collects logs from all services in your project through a built-in logger service. These logs include runtime operations, database activities, build processes, and more.
-## Project-Wide Logs
-To view all project logs, navigate to your project detail and select the **Log Forwarding & Logs Overview** page. In the **Project logs overview** section, you'll find a consolidated view of all logging activity from all services with multiple filtering options.
-Additionally, from the same page, you can set up [log forwarding](#log-forwarding) to external logging services for more advanced analysis and long-term storage.
-## Service-Specific Logs
-Zerops provides different log types depending on the service:
-### Build Logs
-Shows the output from your build process:
-- **GUI**: Service detail → **Pipelines & CI/CD settings** section → Pipeline detail → Build log
-- **CLI**: zcli service log --showBuildLogs
+# References > Networking > Internal Access
+
+This guide covers internal communication between services and methods for accessing your project's private network. For an overview of all access methods, see the [Access & Networking guide](/features/access).
+## Internal Access Methods
+Choose the access method that fits your needs:
+- **[Service-to-Service Communication](#service-to-service-communication)** - Direct communication between services in the same project
+- **[Environment Variables](#environment-variables)** - Share configuration and credentials between services
+- **[External Access to Private Network](#external-access-to-private-network)** - Connect from outside the project using VPN or SSH
+## Service-to-Service Communication
+Every Zerops project includes a dedicated private network that automatically connects all services within the project.
+### Network Architecture
+**Automatic Service Discovery:**
+- All services communicate directly using service hostnames
+- No manual network configuration required
+- Traffic stays isolated within your project's private network
+### Basic Service Communication
+Connect to any service within the same project using the service hostname and internal port, e.g.:
+```bash
+# Connect to 'api' service on port 3000
+http://api:3000/health
+```
 :::note
-The build log button is available only when the [build pipeline](/features/pipeline#build-phase) was triggered for the selected deploy.
+Do not use `https://` when communicating between runtime services in the same project. The internal communication is done over a private network and is isolated from other projects.
 :::
-### Prepare Runtime Logs
-Documents the creation of a custom runtime image:
-- **GUI**: Service detail → **Pipelines & CI/CD settings** section → Pipeline detail → Prepare runtime log
-- **CLI**: *Not currently supported*
-:::note
-The prepare runtime log button is available only when the [prepare runtime phase](/features/pipeline#runtime-prepare-phase-optional) was triggered for the selected deploy.
+### Internal Ports Configuration
+Services expose internal ports for communication within the project:
+- **Define ports** in your service's `zerops.yaml` [configuration](/zerops-yaml/specification#ports-)
+- **HTTP ports** are accessible for web traffic between services
+- **TCP/UDP ports** support database connections and custom protocols
+- **Multiple ports** can be exposed per service for different purposes
+:::tip Connect from another project
+To connect to a service from **another Zerops project**, you'll need to use [public access methods](/references/networking/public-access) since different projects don't share private networks.
 :::
-### Runtime/Database Logs
-Contains the operational output from your service.
-- **GUI**:
-  - Runtime services: Service detail → **Runtime logs**
-  - Database services: Service detail → **Database logs**
-- **CLI**: zcli service log
-:::note
-Each container has its own log. For services with multiple containers, select the specific container in the header. You can filter logs by severity level or time period.
-To view logs from all containers of a service combined, you can either use the Project logs view or click the **Go to full service log** button in the service detail page.
+### Environment Variables
+Zerops creates default environment variables for each service to help you with connection within the same project. To avoid the need to copy the access parameters manually, use generated environment variables of the service.
+#### Generated Environment Variables
+Each service automatically receives environment variables containing connection details for other services in the project:
+```bash
+# Database connection variables
+DATABASE_HOST=postgres
+DATABASE_PORT=5432
+DATABASE_URL=postgresql://app_user:secure_password@postgres:5432/myapp
+```
+#### Prefix the environment variable key
+All services of the same project can reference environment variables from other services. To use an environment variable from one service in another service in the same project, you must prefix the environment variable key with the service hostname and underscore.
+**Example:**
+To access the `API_TOKEN` env variable of the `app` service, use `app_API_TOKEN` as the env variable key.
+:::tip Environment Variables Guide
+For complete information on environment variable types, isolation, and management, see the [Environment Variables Reference](/features/env-variables).
+:::
+## External Access to Private Network
+Access your project's private network from external locations for development and administration.
+### VPN Access
+You can securely connect to your application from your local workspace via Zerops VPN. Zerops VPN client is included into zCLI, the Zerops command-line tool.
+#### Start VPN connection
+To start a VPN connection to the selected Zerops project, follow these steps:
+1. [Install & setup zCLI](/references/cli)
+2. [Start the Zerops VPN](/references/networking/vpn#start-vpn)
+#### Access application through VPN
+Once the VPN session is established, you have the secured connection to the project's private network in Zerops. You can access all project services locally by using their hostname. The only difference is that no environment variables are available when connected through VPN. To connect to your application in Zerops set the hostname and internal port e.g. `http://app:3000`
+:::info
+Do not use `https://` when communicating over the VPN. The security is assured by the VPN. The internal communication is done over a private network and is isolated from other projects.
 :::
-:::important
-For severity levels to work properly in Zerops, your application must log to syslog.
+:::tip VPN Setup
+For complete VPN setup, configuration, and troubleshooting, see the [VPN Reference Guide](/references/networking/vpn).
 :::
-## Log Forwarding
-For more advanced log analysis and centralized logging, you can forward all your Zerops logs to external logging services. The Zerops logger service uses **syslog-ng** to enable this functionality.
-### Ready-Made Configurations
-Zerops provides pre-configured setups for popular logging services:
-- **[Better Stack](https://betterstack.com/)**
-- **[Papertrail](https://www.papertrail.com/)**
-To set up one of these integrations, go to your project detail, select **Log Forwarding & Logs Overview**, choose your preferred service, and follow the guided steps in the interface.
-### Custom Log Forwarding Configuration
-You can set up forwarding to any syslog-ng compatible software. To do this, navigate to your project detail, select **Log Forwarding & Logs Overview**, and choose the "Setup forwarding to any syslog-ng compatible software" option.
-When configuring your custom syslog-ng setup, note the following important details:
-#### Certificate Configuration
-- Certificates are located in `/etc/ssl/certs`
-- If your configuration references `/etc/syslog-ng/ca.d` or `/etc/syslog-ng/cert.d`, change these paths to `/etc/ssl/certs`
-- For custom certificates, you can use: `ca-file("/etc/syslog-ng/user.crt")`
-- You can combine custom certificates with standard certificates using: `ca-dir("/etc/ssl/certs")`
-  (This will verify both your custom certificate and standard certificates like those from LetsEncrypt)
-#### Source Configuration
-- Zerops uses `s_src` as the source configuration name
-- This differs from Papertrail, which might instruct you to "replace 's_sys' with the name you found" - in Zerops, always use `s_src` instead
-
-----------------------------------------
-
-# References > Smtp
-
-Simple Mail Transfer Protocol (SMTP) is the internet standard for email transmission. It operates as a set of rules that govern how email messages are formatted, encrypted, and relayed between servers.
-## SMTP in Zerops
-Zerops implements a security-first approach to email sending operations, allowing only port 587 for SMTP communication. This decision aligns with modern security practices and helps maintain the platform's integrity.
-### Port Configuration
+### SSH Access
+Use [SSH](/references/networking/ssh) to connect to your service for debugging and system administration.
+```bash
+# Connect to a specific service
+ssh 
+```
+**Important:** SSH access is temporary and changes are not persistent across deployments.
+:::tip SSH Configuration
+For complete SSH documentation, access control, and advanced usage, see the [SSH Reference Guide].
+:::
+:::note
+When you're finished working with internal access over VPN, [stop the Zerops VPN](/references/networking/vpn#stop-vpn) in zCLI.
+:::
+## Next Steps
+- **Public access configuration:** [Public Access Reference Guide](/references/networking/public-access)
+- **Environment variables:** [Environment Variables Reference](/features/env-variables)
+- **VPN setup:** [VPN Reference Guide](/references/networking/vpn)
+- **SSH access:** [SSH Reference Guide](/references/networking/ssh)
+
+----------------------------------------
+
+# References > Networking > L7 Balancer Config
+
+This guide provides comprehensive documentation for Zerops L7 HTTP balancer configuration and advanced routing features. For basic setup instructions, see the [Domain & Access Configuration](/features/access) guide.
+The L7 HTTP Balancer handles all HTTP/HTTPS traffic and provides advanced application-layer capabilities:
+**Functions:**
+- SSL/TLS termination with automatic certificate management
+- Domain routing and virtual host management
+- Load balancing across multiple service instances
+- Advanced routing features (redirects, access policies, rate limiting)
+- Performance optimization through caching and compression
+**Architecture:**
+- Deployed in two containers for high availability
+- Scales automatically based on traffic patterns
+- Integrated with Let's Encrypt for SSL certificates
+- Configurable through advanced balancer settings
+## L7 HTTP Balancer Configuration
+Access the advanced balancer configuration through your project's HTTP Balancer section → **Advanced balancer configuration**.
+### Connection Handling
+Configure how the balancer manages client connections:
   
-      Port
-      Status
-      Description
+      Setting
+      Default
+      Range
+      Parameter
     
-      587
-      ✅&nbsp;Allowed
-      Modern SMTP submission with STARTTLS
+      Maximum simultaneous connections per worker
+      4000
+      1024-65535
+      worker_connections
+    
+      Accept multiple connections at once
+      on
+      on/off
+      multi_accept
+    
+      How long to keep idle connections open
+      30s
+      1s-300s
+      keepalive_timeout
+    
+      Maximum number of requests per connection
+      100000
+      1-1000000
+      keepalive_requests
+    
+:::tip Recommendations
+- **High-traffic websites**: Increase `worker_connections` to 8000 or higher
+- **API services**: Adjust `keepalive_timeout` to 60 for longer connections
+- **WebSocket applications**: Increase `keepalive_timeout` for persistent connections
+:::
+### Client Request Settings
+Control how the balancer handles incoming requests:
+  
+      Setting
+      Default
+      Range
+      Parameter
     
-      25
-      ❌&nbsp;Blocked
-      Traditional SMTP (security risk)
+      Timeout for receiving client request header
+      10s
+      1s-300s
+      client_header_timeout
+    
+      Timeout for receiving client request body
+      10s
+      1s-300s
+      client_body_timeout
+    
+      Maximum allowed size of client request body
+      512m
+      1k-2048m
+      client_max_body_size
+    
+      Reset connections that have timed out
+      on
+      on/off
+      reset_timedout_connection
+    
+      Timeout for transmitting response to client
+      2s
+      1s-300s
+      send_timeout
+    
+:::tip Recommendations
+- **File upload services**: Increase `client_body_timeout` and `client_max_body_size` to accommodate large files
+- **Slow clients**: Increase header and body timeouts
+- **API endpoints**: Set `client_max_body_size` according to your API payload requirements
+:::
+### Buffer Settings
+Optimize memory usage for request and response handling:
+  
+      Setting
+      Default
+      Range
+      Parameter
     
-      465
-      ❌&nbsp;Blocked
-      Legacy SMTPS (deprecated)
+      Size of buffer for client request header
+      1k
+      1k-64k
+      client_header_buffer_size
+    
+      Number of buffers for large client headers
+      4
+      1-16
+      large_client_header_buffers_number
+    
+      Size of buffers for large client headers
+      8k
+      1k-64k
+      large_client_header_buffers_size
+    
+      Size of buffer for client request body
+      16k
+      1k-1m
+      client_body_buffer_size
+    
+:::tip Recommendations
+- **Large headers**: Increase header buffer sizes for applications with extensive headers
+- **File uploads**: Optimize `client_body_buffer_size` based on typical upload sizes
+- **Memory optimization**: Tune based on available memory and connection patterns
+:::
+### Proxy Settings
+Configure how the balancer communicates with backend services:
+  
+      Setting
+      Parameter
+      Default
+      Range
+      Description
     
-### Why Port 587
-Port 587 is the modern standard for sending emails through SMTP, designed specifically for authenticated client submissions. This port enforces several security measures:
-- Mandatory TLS encryption for data protection
-- Required authentication for all clients
-- Secure transmission through verified providers
-#### How It Works
-Port 587 implements STARTTLS to establish secure connections. The process follows these steps:
-1. Client connects to the SMTP server
-2. Server responds with available capabilities
-3. Client requests STARTTLS upgrade
-4. Connection switches to encrypted TLS
-5. Client provides authentication credentials
-6. Email transmission begins over secure channel
-This implementation balances modern security requirements with broad compatibility, making it the recommended choice for email transmission.
-### Port Restrictions and Platform Security
-Zerops enforces a strict policy of **blocking ports 25 and 465** for email operations.
-:::caution
-This is a permanent security measure with no exceptions, designed to protect both the platform and its users.
+      Enable buffering of client request body
+      proxy_request_buffering
+      off
+      on/off
+      Buffer client request bodies before forwarding
+    
+      Enable buffering of responses from proxied server
+      proxy_buffering
+      on
+      on/off
+      Buffer responses from backend services
+    
+      Size of the buffer used for reading the first part of the response
+      proxy_buffer_size
+      32k
+      1k-256k
+      Buffer size for first part of backend response
+    
+      Number of buffers used for reading a response from the proxied server
+      proxy_buffers_number
+      4
+      1-16
+      Number of buffers for reading backend responses
+    
+      Size of buffers for reading a response from the proxied server
+      proxy_buffers_size
+      256k
+      1k-1m
+      Size of buffers for reading backend responses
+    
+      Size of buffers that can be busy sending response to the client
+      proxy_busy_buffers_size
+      256k
+      1k-1m
+      Size of buffers for sending response to client
+    
+:::tip Recommendations
+- **Real-time APIs**: Set `proxy_buffering` to off for lower latency
+- **Large responses**: Increase `proxy_buffer_size` for handling larger API responses
+- **Multimedia streaming**: Increase `proxy_buffers_size` and `proxy_buffers_number` for larger content
 :::
-Port 25, in particular, is frequently exploited for spam distribution across cloud platforms. Instead of providing basic SMTP functionality, we encourage the use of specialized email services that offer:
-- Advanced deliverability management
-- Comprehensive monitoring and analytics
-- Built-in spam protection
-- Professional IP reputation management
-- Automated bounce handling
-This strict policy stems from a crucial understanding: poor IP reputation from email abuse can cascade across an entire infrastructure. The impact extends beyond email services to affect:
-- Legitimate web applications
-- Platform response times
-- Overall service reliability
-- Other customers' applications
-This is why Zerops maintains this strict policy - to ensure consistent, reliable service for all platform users.
-## Sending Emails from Zerops
-### Recommended Approaches
-You have two main options for sending emails from your Zerops applications:
-1. **Email Provider SMTP Client**
-   - You act as a client using their SMTP servers
-   - Subject to provider's sending limits and policies
-2. **Specialized Email Services**
-   - Purpose-built for application email delivery
-   - Your own dedicated sending infrastructure
-   - Higher limits with scalable pricing
-   - Advanced delivery monitoring and analytics
-### Configuration Examples
-These examples serve as a starting point. Check your email provider's official documentation for current configuration requirements.
-:::note
-Port 587 is mandatory for all SMTP configurations in Zerops. Other ports (25, 465) are blocked for security reasons.
+### Performance Optimization
+Enable various performance enhancements:
+  
+      Setting
+      Default
+      Range
+      Parameter
+    
+      Use sendfile() for file transfers
+      on
+      on/off
+      sendfile
+    
+      Enable TCP_NOPUSH socket option
+      on
+      on/off
+      tcp_nopush
+    
+      Enable TCP_NODELAY socket option
+      on
+      on/off
+      tcp_nodelay
+    
+      Enable gzip compression
+      on
+      on/off
+      gzip
+    
+      Rate limit for response transmission (0 = no limit)
+      0
+      0-1000m
+      limit_rate
+    
+:::tip Recommendations
+- **File serving**: Ensure `sendfile` and `tcp_nopush` are enabled for static content
+- **Real-time applications**: Verify `tcp_nodelay` is enabled
+- **Bandwidth control**: Use `limit_rate` for traffic shaping
+- **Multimedia streaming**: Enable `sendfile` and `tcp_nopush` for optimal streaming performance
 :::
-#### Enterprise Email Providers
+### File Cache Settings
+Optimize file system operations:
   
-      Service
-      Host
-      Port
-      Secure
-      Username
-      Password
+      Setting
+      Default
+      Range
+      Parameter
     
-      Gmail
-      smtp.gmail.com
-      587
-      false
-      your.name@gmail.com
-      App Password required
+      Cache open file descriptors
+      on
+      on/off
+      open_file_cache
     
-      Google Workspace
-      smtp-relay.gmail.com
-      587
-      false
-      your.name@your-domain.com
-      Regular password (App Password if using 2FA)
+      Maximum number of elements in file cache
+      200000
+      1000-1000000
+      open_file_cache_max
     
-      Office 365
-      smtp.office365.com
-      587
-      false
-      your.name@your-domain.com
-      Account password
+      Time after which unused cache elements are removed
+      20s
+      1s-300s
+      open_file_cache_inactive
     
-:::note Google
-- Gmail/Office 365: Better for testing or low-volume sending
-- Google Workspace: Suitable for business needs with higher limits
+      Time interval for checking cached elements validity
+      30s
+      1s-300s
+      open_file_cache_valid
+    
+      Minimum file uses to remain in cache
+      2
+      1-100
+      open_file_cache_min_uses
+    
+      Cache file lookup errors
+      on
+      on/off
+      open_file_cache_errors
+    
+:::tip Recommendations
+- **Static file serving**: Increase cache size and adjust timeouts
+- **Development**: Reduce validation timeout for faster file updates
+- **High I/O applications**: Optimize based on file access patterns
+:::
+### Security Settings
+Configure security-related options:
+  
+      Setting
+      Default
+      Parameter
+    
+      Emit nginx version in error messages and headers
+      off
+      server_tokens
+    
+**Best Practice:** Keep `server_tokens` disabled to avoid revealing server information.
+## Advanced Routing Features
+The L7 HTTP Balancer supports sophisticated routing beyond basic domain mapping.
+Access the advanced location configuration through your project's HTTP Balancer section → click the **gear/settings icon** next to any domain location to open the **Advanced Location Configuration** dialog.
+### Redirect Configuration
+Redirect requests to different URLs with full control:
+**Configuration Options:**
+- **Redirect URL**: Destination for redirected requests
+- **Redirect Code**: HTTP status code for redirection (e.g., 301, 302, 307, 308)
+- **Preserve Path**: Keep original path in redirect URL
+- **Preserve Query**: Keep original query parameters in redirect URL
+  
+### Access Policy Configuration
+Implement IP-based access control. If the request fails the check, a 403 Forbidden error is returned:
+**Policy Types:**
+- **Default Policy**: `allow` or `deny`
+- **CIDR Blocks**: List of IP addresses/ranges that will have the opposite policy than the default
+**Supported Formats:**
+- IPv4 address: `192.168.1.1`
+- IPv4 range: `192.168.1.0/24`
+- IPv6 address: `2001:db8::1`
+- IPv6 range: `2001:db8::/32`
+  
+### Rate Limiting Configuration
+Protect against abuse and ensure fair resource usage. When the rate limit is exceeded, requests are delayed (burst). If they cannot be processed in time, a 503 Service Temporarily Unavailable error is returned:
+**Configuration Parameters:**
+- **Rate Limit Key**: `binary_remote_addr` (per IP) or `server_name` (per domain)
+- **Rate**: Requests per second to allow
+- **Burst**: Number of requests to queue when rate exceeded
+- **Zone Name**: Memory zone for storing rate limiting state
+- **Zone Size**: Memory allocated for rate limiting data (in MB)
+  
+### Basic Authentication
+Add HTTP Basic Authentication to protected resources:
+**Configuration:**
+- **Realm**: Authentication realm name
+- **Users**: Username and password combinations
+  
+### Custom Content Responses
+Return custom content for specific conditions:
+**Configuration:**
+- **HTTP Status Code**: Any valid status code (200, 404, 503, etc.)
+- **Content**: Response body content
+- **Content Type**: MIME type (default: text/plain)
+  
+*Need help? Join our [Discord community](https://discord.gg/zeropsio).*
+
+----------------------------------------
+
+# References > Networking > Public Access
+
+export const languages = [
+    { name: "Bun", link: "/java/how-to/build-pipeline#ports" },
+    { name: "Deno", link: "/go/how-to/build-pipeline#ports" },
+    { name: ".NET", link: "/dotnet/how-to/build-pipeline#ports" },
+    { name: "Elixir", link: "/php/how-to/build-pipeline#ports" },
+    { name: "Gleam", link: "/dotnet/how-to/build-pipeline#ports" },
+    { name: "Go", link: "/go/how-to/build-pipeline#ports" },
+    { name: "Java", link: "/java/how-to/build-pipeline#ports" },
+    { name: "Node.js", link: "/nodejs/how-to/build-pipeline#ports" },
+    { name: "PHP", link: "/php/how-to/build-pipeline#ports" },
+    { name: "Python", link: "/python/how-to/build-pipeline#ports" },
+    { name: "Rust", link: "/rust/how-to/build-pipeline#ports" },
+]
+This guide provides detailed configuration instructions for making your Zerops services publicly accessible from the internet. For an overview of all access methods, see the [Access & Networking guide](/features/access).
+## Public Access Methods
+Choose the access method that best fits your needs:
+- **[Zerops Subdomain Access](#zerops-subdomain-access)** - Quick setup with `.zerops.app` domains, ideal for development and testing
+- **[Custom Domain Access](#custom-domain-access)** - Production-ready access through your own domains with full SSL support
+- **[Direct Port Access](#direct-port-access)** - Direct port routing for non-HTTP protocols and specialized applications
+## Zerops Subdomain Access
+Zerops subdomains provide quick public access through `.zerops.app` addresses, ideal for development and testing environments.
+### Configuration
+1. Navigate to your service detail page in Zerops GUI
+2. Select **Subdomain & domain & IP access** from the left menu (for runtime services)
+3. Toggle the **Zerops subdomain access** switch
+  
+Once enabled, Zerops assigns a unique subdomain for your application. If you've defined multiple [internal ports](/zerops-yaml/specification#ports-) with HTTP support in your `zerops.yaml`, each port receives its own unique `.zerops.app` subdomain.
+### Technical Implementation
+When using Zerops subdomains:
+- Access your application using the `https://` protocol (Zerops automatically manages SSL certificates)
+- Traffic flows through a central HTTP balancer that:
+  - Terminates SSL connections
+  - Forwards requests to your application via HTTP
+  - Handles all security certificates
+### Limitations
+:::warning Production Considerations
+- The central HTTPS balancer is shared across all Zerops projects, which creates a scalability bottleneck
+- Maximum upload size is limited to 50MB
+- Not recommended for production traffic due to scalability bottleneck
+- Better suited for development and testing environments
+:::
+## Custom Domain Access
+Custom domain access provides production-ready public access through your own domain names, offering better performance and full control over domain settings.
+  
+### IP Address Configuration
+Before setting up domain access, you need to configure public IP addresses. Zerops offers the following options:
+#### IPv4 Configuration
+**Dedicated IPv4 Address ($3/30 days)**
+- Dedicated to your project and shared across all project services
+- One IPv4 address per project limit
+- Protects against blacklisting risks associated with shared IPs
+- Subscription automatically renews every 30 days *(cannot be purchased with promo credit)*
+- Fee is non-refundable but address can be reused in another project until subscription ends
+- **Recommended for production workloads**
+**Shared IPv4 Address (Free)**
+- Available at no cost
+- Shared across all Zerops users and their projects
+- Limitations:
+  - For HTTP/HTTPS traffic only
+  - Restricted number of open connections
+  - Shorter connection timeouts
+- **Not recommended for production use**
+#### IPv6 Configuration
+**IPv6 Address (Free)**
+- Dedicated to your project and shared across all project services
+- One IPv6 address per project limit
+- Automatically activated with first domain setup
+- Available for all projects at no additional cost
+:::tip Dual Stack Recommendation
+Since IPv6 support is not universal, using both IPv4 and IPv6 is recommended for maximum accessibility.
+:::
+### HTTP Routing Setup
+To configure domain access:
+1. Go to your service detail page in Zerops GUI and select **Subdomain & domain & IP access** (or access from project's **Project & Services Access Overview** section → **HTTP Balancer (L7) Configuration & Public Access Through Domains**)
+   - For advanced L7 balancer settings (connection handling, buffers, performance optimization), click **Advanced balancer configuration**
+2. Click **Setup first domain access**
+3. Configure domain settings:
+   - Enter domain names (e.g., `mydomain.com`, `app.mydomain.com`)
+   - Add multiple domains if needed (useful for multi-language sites)
+   - Choose SSL certificate management
+4. Define routing rules:
+   - **Source:** The public path (the part of URL after your domain)
+   - **Destination:** Choose which application and internal port receives the traffic
+   - Add multiple routing configurations as needed
+:::tip Alternative Access
+Domain configuration can also be accessed from individual service pages under **Subdomain & domain & IP access**.
+:::
+All settings can be modified later as your needs change.
+### DNS Configuration
+After setting up domain access in Zerops, configure your DNS records with your domain registrar:
+:::tip DNS Configuration Guides
+- **Cloudflare users:** Follow the [Cloudflare DNS Configuration Guide](/references/networking/cloudflare) for step-by-step Cloudflare-specific instructions
+- **Other providers:** Use the [DNS and Proxy Configuration Guide](/references/networking/dns) for universal DNS setup instructions
+:::
+### HTTPS & SSL Configuration
+When using Let's Encrypt certificates (recommended):
+**Certificate Management:**
+- Zerops handles all certificate installation and renewal automatically
+- Certificates are provided free of charge
+- No manual certificate management required
+**Traffic Flow:**
+1. Traffic arrives at your public IPv4/IPv6 addresses
+2. Requests route through your project's dedicated HTTPS balancer
+3. SSL termination occurs at the balancer level
+4. Internal traffic uses HTTP protocol for optimal performance
+**Balancer Architecture:**
+- Deployed in two containers for high availability
+- Scales vertically based on traffic demands
+- Cannot be directly modified by users
+- Included free of charge with custom domain setup
+**Load Balancing:**
+- **Round-robin load balancing** across multiple service instances
+- **Health checks** to route traffic only to healthy instances
+- **Connection pooling** for improved performance
+**Performance Considerations:**
+- Use dedicated IPv4 addresses instead of shared ones for high-traffic applications
+- Consider the [L7 Balancer advanced configuration options](/references/networking/l7-balancer-config) for production optimization
+## Direct Port Access
+Direct port access enables public access to specific ports on your services, supporting any protocol and specialized use cases beyond HTTP.
+:::important Service Compatibility
+Currently, direct public port access is only available for runtime services and PostgreSQL databases.
 :::
-#### Email Service Providers
   
-      Provider
-      Host
-      Port
-      Username
-      Password
-      Features
-    
-      SendGrid
-      smtp.sendgrid.net
-      587
-      apikey
-      SendGrid API key
-      • Free tier available
-• Real-time analytics
-• Webhooks
-• Spam detection
-    
-      Mailgun
-      smtp.mailgun.org
-      587
-      postmaster@your-domain.com
-      Mailgun password
-      • Free tier available
-• Email validation
-• Routing rules
-• Delivery analytics
-    
-      Amazon SES
-      email-smtp.us-east-1.amazonaws.com
-      587
-      SES access key ID
-      SES secret access key
-      • Pay as you go pricing
-• AWS integration
-• High deliverability
-• Auto-scaling
-    
-## Best Practices
-When implementing email functionality in your applications:
-- Store SMTP credentials in environment variables
-- Implement proper error handling and retry logic
-- Use queue systems for bulk sending to prevent rate limits
-- Monitor delivery status and bounce rates
-- Keep SMTP libraries and configurations up to date
+### Port Configuration
+1. Navigate to your service detail page in Zerops GUI:
+   - For runtime services: Select **Subdomain & domain & IP access**
+   - For PostgreSQL services: Select **Direct access through IP address**
+   - Or access from project's **Project & Services Access Overview** section → **Direct IP Accesses to Services**
+2. Configure port settings:
+   - Either **Setup first access through IPv6** or activate **Unique IPv4 add-on** (if needed)
+   - Choose any port from 10-65435 (ports 80 and 443 are reserved)
+   - Select destination service and internal port
+   - Each public port can be mapped to any internal service port
+   - Multiple public ports can point to the same internal port if needed
+   - Port configurations can be set independently for IPv4 and IPv6
+:::tip Service-Level Access
+For runtime services, you can also access port configuration from the service detail page under **Subdomain & domain & IP access**.
+:::
+### Firewall Configuration
+Secure your public ports with optional firewall rules:
+1. **Enable firewall** for specific ports
+2. **Choose policy type:**
+   - **Blacklist:** Block specific IPs/ranges (allow all others)
+   - **Whitelist:** Allow only specific IPs/ranges (block all others)
+3. **Configure IP rules:**
+   - **Single IP format:** Affects only the specific IP address
+   - **IP range format:** Affects all IPs in the specified CIDR range
+ 
+For information about Zerops' platform-wide firewall and port restrictions, see the [Firewall Reference Guide](/references/networking/firewall).
+### Protocol Support
+Direct port access supports:
+- **TCP protocols:** HTTP, HTTPS, database connections, custom TCP services
+- **UDP protocols:** DNS, gaming protocols, custom UDP services
+- **Any port-based protocol** your application requires
+## Next Steps
+- **DNS Configuration:** [DNS and Proxy Configuration Guide](/references/networking/dns) or [Cloudflare Guide](/references/networking/cloudflare)
+- **Advanced Routing:** [L7 Balancer Configuration & Advanced Routing Guide](/references/networking/l7-balancer-config)
+- **Wildcard Domains:** [Wildcard Domain Configuration](/references/networking/dns#wildcard-domain-configuration)
+- **Internal Access:** [Internal Access Configuration Guide](/references/networking/internal-access)
+*Need help? Join our [Discord community](https://discord.gg/zeropsio).*
 
 ----------------------------------------
 
-# References > Ssh
+# References > Networking > Ssh
 
 :::important
 SSH access is available only for runtime services and web servers.
@@ -21637,12 +21929,12 @@ For quick debugging and inspection, use the **Remote Web Terminal** available in
 - Provides instant access to your containers
 - Perfect for quick debugging sessions and emergency access
 ### SSH via VPN (Full Access)
-For full SSH capabilities and persistent connections, connect through the [Zerops VPN](/references/vpn).
+For full SSH capabilities and persistent connections, connect through the [Zerops VPN](/references/networking/vpn).
 ## Setting Up SSH Access
 ### 1. Configure VPN Connection (For SSH Access)
-The [Zerops CLI (zCLI)](/references/cli) comes bundled with the [Zerops VPN](/references/vpn) client. To connect to your [Zerops project](/features/infrastructure#projects):
+The [Zerops CLI (zCLI)](/references/cli) comes bundled with the [Zerops VPN](/references/networking/vpn) client. To connect to your [Zerops project](/features/infrastructure#projects):
 1. [Install and configure zCLI](/references/cli)
-2. [Initialize the Zerops VPN connection](/references/vpn#start-vpn)
+2. [Initialize the Zerops VPN connection](/references/networking/vpn#start-vpn)
 ### 2. Establish SSH Connection via VPN
 Once your VPN session is active, you can connect to any [service](/features/infrastructure#services) using its hostname via SSH:
 ```sh
@@ -21821,7 +22113,7 @@ Be careful with block rules - they can prevent expected SSH access even when all
 
 ----------------------------------------
 
-# References > Vpn
+# References > Networking > Vpn
 
 At Zerops, security is our core priority. We ensure everything stays within a private network with zero exposure to the internet.
 Unlike typical consumer VPNs that focus on changing your public IP address, our WireGuard VPN implementation is specifically designed to give you secure access to your project's services.
@@ -21868,24 +22160,8 @@ Usage:
 Flags:
       --help   Display help for the vpn down command
 ```
-## How do we provide better security?
-We are using WireGuard under the hood for VPN to establish a secure tunnel
-connection to a private network of a Zerops project. This approach provides a safer connection
-compared to SSH.
-Additionally, you won't need to add any passwords or IP addresses for SSH access.
-WireGuard is a free, lightweight, open-source software—technically a communication protocol—that 
-utilizes cryptography.
-It helps us create a secure tunnel that uses UDP for transmitting traffic. We use public/private key pairs
-for authorization.
-Inside Zerops project runs a Wireguard server and zCLI (Zerops Command Line Interface) works as
-a Wireguard client which helps you to interact with your zerops project if you're authorized.
-
-----------------------------------------
-
-# References > Vpn > Troubleshooting
-
-# VPN Troubleshooting Guide
-## 1. Interface Already Exists
+## Troubleshooting
+#### 1. Interface Already Exists
 **Problem**: When running `zcli vpn up`, you get an error like:
 ```
 ERR /opt/homebrew/bin/wg-quick up /opt/homebrew/etc/wireguard/zerops.conf: [+] Interface for zerops is utun6 wg-quick: 'zerops' already exists as 'utun6'
@@ -21895,7 +22171,7 @@ ERR /opt/homebrew/bin/wg-quick up /opt/homebrew/etc/wireguard/zerops.conf: [+] I
 zcli vpn down
 zcli vpn up
 ```
-## 2. Hostname Resolution
+#### 2. Hostname Resolution
 **Problem**: Even with VPN successfully connected, hostname resolution fails with errors like:
 ```
 could not translate host name "hostname" to address: nodename nor servname provided, or not known
@@ -21911,13 +22187,177 @@ psql -h [hostname].zerops -U [user]
 :::tip Windows OS tip
 In the Advanced TCP/IP Settings dialog, navigate to the DNS tab and confirm that "zerops" appears in the "Append these DNS suffixes (in order)" list. If missing, add it using the Add button.
 :::
-## 3. WSL2 VPN Connection
+#### 3. WSL2 VPN Connection
 **Problem**: VPN not running in WSL2
 **Solution**: This might occur because `systemd` is not running in WSL2 by default. To fix:
 1. Run `sudo -e /etc/wsl.conf`
 2. Add `system=true` to `[boot]` section
 3. Comment out the first line `LABEL=cloudimg-rootfs / ext4 defaults 0 1`
 4. In `cmd.exe/PowerShell` run `wsl --shutdown` to restart WSL2
+## How do we provide better security?
+We are using WireGuard under the hood for VPN to establish a secure tunnel
+connection to a private network of a Zerops project. This approach provides a safer connection
+compared to SSH.
+Additionally, you won't need to add any passwords or IP addresses for SSH access.
+WireGuard is a free, lightweight, open-source software—technically a communication protocol—that 
+utilizes cryptography.
+It helps us create a secure tunnel that uses UDP for transmitting traffic. We use public/private key pairs
+for authorization.
+Inside Zerops project runs a Wireguard server and zCLI (Zerops Command Line Interface) works as
+a Wireguard client which helps you to interact with your zerops project if you're authorized.
+
+----------------------------------------
+
+# References > Smtp
+
+Simple Mail Transfer Protocol (SMTP) is the internet standard for email transmission. It operates as a set of rules that govern how email messages are formatted, encrypted, and relayed between servers.
+## SMTP in Zerops
+Zerops implements a security-first approach to email sending operations, allowing only port 587 for SMTP communication. This decision aligns with modern security practices and helps maintain the platform's integrity.
+### Port Configuration
+  
+      Port
+      Status
+      Description
+    
+      587
+      ✅&nbsp;Allowed
+      Modern SMTP submission with STARTTLS
+    
+      25
+      ❌&nbsp;Blocked
+      Traditional SMTP (security risk)
+    
+      465
+      ❌&nbsp;Blocked
+      Legacy SMTPS (deprecated)
+    
+### Why Port 587
+Port 587 is the modern standard for sending emails through SMTP, designed specifically for authenticated client submissions. This port enforces several security measures:
+- Mandatory TLS encryption for data protection
+- Required authentication for all clients
+- Secure transmission through verified providers
+#### How It Works
+Port 587 implements STARTTLS to establish secure connections. The process follows these steps:
+1. Client connects to the SMTP server
+2. Server responds with available capabilities
+3. Client requests STARTTLS upgrade
+4. Connection switches to encrypted TLS
+5. Client provides authentication credentials
+6. Email transmission begins over secure channel
+This implementation balances modern security requirements with broad compatibility, making it the recommended choice for email transmission.
+### Port Restrictions and Platform Security
+Zerops enforces a strict policy of **blocking ports 25 and 465** for email operations.
+:::caution
+This is a permanent security measure with no exceptions, designed to protect both the platform and its users.
+:::
+Port 25, in particular, is frequently exploited for spam distribution across cloud platforms. Instead of providing basic SMTP functionality, we encourage the use of specialized email services that offer:
+- Advanced deliverability management
+- Comprehensive monitoring and analytics
+- Built-in spam protection
+- Professional IP reputation management
+- Automated bounce handling
+This strict policy stems from a crucial understanding: poor IP reputation from email abuse can cascade across an entire infrastructure. The impact extends beyond email services to affect:
+- Legitimate web applications
+- Platform response times
+- Overall service reliability
+- Other customers' applications
+This is why Zerops maintains this strict policy - to ensure consistent, reliable service for all platform users.
+## Sending Emails from Zerops
+### Recommended Approaches
+You have two main options for sending emails from your Zerops applications:
+1. **Email Provider SMTP Client**
+   - You act as a client using their SMTP servers
+   - Subject to provider's sending limits and policies
+2. **Specialized Email Services**
+   - Purpose-built for application email delivery
+   - Your own dedicated sending infrastructure
+   - Higher limits with scalable pricing
+   - Advanced delivery monitoring and analytics
+### Configuration Examples
+These examples serve as a starting point. Check your email provider's official documentation for current configuration requirements.
+:::note
+Port 587 is mandatory for all SMTP configurations in Zerops. Other ports (25, 465) are blocked for security reasons.
+:::
+#### Enterprise Email Providers
+  
+      Service
+      Host
+      Port
+      Secure
+      Username
+      Password
+    
+      Gmail
+      smtp.gmail.com
+      587
+      false
+      your.name@gmail.com
+      App Password required
+    
+      Google Workspace
+      smtp-relay.gmail.com
+      587
+      false
+      your.name@your-domain.com
+      Regular password (App Password if using 2FA)
+    
+      Office 365
+      smtp.office365.com
+      587
+      false
+      your.name@your-domain.com
+      Account password
+    
+:::note Google
+- Gmail/Office 365: Better for testing or low-volume sending
+- Google Workspace: Suitable for business needs with higher limits
+:::
+#### Email Service Providers
+  
+      Provider
+      Host
+      Port
+      Username
+      Password
+      Features
+    
+      SendGrid
+      smtp.sendgrid.net
+      587
+      apikey
+      SendGrid API key
+      • Free tier available
+• Real-time analytics
+• Webhooks
+• Spam detection
+    
+      Mailgun
+      smtp.mailgun.org
+      587
+      postmaster@your-domain.com
+      Mailgun password
+      • Free tier available
+• Email validation
+• Routing rules
+• Delivery analytics
+    
+      Amazon SES
+      email-smtp.us-east-1.amazonaws.com
+      587
+      SES access key ID
+      SES secret access key
+      • Pay as you go pricing
+• AWS integration
+• High deliverability
+• Auto-scaling
+    
+## Best Practices
+When implementing email functionality in your applications:
+- Store SMTP credentials in environment variables
+- Implement proper error handling and retry logic
+- Use queue systems for bulk sending to prevent rate limits
+- Monitor delivery status and bounce rates
+- Keep SMTP libraries and configurations up to date
 
 ----------------------------------------
 
@@ -22245,12 +22685,6 @@ zsc version
 #### Available flags
 - `-h, --help`: Help for the version command
 
-----------------------------------------
-
-# Rust > How To > Access
-
-
-
 ----------------------------------------
 
 # Rust > How To > Build Pipeline
@@ -22610,7 +23044,7 @@ The os version is fixed and cannot be customised.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Rust service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Rust service](/rust/how-to/access).
+For example, to connect to a Rust service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Rust service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
   
       Parameter
@@ -23365,7 +23799,7 @@ export const languages = [
 
 # Shared Storage > How To > Manage
 
-Zerops Shared Storage provides several web interfaces to manage, monitor, and troubleshoot your storage. These interfaces are accessible through the [Zerops VPN](/references/vpn) and offer different capabilities for managing your data and monitoring system performance.
+Zerops Shared Storage provides several web interfaces to manage, monitor, and troubleshoot your storage. These interfaces are accessible through the [Zerops VPN](/references/networking/vpn) and offer different capabilities for managing your data and monitoring system performance.
 ## Access Web Interfaces
 ### Filer UI
 * `http://.zerops:8888`
@@ -23903,7 +24337,7 @@ For enabling HTTPS access:
 2. Or use `enableSubdomainAccess: true` when [importing](/references/import#service-configuration) a Typesense service
 #### Direct Node Access
 Allows to access individual nodes using internal DNS:
-1. **Via [Zerops VPN](/references/vpn)**
+1. **Via [Zerops VPN](/references/networking/vpn)**
 2. **Internal Project Access** - services within the same project can reach nodes directly
 Node addressing patterns:
 ##### Standard format
diff --git a/apps/docs/static/llms-small.txt b/apps/docs/static/llms-small.txt
index 63298638..c02efc2e 100644
--- a/apps/docs/static/llms-small.txt
+++ b/apps/docs/static/llms-small.txt
@@ -1,9 +1,3 @@
-----------------------------------------
-
-# Bun > How To > Access
-
-
-
 ----------------------------------------
 
 # Bun > How To > Build Pipeline
@@ -375,7 +369,7 @@ The os version is fixed and cannot be customised.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Bun service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Bun service](access).
+For example, to connect to a Bun service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Bun service](/features/access).
 Each port has following attributes:
 | parameter   | description                                                                                                                                                                                                                                                                                                            |
 | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -1160,12 +1154,6 @@ For advanced configurations or custom requirements:
 - Join our [Discord community](https://discord.gg/zerops)
 - Contact support via [email](mailto:support@zerops.io)
 
-----------------------------------------
-
-# Deno > How To > Access
-
-
-
 ----------------------------------------
 
 # Deno > How To > Build Pipeline
@@ -1531,7 +1519,7 @@ The os version is fixed and cannot be customised.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Deno service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Deno service](/deno/how-to/access).
+For example, to connect to a Deno service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Deno service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
 | parameter   | description                                                                                                                                                                                                                                                                                                            |
 | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -2481,12 +2469,6 @@ Docker services on Zerops have specific scaling characteristics that differ from
 - Implement proper health checks for reliable scaling
 - Use horizontal scaling when possible to avoid VM restarts
 
-----------------------------------------
-
-# Dotnet > How To > Access
-
-
-
 ----------------------------------------
 
 # Dotnet > How To > Build Pipeline
@@ -2852,7 +2834,7 @@ The os version is fixed and cannot be customised.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a .NET service with hostname = "app" and port = 5000 from another service of the same project, simply use `app:5000`. Read more about [how to access a .NET service](/dotnet/how-to/access).
+For example, to connect to a .NET service with hostname = "app" and port = 5000 from another service of the same project, simply use `app:5000`. Read more about [how to access a .NET service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
   
       Parameter
@@ -3587,12 +3569,6 @@ services:
 - [Elasticsearch Official Documentation](https://www.elastic.co/guide/index.html)
 - [Available Elasticsearch Plugins](https://www.elastic.co/guide/en/elasticsearch/plugins/current/index.html)
 
-----------------------------------------
-
-# Elixir > How To > Access
-
-
-
 ----------------------------------------
 
 # Elixir > How To > Build Pipeline
@@ -3960,7 +3936,7 @@ The os version is fixed and cannot be customised.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Elixir service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Elixir service](/elixir/how-to/access).
+For example, to connect to a Elixir service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Elixir service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
 | parameter   | description                                                                                                                                                                                                                                                                                                            |
 | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -4589,137 +4565,82 @@ Have you build something that others might find useful? Don't hesitate to share
 
 # Features > Access
 
-export const languages = [
-    { name: "Bun", link: "/java/how-to/build-pipeline#ports" },
-    { name: "Deno", link: "/go/how-to/build-pipeline#ports" },
-    { name: ".NET", link: "/dotnet/how-to/build-pipeline#ports" },
-    { name: "Elixir", link: "/php/how-to/build-pipeline#ports" },
-    { name: "Gleam", link: "/dotnet/how-to/build-pipeline#ports" },
-    { name: "Go", link: "/go/how-to/build-pipeline#ports" },
-    { name: "Java", link: "/java/how-to/build-pipeline#ports" },
-    { name: "Node.js", link: "/nodejs/how-to/build-pipeline#ports" },
-    { name: "PHP", link: "/php/how-to/build-pipeline#ports" },
-    { name: "Python", link: "/python/how-to/build-pipeline#ports" },
-    { name: "Rust", link: "/rust/how-to/build-pipeline#ports" },
-]
-Zerops provides three ways to make your application accessible from the internet:
-- [Zerops subdomain](#public-access-through-zerops-subdomain) - ideal for testing and development
-- [Custom domain](#public-access-through-your-domain) - recommended for production deployments
-- [Direct port access](#opening-public-ports) - for non-HTTP protocols and specialized use cases
-Each method serves different needs and comes with its own configuration options.
+Zerops provides multiple ways to access your services, whether you need internal communication between services, secure access from your development machine, or public access from the internet.
 :::note
-By default, your runtime service is not publicly accessible until you configure one of these methods.
-:::
-## Public Access Through Zerops Subdomain
-For development and testing purposes, Zerops offers a quick way to make your application accessible through a `.zerops.app` subdomain. This option requires minimal configuration and includes automatic SSL certificate management.
-### Configuration Steps
-1. Navigate to your service detail page in Zerops GUI
-2. Select **Public access & internal ports** from the left menu
-3. Toggle the **Zerops subdomain access** switch
-  
-Once enabled, Zerops assigns a unique subdomain for your application. If you've defined multiple [internal ports](/zerops-yaml/specification#ports-) with HTTP support in your `zerops.yaml`, each port receives its own unique `.zerops.app` subdomain.
-### Technical Details
-When using Zerops subdomains:
-- Access your application using the `https://` protocol (Zerops automatically manages SSL certificates)
-- Traffic flows through a central HTTP balancer that:
-  - Terminates SSL connections
-  - Forwards requests to your application via HTTP
-  - Handles all security certificates
-:::warning Production Limitations
-- The central HTTPS balancer is shared across all Zerops projects, which creates a scalability bottleneck
-- Maximum upload size is limited to 50MB
-- Not recommended for production traffic
-:::
-## Public Access Through Your Domain
-When your application is ready for production or you need to test with your actual domain, configure custom domain access. This method provides better performance, scalability, and full control over your domain settings.
-  
-### IP Address Configuration
-Before setting up domain access, you'll need public IP addresses. Zerops offers the following IP options:
-#### IPv4 Options
-##### Dedicated IPv4 Address ($3/30 days)
-- Dedicated to your project and shared across all project services
-- One IPv4 address per project limit
-- Protects against blacklisting risks associated with shared IPs
-- Subscription automatically renews every 30 days *(cannot be purchased with promo credit)*
-    - Fee is non-refundable but address can be reused in another project until subscription ends
-- **Recommended for production workloads**
-##### Shared IPv4 Address (Free)
-- Available at no cost
-- Shared across all Zerops users and their projects
-- Limitations:
-  - Restricted number of open connections
-  - Shorter connection timeouts
-- **Not recommended for production use**
-#### IPv6 Address (Free)
-- Dedicated to your project and shared across all project services
-- One IPv6 address per project limit
-- Automatically activated with first domain setup
-- Available for all projects at no additional cost
-:::tip
-Since IPv6 support is not universal, using both IPv4 and IPv6 is recommended for maximum accessibility.
-:::
-### Configuring HTTP Routing
-To set up domain access:
-1. Go to your service detail in Zerops GUI and select **Public access & internal ports**
-2. Click **Setup first domain access**
-3. Configure your domain settings:
-   - Enter domain names (e.g., `mydomain.com`, `app.mydomain.com`)
-   - Add multiple domains if needed (useful for multi-language sites)
-   - Choose SSL certificate management
-4. Define routing rules:
-   - Source: The public path (the part of URL after your domain)
-   - Destination: Choose which application and internal port receives the traffic
-   - Add multiple routing configurations as needed
-All settings can be modified later as your needs change.
-### DNS Configuration
-After setting up domain access in Zerops, you'll need to configure your DNS records with your domain registrar.
-:::tip DNS Provider Guides
-- **Cloudflare users**: Follow our [Cloudflare DNS Configuration Guide](/features/cloudflare) for step-by-step Cloudflare-specific instructions
-- **Other providers**: Use the [general DNS and Proxy Configuration Guide](/features/dns) for universal DNS setup instructions
-:::
-### HTTPS Configuration
-When using Let's Encrypt certificates (recommended):
-#### Certificate Management
-- Zerops handles all certificate installation and renewal
-- Certificates are free of charge
-- No manual certificate management required
-#### Traffic Flow
-1. Traffic arrives at your public IPv4/IPv6 addresses
-2. Requests route through your project's dedicated HTTPS balancer
-3. SSL termination occurs at the balancer level
-4. Internal traffic uses HTTP protocol for optimal performance
-#### Balancer Architecture
-- Deployed in two containers for redundancy
-- Scales vertically based on traffic demands
-- Cannot be directly modified
-- Included free of charge
-## Opening Public Ports
-For applications requiring direct port access or non-HTTP protocols, Zerops provides flexible port configuration options.
-:::important
-Currently, direct public port access is only available for runtime services and PostgreSQL databases.
+By default, your services are not publicly accessible until you configure external access. Internal communication between services within the same project works automatically.
+:::
+## How Zerops Networking Works
+Every Zerops project includes a **shared networking infrastructure** that handles all access methods:
+**Private Project Network:**
+- All services within a project share a dedicated private network
+- Services communicate directly using hostnames and internal ports
+- Traffic stays isolated within your project
+**Public Access Infrastructure:**
+- **Core (L3) Balancer** manages IP addresses and direct port access
+- **L7 HTTP Balancer** handles domain routing and SSL termination
+  - Can be extensively configured for advanced routing, performance optimization, and custom behaviors
+  - See the [L7 Balancer Configuration Guide](/references/networking/l7-balancer-config) for detailed options
+- Both are shared across all services in your project
+**Secure External Access:**
+- **Built-in VPN** provides secure tunnel access to your project's private network
+- Useful for development, debugging, and administration
+## Internal Access
+:::tip Complete Internal Access Setup
+See the [Internal access reference guide](/references/networking/internal-access).
+:::
+Services within the same project can communicate directly using hostnames and internal ports. No additional configuration required.
+**Example:** Connect to your `api` service on port 3000:
+```
+http://api:3000
+```
+**Key points:**
+- Use service hostname as the address
+- Use HTTP (not HTTPS) for internal communication
+- Access internal ports defined in your service configuration
+- Communication is automatically isolated from other projects
+### Environment Variables
+Zerops automatically creates environment variables to help with internal connections between services.
+## VPN Access
+:::tip Complete VPN Setup
+See the [VPN reference guide](/references/networking/vpn).
 :::
-  
-### Port Configuration
-1. Navigate to service detail page in Zerops GUI
-   - For runtime services select **Subdomain & domain & IP access**
-   - For PostgreSQL select **Direct access through IP address**
-2. Configure your port settings:
-   - Either **Setup first access through IPv6** or activate **Unique IPv4 add-on** (if needed)
-   - Choose any port from 10-65435 (except 80 and 443)
-   - Select destination service and internal port
-   - Each public port can be mapped to any internal service port
-   - Multiple public ports can point to the same internal port if needed
-   - Port configurations can be set independently for IPv4 and IPv6
-### Firewall Configuration
-Optionally secure your ports with firewall rules:
-1. Enable firewall for specific ports
-2. Choose policy type:
-   - **Blacklist**: Block specific IPs/ranges
-   - **Whitelist**: Allow only specific IPs/ranges
-3. Configure IP rules:
-   - Single IP format affects only the specific IP
-   - IP range format affects all IPs in that CIDR range
- 
+Connect securely to your project's internal network from your local machine:
+```bash
+# Connect to your project
+zcli vpn up 
+# Access services using internal hostnames
+curl http://api:3000/health
+# Disconnect when done
+zcli vpn down
+```
+## Public Access
+:::tip Complete Public Access Setup
+See the [Public access reference guide](/references/networking/public-access).
+:::
+Make your services accessible from the internet using one of three methods:
+### Zerops Subdomain
+**Best for:** Development and testing
+- Quick setup with automatic `.zerops.app` subdomains
+- Each service gets its own unique subdomain
+- Automatic SSL certificate management
+- Shared infrastructure (has limitations for production use)
+### Custom Domain
+**Best for:** Production deployments
+- Use your own domain names
+- Better performance with dedicated balancer
+- Full control over SSL and routing
+- Requires DNS configuration
+### Direct Port Access
+**Best for:** Non-HTTP protocols and specialized use cases
+- Direct access to specific ports on your services
+- Supports any protocol (TCP/UDP)
+- Optional firewall configuration
+- Uses your project's IP addresses
+## Next Steps
+- **Internal access setup:** [Internal Access Reference Guide](/references/networking/internal-access)
+- **Public access configuration:** [Public Access Reference Guide](/references/networking/public-access)
+- **VPN setup and troubleshooting:** [VPN Reference Guide](/references/networking/vpn)
+- **Advanced routing and SSL:** [L7 Balancer Configuration Guide](/references/networking/l7-balancer-config)
 
 ----------------------------------------
 
@@ -5163,9 +5084,10 @@ Access the storage CDN URL via the `storageCdnUrl` **project** environment varia
 ### Static Mode
 Ideal for caching and delivering static website assets like HTML, CSS, JavaScript, and images served from your custom domains.
 **Setup process:**
-1. Configure domain access for your service
-2. Ensure your domains are DNS-verified and have active SSL certificates
-3. Enable CDN for the domain group
+1. Configure domain access for your service through the L7 HTTP Balancer section
+2. Access domain settings via the **three dots menu** or **gear icon** next to your domain entry
+3. In the "Project Domain Access Modification" dialog, enable the **"Enable CDN for static files"** toggle
+4. Optionally enable "Automatically install SSL Certificates" if not already configured
 **Accessing content:**
 ```txt
 https://static.cdn.zerops.app/your-domain.com/path/to/file
@@ -5316,219 +5238,6 @@ Remember that only publicly accessible objects will be cached by the CDN. Privat
 
 ----------------------------------------
 
-# Features > Cloudflare
-
-This guide provides step-by-step instructions for configuring Cloudflare to work with your Zerops applications, covering DNS records, proxy settings, SSL/TLS configuration, and common troubleshooting scenarios.
-## Prerequisites
-Before starting, ensure you have:
-- A Cloudflare account
-- A registered domain name
-- Access to your Zerops project with [domain access configured](/features/access#public-access-through-your-domain)
-- Your Zerops IP addresses (IPv4 and/or IPv6) from the Zerops GUI
-## DNS Record Configuration
-Configure your DNS records in Cloudflare using one of these approaches based on your needs:
-### With Cloudflare Proxy
-#### IPv6 only
-```bash
-Type    Name              Content                Proxy status   TTL
-AAAA             Proxied        Auto
-```
-Cloudflare handles IPv4 to IPv6 translation, making your service accessible to both IPv4 and IPv6 users. Uses Zerops' free dedicated IPv6 address.
-:::note
-Do not add a proxied A record with shared IPv4 when using this setup, as it would prevent proper IPv4 traffic routing.
-:::
-#### Dedicated IPv4
-```bash
-Type    Name              Content                Proxy status   TTL
-A              Proxied        Auto
-# Optional
-AAAA             Proxied        Auto
-```
-Uses your dedicated IPv4 address with Cloudflare's proxy features.
-:::tip
-Adding the AAAA record allows visitors with IPv6 support to connect directly via IPv6.
-:::
-#### Shared IPv4 *(not recommended)*
-```bash
-Type    Name              Content                Proxy status  TTL
-AAAA             DNS only      Auto
-A               Proxied       Auto
-```
-:::tip Why Not?
-Creates inconsistent security posture by mixing direct and proxied connections. Consider using IPv6 only or dedicated IPv4 configurations instead.
-:::
-### DNS-Only Configuration (Without Cloudflare Proxy)
-If you prefer direct connections without Cloudflare's proxy features:
-#### Shared IPv4
-```bash
-Type    Name              Content                Proxy status   TTL
-A               DNS only       Auto
-AAAA             DNS only       Auto
-```
-Uses Zerops' free shared IPv4.
-:::note Both A + AAAA Required
-Adding AAAA record is essential for shared IPv4 configuration as it serves as a [security measure](/features/dns#understand-shared-ipv4) to prevent unauthorized domain claims.
-:::
-#### Dedicated IPv4
-```bash
-Type    Name              Content                Proxy status   TTL
-A              DNS only       Auto
-# Optional
-AAAA             DNS only       Auto
-```
-Uses your dedicated IPv4 address.
-:::tip
-Adding the AAAA record allows visitors with IPv6 support to connect directly via IPv6.
-:::
-#### IPv6 only
-```bash
-Type    Name              Content                Proxy status   TTL
-AAAA             DNS only       Auto
-```
-Uses only Zerops' free dedicated IPv6.
-:::note
-This configuration will only work for users with IPv6 connectivity.
-:::
-## Wildcard Domain Configuration
-Zerops supports wildcard domains (`*.`) that allow routing all subdomains to your project.
-### DNS Records for Wildcards
-Configure wildcard domains using either method:
-#### Method A: Direct Wildcard Records
-```bash
-Type   Name              Content               Proxy status       TTL
-A      *.      DNS only/Proxied   Auto
-AAAA   *.      DNS only/Proxied   Auto
-```
-#### Method B: CNAME to Main Domain
-First ensure your main domain has proper A/AAAA records, then add:
-```bash
-Type    Name              Content         Proxy status       TTL
-CNAME   *.      DNS only/Proxied   Auto
-```
-### Certificate Validation for Wildcards
-To enable automatic SSL certificate issuance for wildcard domains:
-```bash
-Type    Name                            Content                     Proxy status   TTL
-CNAME   _acme-challenge.   .zerops.zone   DNS only       Auto
-```
-This CNAME record allows Zerops to handle the DNS-01 challenge required for wildcard SSL certificates.
-### Higher-Level Wildcard Subdomains
-You can also set up higher-level wildcard subdomains like `*..`:
-#### Method A: Direct Configuration
-```bash
-Type   Name                          Content               Proxy status       TTL
-A      *..      DNS only/Proxied   Auto
-AAAA   *..      DNS only/Proxied   Auto
-```
-#### Method B: Using a CNAME Record
-```bash
-Type    Name                          Content                     Proxy status       TTL
-CNAME   *..   .   DNS only/Proxied   Auto
-```
-or
-```bash
-Type    Name                          Content         Proxy status       TTL
-CNAME   *..      DNS only/Proxied   Auto
-```
-For certificate validation with higher-level wildcards:
-```bash
-Type    Name                                        Content                                 Proxy status   TTL
-CNAME   _acme-challenge..   ..zerops.zone   DNS only       Auto
-```
-### Combining Main Domain and Wildcard Domain
-To use both `` and `*.`, specify both variants in your [Zerops configuration](/features/access#configuring-http-routing). Zerops automatically issues a single shared certificate for both the main domain and all its subdomains.
-## Cloudflare SSL/TLS Configuration
-### Essential SSL/TLS Settings
-1. **Set Encryption Mode**
-   - Navigate to **SSL/TLS** → **Overview** in your Cloudflare dashboard
-   - Select **Full (strict)** for production or **Full** for testing
-   - **Never use Flexible mode** - this will cause redirect loops
-2. **Edge Certificates**
-   - Go to **SSL/TLS** → **Edge Certificates**
-   - Ensure **Always Use HTTPS** is enabled for production
-   - Keep **Automatic HTTPS Rewrites** enabled
-### Certificate Validation Configuration
-For proper certificate issuance, especially with Let's Encrypt:
-#### Option A: Simple Setup (Testing/Development)
-- Temporarily disable **Always Use HTTPS** during initial certificate setup
-- Re-enable after certificates are issued
-#### Option B: Production Setup
-Keep **Always Use HTTPS** enabled and create a Configuration Rule:
-1. Go to **Rules** → **Configuration Rules**
-2. Create a new rule with these settings:
-   - **Rule name:** "Allow ACME Challenge"
-   - **Field:** URI Path
-   - **Operator:** starts with
-   - **Value:** `/.well-known/acme-challenge/`
-   - **Action:** Disable **Automatic HTTPS Rewrites**
-This rule allows certificate validation to work while maintaining HTTPS enforcement for all other traffic.
-## Validation and Testing
-### DNS Resolution Testing
-```bash
-# Check IPv4 resolution
-dig A 
-# Check IPv6 resolution
-dig AAAA 
-# Check from specific DNS server
-dig @1.1.1.1 
-```
-### Connectivity Testing
-```bash
-# Basic HTTPS test
-curl -vI https://
-# Test with specific subdomain (for wildcards)
-curl -vI https://api.
-# Test IPv4 specifically
-curl -4 -v https://
-# Test IPv6 specifically
-curl -6 -v https://
-```
-### Cloudflare-Specific Checks
-1. **Verify proxy status** in Cloudflare DNS dashboard (orange cloud = proxied)
-2. **Check SSL/TLS mode** in SSL/TLS → Overview
-3. **Confirm certificate issuance** in SSL/TLS → Edge Certificates
-4. **Test redirect behavior** by accessing `http://` version of your domain
-## Troubleshooting Common Issues
-### SSL Certificate Problems
-**Symptom:** "Too many redirects" or SSL errors
-**Solutions:**
-- Verify SSL/TLS mode is set to **Full** or **Full (strict)**, not **Flexible**
-- Check that both Zerops and Cloudflare have valid certificates
-- Ensure **Always Use HTTPS** is properly configured
-- For new domains, refresh the Cloudflare SSL/TLS page as settings may display incorrectly initially
-**Symptom:** Certificate validation fails for wildcard domains
-**Solutions:**
-- Verify the `_acme-challenge` CNAME record is correctly configured
-- Ensure DNS propagation is complete (check with `dig` command)
-- Check that the CNAME points to `.zerops.zone`
-### DNS Resolution Issues
-**Symptom:** Domain not resolving
-**Solutions:**
-- Confirm DNS records are correctly configured in Cloudflare
-- Verify proxy status matches your intended setup
-- Check for typos in IP addresses
-- Wait for DNS propagation (typically 5-10 minutes)
-**Symptom:** IPv4 traffic not working with IPv6-only setup
-**Solutions:**
-- Ensure Cloudflare proxy is enabled (orange cloud)
-- Verify IPv6 address is correct in AAAA record
-- Confirm no conflicting A record with shared IPv4 exists
-## Security Considerations
-- Always use **Full (strict)** SSL mode for production
-- Enable **HSTS (HTTP Strict Transport Security)** in Cloudflare
-- Consider enabling **Bot Fight Mode** for additional protection
-- Use Cloudflare's **Firewall Rules** to block malicious traffic
-- Regularly monitor SSL certificate expiration dates
-## Getting Help
-If you encounter issues not covered in this guide:
-- Check the [general DNS configuration guide](/features/dns#technical-background) for additional context
-- Review your Zerops service logs for error messages
-- Verify your configuration against Cloudflare's documentation
-- Test with simple curl commands to isolate the problem
-- Contact Zerops support via [email](mailto:support@zerops.io) or reach out on [Discord](https://discord.gg/zeropsio)
-
-----------------------------------------
-
 # Features > Container Vs Vm
 
 Ever wondered why container technologies like Docker took over the development world so quickly? Let's break down the real differences between traditional VMs and containers - and why you might want to use one over the other.
@@ -5728,172 +5437,6 @@ This configuration allows you to:
 
 ----------------------------------------
 
-# Features > Dns
-
-This guide will show you how to configure DNS records and proxy settings to work with your Zerops applications.
-:::important Cloudflare
-If you're using Cloudflare, check out our dedicated [Cloudflare DNS Configuration Guide](/features/cloudflare) for step-by-step instructions specific to Cloudflare's interface and features.
-:::
-## DNS Configuration
-DNS records for Zerops services can be configured in two main ways:
-* **With Proxy**: Routes traffic through proxy services, providing additional security and performance features (recommended for DDoS protection)
-* **Without Proxy (DNS Only)**: Direct connection to your Zerops service's IP address
-DNS allows you to set two records based on IP address type:
-* **A** record for **IPv4** - Zerops offers either a free **shared** IPv4 or a paid **dedicated** IPv4
-* **AAAA** record for **IPv6** - Zerops provides a free **dedicated** IPv6
-### With Proxy
-#### IPv6 only
-```bash
-Type    Name              Content                Proxy status   TTL
-AAAA             Proxied        Auto
-```
-:::note
-Make sure your proxy service supports IPv4 to IPv6 translation for this configuration to work for **both IPv4 and IPv6** users.
-Do not add a proxied A record with shared IPv4 - doing so would prevent the proxy from properly routing IPv4 traffic to your service.
-:::
-#### Dedicated IPv4
-```bash
-Type    Name              Content                Proxy status   TTL
-A              Proxied        Auto
-# Optional
-AAAA             Proxied        Auto
-```
-:::tip
-Adding also AAAA record can be beneficial as visitors with IPv6 support will connect directly via IPv6.
-:::
-#### Shared IPv4 *(valid but NOT recommended)*
-```bash
-Type    Name              Content                Proxy status  TTL
-AAAA             DNS only      Auto
-A               Proxied       Auto
-```
-:::tip Why not?
-It does not make sense to expose your IPv6 address while proxying the shared IPv4. Use [IPv6 only](#ipv6-only) setup instead.
-:::
-### Without Proxy
-#### Shared IPv4
-```bash
-Type    Name              Content                Proxy status   TTL
-AAAA             DNS only       Auto
-A               DNS only       Auto
-```
-:::note Both A + AAAA Required
-Adding AAAA record is essential for shared IPv4 configuration as it serves as a [security measure](#understand-shared-ipv4) to prevent unauthorized domain claims.
-:::
-#### Dedicated IPv4
-```bash
-Type    Name              Content                Proxy status   TTL
-A              DNS only       Auto
-# Optional
-AAAA             DNS only       Auto
-```
-:::tip
-Adding also AAAA record can be beneficial as visitors with IPv6 support will connect directly via IPv6.
-:::
-#### IPv6 only
-```bash
-Type    Name              Content                Proxy status   TTL
-AAAA             DNS only       Auto
-```
-:::note
-This configuration will only work for users with IPv6 connectivity, which may limit your service accessibility.
-:::
-## Wildcard Domain Configuration
-Zerops supports wildcard domains (`*.`) that allow routing all subdomains to your project.
-### DNS Configuration
-#### Method A: Direct configuration of A and AAAA records
-Configure wildcard DNS records following the same patterns described in the [DNS Configuration](#dns-configuration) section, using `*.` in the Name field:
-```bash
-Type   Name              Content               Proxy status       TTL
-A      *.      DNS only/Proxied   Auto
-AAAA   *.      DNS only/Proxied   Auto
-```
-#### Method B: Using a CNAME record
-First configure A and AAAA records for your main domain (``), then set up a CNAME record:
-```bash
-Type    Name              Content         Proxy status       TTL
-CNAME   *.      DNS only/Proxied   Auto
-```
-### Certificate Validation
-For proper HTTPS certificate functionality with wildcard domains, configure:
-```bash
-Type    Name                            Content                     Proxy status   TTL
-CNAME   _acme-challenge.   .zerops.zone   DNS only       Auto
-```
-This record enables Zerops to issue and verify a wildcard certificate for your domain.
-### Higher-Level Wildcard Subdomains
-You can also set up higher-level wildcard subdomains like `*..`:
-#### Method A: Direct configuration
-```bash
-Type   Name                          Content               Proxy status       TTL
-A      *..      DNS only/Proxied   Auto
-AAAA   *..      DNS only/Proxied   Auto
-```
-#### Method B: Using a CNAME record
-```bash
-Type    Name                          Content                     Proxy status       TTL
-CNAME   *..   .   DNS only/Proxied   Auto
-```
-or
-```bash
-Type    Name                          Content         Proxy status       TTL
-CNAME   *..      DNS only/Proxied   Auto
-```
-For certificate validation:
-```bash
-Type    Name                                        Content                                 Proxy status   TTL
-CNAME   _acme-challenge..   ..zerops.zone   DNS only       Auto
-```
-### Combining Main Domain and Wildcard Domain
-To use both `` and `*.`, specify both variants in your [Zerops configuration](/features/access#configuring-http-routing). Zerops automatically issues a single shared certificate for both the main domain and all its subdomains.
-## Validation Steps
-Test your configuration:
-```bash
-# Check DNS resolution
-dig AAAA 
-# Verify connectivity
-curl -vI https://
-# Test IPv4 access
-curl -4 -v https://
-# Test IPv6 access
-curl -6 -v https://
-```
-## Troubleshooting Guide
-1. **DNS Resolution Issues**
-   - Confirm correct record configuration
-   - Verify proxy status settings
-   - Check IPv6 address accuracy
-   - Allow time for DNS propagation (typically 5-10 minutes)
-2. **Connection Problems**
-   - Test both IPv4 and IPv6 connectivity
-   - Check proxy server status if applicable
-   - Confirm port configurations
-3. **Certificate Issues**
-   - Verify proper _acme-challenge CNAME configuration for wildcard domains
-   - Check that DNS records match the domains configured in Zerops
-   - **Provider-specific certificate problems**: Consult your DNS provider's documentation for SSL/TLS configuration requirements
-## Technical Background
-### Understanding Shared IPv4 Addresses {#understand-shared-ipv4}
-Shared IPv4 allows multiple Zerops projects to use the same IPv4 address while maintaining separate routing for each project. Here's how it works:
-1. When a visitor makes a request, it first arrives at the shared IPv4 address
-2. The system looks at the domain name in the request (using SNI - Server Name Indication)
-3. For security, it checks if this domain properly resolves to your project's IPv6 address
-4. Only if IPv6 address matches your project will the traffic be routed correctly
-This is why configuring both A (IPv4) and AAAA (IPv6) records is crucial when using shared IPv4 addresses - the IPv6 record acts as a security key that helps prevent unauthorized use of the shared IPv4 address.
-### Certificate Verification Methods
-When issuing SSL/TLS certificates, different verification methods are used depending on the certificate type:
-#### HTTP-01 vs DNS-01 Verification
-- **Regular certificates** (for a single domain like ``) are typically issued using the **HTTP-01** challenge method. This verification checks that you control the domain by placing a specific file at a specific URL.
-- **Wildcard certificates** (for domains like `*.`) must be issued using the **DNS-01** challenge method. This method requires creating specific TXT records in your DNS configuration.
-### How Zerops Handles Wildcard Certificate Verification
-Zerops simplifies the DNS-01 challenge process:
-1. You create a CNAME record (e.g., `_acme-challenge. CNAME .zerops.zone`)
-2. When a certificate needs to be issued or renewed, Zerops automatically creates the required TXT records on its `zerops.zone` domain
-3. The certificate authority verifies these TXT records through the CNAME redirection
-4. Once verified, the wildcard certificate is issued without requiring manual intervention
-
-----------------------------------------
-
 # Features > Env Variables
 
 Zerops manages environment variables at two scopes: service level and project level. These variables are handled automatically without requiring `.env` files.
@@ -7482,7 +7025,7 @@ Once the deployment completes, let's verify everything works:
 4. Toggle **Enable Zerops Subdomain Access**
 5. Click the generated URL (e.g., `https://app-xxx.prg1.zerops.app`) to view your application
 :::note
-The Zerops subdomain is perfect for testing and development, but for production, you should [set up your own domain](/features/access#public-access-through-your-domain) under **Public Access through Your Domains**.
+The Zerops subdomain is perfect for testing and development, but for production, you should [set up your own domain](/references/networking/public-access#custom-domain-access) under **Public Access through Your Domains**.
 :::
 ### Testing Database Connectivity
 Let's create a quick route to test database connectivity. Add this to your `routes/web.php`:
@@ -7524,7 +7067,7 @@ DB_PASSWORD=[password from Access details]
 Now you can use your favorite database management tool or run artisan commands while working with the database in Zerops - no local PostgreSQL installation needed!
 ## Next Steps
 Now that your Laravel application is running on Zerops, consider:
-1. Setting up a [custom domain](/features/access#public-access-through-your-domain)
+1. Setting up a [custom domain](/references/networking/public-access#custom-domain-access)
 2. Implementing basic CI/CD pipelines with [GitHub](/references/github-integration) or [GitLab](/references/gitlab-integration) integration
 3. Setting up [object storage](/object-storage/overview)
 ## Conclusion
@@ -7912,7 +7455,7 @@ The deployment process takes just a few minutes. Once complete, you'll receive:
 Zerops provides a built-in VPN feature through its CLI tool, enabling seamless local development against remote resources. Here's how to set it up:
 ### Prerequisites
 - Install the [Zerops CLI](/references/cli#get-started) and log in with [personal access token](/references/cli#personal-access-tokens)
-- Install [Wireguard](/references/vpn) on your system
+- Install [Wireguard](/references/networking/vpn) on your system
 ### Setup Steps
 1. Create your own repository from our [GitHub template](https://github.com/zeropsio/recipe-filament) and clone it locally
 2. **Configure VPN Access**
@@ -8078,7 +7621,7 @@ The deployment process takes just a few minutes. Once complete, you'll receive:
 Zerops provides a built-in VPN feature through its CLI tool, enabling seamless local development against remote resources. Here's how to set it up:
 ### Prerequisites
 - Install the [Zerops CLI](/references/cli#get-started) and log in with [personal access token](/references/cli#personal-access-tokens)
-- Install [Wireguard](/references/vpn) on your system
+- Install [Wireguard](/references/networking/vpn) on your system
 ### Setup Steps
 1. Create your own repository from our [GitHub template](https://github.com/zeropsio/recipe-laravel-jetstream) and clone it locally
 2. **Configure VPN Access**
@@ -8237,7 +7780,7 @@ The deployment process takes just a few minutes. Once complete, you'll receive:
 Zerops provides a built-in VPN feature through its CLI tool, enabling seamless local development against remote resources. Here's how to set it up:
 ### Prerequisites
 - Install the [Zerops CLI](/references/cli#get-started) and log in with [personal access token](/references/cli#personal-access-tokens)
-- Install [Wireguard](/references/vpn) on your system
+- Install [Wireguard](/references/networking/vpn) on your system
 ### Setup Steps
 1. Create your own repository from our [GitHub template](https://github.com/zeropsio/recipe-laravel-minimal) and clone it locally
 2. **Configure VPN Access**
@@ -8395,7 +7938,7 @@ The deployment process takes just a few minutes. Once complete, you'll receive:
 Zerops provides a built-in VPN feature through its CLI tool, enabling seamless local development against remote resources. Here's how to set it up:
 ### Prerequisites
 - Install the [Zerops CLI](/references/cli#get-started) and log in with [personal access token](/references/cli#personal-access-tokens)
-- Install [Wireguard](/references/vpn) on your system
+- Install [Wireguard](/references/networking/vpn) on your system
 ### Setup Steps
 1. Create your own repository from our [GitHub template](https://github.com/zeropsio/recipe-filament) and clone it locally
 2. **Configure VPN Access**
@@ -8809,12 +8352,6 @@ Enable `enableSubdomainAccess` to access the Mailpit web interface where you can
 - Monitor email delivery rates and bounce rates
 - Use Mailpit in development to catch and debug emails
 
-----------------------------------------
-
-# Gleam > How To > Access
-
-
-
 ----------------------------------------
 
 # Gleam > How To > Build Pipeline
@@ -9184,7 +8721,7 @@ The os version is fixed and cannot be customised.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Gleam service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Gleam service](/gleam/how-to/access).
+For example, to connect to a Gleam service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Gleam service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
 | parameter   | description                                                                                                                                                                                                                                                                                                            |
 | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -9809,12 +9346,6 @@ In case you haven't found an answer (and also if you have), we and our community
 Have you build something that others might find useful? Don't hesitate to share your knowledge!
 ## Popular Guides
 
-----------------------------------------
-
-# Go > How To > Access
-
-
-
 ----------------------------------------
 
 # Go > How To > Build Pipeline
@@ -10176,7 +9707,7 @@ The os version is fixed and cannot be customised.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Go service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Go service](/go/how-to/access).
+For example, to connect to a Go service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Go service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
   
       Parameter
@@ -10905,12 +10436,6 @@ Read more about the build and deploy pipeline
 You get a powerful managed platform with all the best features unlocked for a price that's nearly on par with VPS. You can create as many environments as you need, even one for each developer working on a project, all with the same infrastructure as production, so they can utilize Zerops for their local development. No more "but it works on my machine".
 :::
 
-----------------------------------------
-
-# Java > How To > Access
-
-
-
 ----------------------------------------
 
 # Java > How To > Build Pipeline
@@ -11272,7 +10797,7 @@ The os version is fixed and cannot be customized.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Java service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Java service](/java/how-to/access).
+For example, to connect to a Java service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Java service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
   
       Parameter
@@ -12051,14 +11576,14 @@ Due to security reasons Zerops doesn't allow exposing KeyDB service directly to
 ### Start VPN connection
 You can securely connect to KeyDB from your local workspace via Zerops VPN. Zerops VPN client is included into zCLI, the Zerops command-line tool. To start a VPN connection to the selected Zerops project, follow these steps:
 1. [Install & setup zCLI](/references/cli)
-2. [Start the Zerops VPN](/references/vpn#start-vpn)
+2. [Start the Zerops VPN](/references/networking/vpn#start-vpn)
 ### Access KeyDB through VPN
 Once the VPN session is established, you have the secured connection to the project's private network in Zerops. You can access all project services locally by using their hostname. The only difference is that no [environment variables](#use-keydb-environment-variables) are available when connected through VPN. To connect to KeyDB in Zerops you have to copy the [access details](#copy-access-details-from-zerops-gui) manually from Zerops GUI.
 :::caution
 Do not use SSL/TLS protocols when connecting to KeyDB over VPN. Zerops KeyDB is not configured to support these protocols. The security is assured by the VPN.
 :::
 ### Stop VPN connection
-[Stop the Zerops VPN](/references/vpn#stop-vpn) in zCLI.
+[Stop the Zerops VPN](/references/networking/vpn#stop-vpn) in zCLI.
 ### Connect to KeyDB from another Zerops project
 All services of the same project share a **dedicated private network**. You can use the service hostname to connect from one service to another within the same project.
 Different Zerops projects have no special connection. They can communicate with each other only via the internet. If you need to connect to a KeyDB service in a Zerops project from a runtime service in another project, you need to use the [Zerops VPN](#access-keydb-through-vpn). Due to security reasons Zerops doesn't allow exposing KeyDB service directly to the internet.
@@ -12544,14 +12069,14 @@ Due to security reasons Zerops doesn't allow exposing MariaDB service directly t
 ### Start VPN connection
 You can securely connect to MariaDB from your local workspace via Zerops VPN. Zerops VPN client is included into zCLI, the Zerops command-line tool. To start a VPN connection to the selected Zerops project, follow these steps:
 1. [Install & setup zCLI](/references/cli)
-2. [Start the Zerops VPN](/references/vpn#start-vpn)
+2. [Start the Zerops VPN](/references/networking/vpn#start-vpn)
 ### Access MariaDB through VPN
 Once the VPN session is established, you have the secured connection to the project's private network in Zerops. You can access all project services locally by using their hostname. The only difference is that no [environment variables](#use-mariadb-environment-variables) are available when connected through VPN. To connect to MariaDB in Zerops you have to copy the [access details](#copy-access-details-from-zerops-gui) manually from Zerops GUI.
 :::caution
 Do not use SSL/TLS protocols when connecting to MariaDB over VPN. Zerops MariaDB is not configured to support these protocols. The security is assured by the VPN.
 :::
 ### Stop VPN connection
-[Stop the Zerops VPN](/references/vpn#stop-vpn) in zCLI.
+[Stop the Zerops VPN](/references/networking/vpn#stop-vpn) in zCLI.
 ### Connect to MariaDB from another Zerops project
 All services of the same project share a **dedicated private network**. You can use the service hostname to connect from one service to another within the same project.
 Different Zerops projects have no special connection. They can communicate with each other only via the internet. If you need to connect to a MariaDB service in a Zerops project from a runtime service in another project, you need to use the [Zerops VPN](#access-mariadb-through-vpn). Due to security reasons Zerops doesn't allow exposing MariaDB service directly to the internet.
@@ -12926,7 +12451,7 @@ When the import is finished, Adminer will be running as a PHP service in your pr
 By default Adminer service is private and is accessible from your local workstation over VPN.
 You can securely connect to MariaDB from your local workspace via Zerops VPN. Zerops VPN client is included into zCLI, the Zerops command-line tool. To start a VPN connection to the selected Zerops project, follow these steps:
 1. [Install & setup zCLI](/references/cli)
-2. [Start the Zerops VPN](/references/vpn)
+2. [Start the Zerops VPN](/references/networking/vpn)
 3. Type `http://adminer` into your browser
 :::caution
 Do not use https when connecting to Adminer via VPN.
@@ -12960,7 +12485,7 @@ When the import is finished, phpMyAdmin will be running as a PHP service in your
 By default phpMyAdmin service is private and is accessible from your local workstation over VPN.
 You can securely connect to MariaDB from your local workspace via Zerops VPN. Zerops VPN client is included into zCLI, the Zerops command-line tool. To start a VPN connection to the selected Zerops project, follow these steps:
 1. [Install & setup zCLI](/references/cli)
-2. [Start the Zerops VPN](/references/vpn)
+2. [Start the Zerops VPN](/references/networking/vpn)
 3. Type `http://phpmyadmin` into your browser
 :::caution
 Do not use https when connecting to phpMyAdmin via VPN.
@@ -13163,7 +12688,7 @@ The service provides three pre-configured API keys, each with specific access le
 ## Network Architecture & Access
 ### Access Methods
 #### Public HTTPS Access
-When enabled, access via [Zerops subdomain](/features/access#public-access-through-zerops-subdomain).
+When enabled, access via [Zerops subdomain](/references/networking/public-access#zerops-subdomain-access).
 #### Internal Project Access
 Services within the same project can reach Meilisearch directly:
 ```
@@ -13354,12 +12879,6 @@ Answer:
     Zerops provides built-in prerender.io support. Simply set the `PRERENDER_TOKEN` environment variable with your prerender.io service token. See our [prerender.io documentation](/nginx/how-to/env-variables#prerenderio-support) for details.
   
 
-----------------------------------------
-
-# Nginx > How To > Access
-
-
-
 ----------------------------------------
 
 # Nginx > How To > Build Pipeline
@@ -13510,7 +13029,7 @@ If no ports are specified, Zerops adds the port TCP 80 automatically.
 If you want the web server to listen on other port(s) than `:80`, you must [customize](/nginx/how-to/customize-web-server) your web server configuration as well.
 :::
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Nginx static service with hostname = "app" and port = 80 from another service of the same project, simply use `app:80`. Read more about [how to access a Nginx static service](/nginx/how-to/access).
+For example, to connect to a Nginx static service with hostname = "app" and port = 80 from another service of the same project, simply use `app:80`. Read more about [how to access a Nginx static service](/references/networking/internal-access#basic-service-communication).
 :::info
 Do not use the port **:443**. All the incoming traffic is terminated on the Zerops internal balancer where the SSL certificate is installed and the request is forwarded to your Nginx static service as a **http://** on the port **:80**.
 :::
@@ -14374,12 +13893,6 @@ Answer:
     Set the environment variable `CI: true` to resolve the problem. This allows the installation to proceed automatically without requiring manual confirmation.
   
 
-----------------------------------------
-
-# Nodejs > How To > Access
-
-
-
 ----------------------------------------
 
 # Nodejs > How To > Build Pipeline
@@ -14749,7 +14262,7 @@ The os version is fixed and cannot be customized.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Node.js service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Node.js service](/nodejs/how-to/access).
+For example, to connect to a Node.js service with hostname = "app" and port = 3000 from another service of the same project, simply use `app:3000`. Read more about [how to access a Node.js service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
   
       Parameter
@@ -15849,12 +15362,6 @@ Don't know how to start or got stuck during the process? You might not be the fi
 In case you haven't found an answer (and also if you have), we and our community are looking forward to hearing from you on Discord.
 Have you build something that others might find useful? Don't hesitate to share your knowledge!
 
-----------------------------------------
-
-# Php > How To > Access
-
-
-
 ----------------------------------------
 
 # Php > How To > Build Pipeline
@@ -16225,7 +15732,7 @@ If no ports are specified, Zerops adds the port TCP 80 automatically.
 If you want the web server to listen on other port(s) than `:80`, you must [customize](/php/how-to/customize-web-server) your web server configuration as well.
 :::
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a PHP service with hostname = "app" and port = 80 from another service of the same project, simply use `app:80`. Read more about [how to access a PHP service](/php/how-to/access).
+For example, to connect to a PHP service with hostname = "app" and port = 80 from another service of the same project, simply use `app:80`. Read more about [how to access a PHP service](/references/networking/internal-access#basic-service-communication).
 :::info
 Do not use the port **:443**. All the incoming traffic is terminated on the Zerops internal balancer where the SSL certificate is installed and the request is forwarded to your PHP+Nginx / PHP+Apache service as a **http://** on the port **:80**.
 :::
@@ -17198,19 +16705,19 @@ Zerops offers two methods for connecting to your PostgreSQL database from outsid
 ### Method 1: Connect via Zerops VPN
 You can securely connect to PostgreSQL from your local workstation via Zerops VPN:
 1. [Install & set up zCLI](/references/cli)
-2. [Start the Zerops VPN](/references/vpn#start-vpn)
+2. [Start the Zerops VPN](/references/networking/vpn#start-vpn)
 3. Use the connection details from Access Details in the PostgreSQL service detail in Zerops GUI
-4. When finished, [stop the Zerops VPN](/references/vpn#stop-vpn)
+4. When finished, [stop the Zerops VPN](/references/networking/vpn#stop-vpn)
 :::warning Important notes
 * Do not use SSL/TLS protocols when connecting over VPN. Security is provided by the VPN tunnel.
-* If your connection over VPN doesn't work, try adding `.zerops` suffix to the service hostname (e.g., `database1.zerops`). For additional help, check the [VPN troubleshooting page](/references/vpn/troubleshooting).
+* If your connection over VPN doesn't work, try adding `.zerops` suffix to the service hostname (e.g., `database1.zerops`). For additional help, check the [VPN troubleshooting page](/references/networking/vpn#troubleshooting).
 :::
 ### Method 2: Connect via Direct IP Access
 Direct IP Access uses [pgBouncer](https://www.pgbouncer.org/) for connection pooling and TLS termination.
 Internally, port `5432` is available without SSL. Externally, connections are secured with TLS through pgBouncer (port `6432`) before being routed to your PostgreSQL service.
 #### Enable external access
 1. Navigate to your PostgreSQL service in the Zerops GUI and choose the **Public Access through IP Addresses** section
-2. Choose either IPv6 (available by default) or IPv4 (requires the [unique IPv4](/features/access#dedicated-ipv4-address-330-days) add-on)
+2. Choose either IPv6 (available by default) or IPv4 (requires the [unique IPv4](/references/networking/public-access#ipv4-configuration) add-on)
 3. Open one or more ports and point them to your PostgreSQL service (the system will direct them through pgBouncer)
    - Choose any port from 10-65435 (except 80 and 443)
    - Select destination service and internal port
@@ -17537,7 +17044,7 @@ You can install these tools with a simple one-click import in Zerops:
 2. Copy and paste one of the following YAML configurations:
 ### Accessing Management Tools
 After installation, you can access these tools via VPN:
-1. [Start the Zerops VPN](/references/vpn)
+1. [Start the Zerops VPN](/references/networking/vpn)
 2. Type `http://adminerevo` or `http://phpmyadmin` in your browser
 :::tip
 Try `http://adminerevo.zerops` or `http://phpmyadmin.zerops` if you encounter any connection issues.
@@ -17547,7 +17054,7 @@ Do not use https when connecting to management tools via VPN.
 :::
 ## Database Tools on Your Workstation
 You can use various database management tools from your local workstation to connect to your PostgreSQL database in Zerops:
-1. **Establish a secure tunnel** using the [Zerops VPN](/references/vpn) to create an encrypted connection to your Zerops project
+1. **Establish a secure tunnel** using the [Zerops VPN](/references/networking/vpn) to create an encrypted connection to your Zerops project
 2. **Obtain the [connection details](/postgresql/how-to/connect#connection-details)** from Zerops GUI
     - Environment variables are not available through VPN connections
 3. Connect with your **preferred database tool**
@@ -17699,12 +17206,6 @@ In case you haven't found an answer (and also if you have), we and our community
 Have you build something that others might find useful? Don't hesitate to share your knowledge!
 ## Popular Guides
 
-----------------------------------------
-
-# Python > How To > Access
-
-
-
 ----------------------------------------
 
 # Python > How To > Build Pipeline
@@ -18035,7 +17536,7 @@ The os version is fixed and cannot be customised.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Python service with hostname = "app" and port = 8000 from another service of the same project, simply use `app:8000`. Read more about [how to access a Python service](/python/how-to/access).
+For example, to connect to a Python service with hostname = "app" and port = 8000 from another service of the same project, simply use `app:8000`. Read more about [how to access a Python service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
   
       Parameter
@@ -18745,12 +18246,6 @@ For advanced configurations or custom requirements:
 - Join our [Discord community](https://discord.gg/zeropsio)
 - Contact support via [email](mailto:support@zerops.io)
 
-----------------------------------------
-
-# Rust > How To > Access
-
-
-
 ----------------------------------------
 
 # Rust > How To > Build Pipeline
@@ -19110,7 +18605,7 @@ The os version is fixed and cannot be customised.
 ### ports
 _OPTIONAL._ Specifies one or more internal ports on which your application will listen.
 Projects in Zerops represent a group of one or more services. Services can be of different types (runtime services, databases, message brokers, object storage, etc.). All services of the same project share a **dedicated private network**. To connect to a service within the same project, just use the service hostname and its internal port.
-For example, to connect to a Rust service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Rust service](/rust/how-to/access).
+For example, to connect to a Rust service with hostname = "app" and port = 8080 from another service of the same project, simply use `app:8080`. Read more about [how to access a Rust service](/references/networking/internal-access#basic-service-communication).
 Each port has following attributes:
   
       Parameter
@@ -19865,7 +19360,7 @@ export const languages = [
 
 # Shared Storage > How To > Manage
 
-Zerops Shared Storage provides several web interfaces to manage, monitor, and troubleshoot your storage. These interfaces are accessible through the [Zerops VPN](/references/vpn) and offer different capabilities for managing your data and monitoring system performance.
+Zerops Shared Storage provides several web interfaces to manage, monitor, and troubleshoot your storage. These interfaces are accessible through the [Zerops VPN](/references/networking/vpn) and offer different capabilities for managing your data and monitoring system performance.
 ## Access Web Interfaces
 ### Filer UI
 * `http://.zerops:8888`
@@ -20403,7 +19898,7 @@ For enabling HTTPS access:
 2. Or use `enableSubdomainAccess: true` when [importing](/references/import#service-configuration) a Typesense service
 #### Direct Node Access
 Allows to access individual nodes using internal DNS:
-1. **Via [Zerops VPN](/references/vpn)**
+1. **Via [Zerops VPN](/references/networking/vpn)**
 2. **Internal Project Access** - services within the same project can reach nodes directly
 Node addressing patterns:
 ##### Standard format
diff --git a/apps/docs/static/llms.txt b/apps/docs/static/llms.txt
index 745fae7b..64181479 100644
--- a/apps/docs/static/llms.txt
+++ b/apps/docs/static/llms.txt
@@ -9,7 +9,6 @@
 
 ## Optional
 
-- [Bun > How To > Access](https://docs.zerops.io/bun/how-to/access)
 - [Bun > How To > Build Pipeline](https://docs.zerops.io/bun/how-to/build-pipeline)
 - [Bun > How To > Build Process](https://docs.zerops.io/bun/how-to/build-process)
 - [Bun > How To > Controls](https://docs.zerops.io/bun/how-to/controls)
@@ -30,7 +29,6 @@
 - [Company > Branding](https://docs.zerops.io/company/branding)
 - [Company > Payment](https://docs.zerops.io/company/payment)
 - [Company > Pricing](https://docs.zerops.io/company/pricing)
-- [Deno > How To > Access](https://docs.zerops.io/deno/how-to/access)
 - [Deno > How To > Build Pipeline](https://docs.zerops.io/deno/how-to/build-pipeline)
 - [Deno > How To > Build Process](https://docs.zerops.io/deno/how-to/build-process)
 - [Deno > How To > Controls](https://docs.zerops.io/deno/how-to/controls)
@@ -47,7 +45,6 @@
 - [Deno > How To > Upgrade](https://docs.zerops.io/deno/how-to/upgrade)
 - [Deno > Overview](https://docs.zerops.io/deno/overview)
 - [Docker > Overview](https://docs.zerops.io/docker/overview)
-- [Dotnet > How To > Access](https://docs.zerops.io/dotnet/how-to/access)
 - [Dotnet > How To > Build Pipeline](https://docs.zerops.io/dotnet/how-to/build-pipeline)
 - [Dotnet > How To > Build Process](https://docs.zerops.io/dotnet/how-to/build-process)
 - [Dotnet > How To > Controls](https://docs.zerops.io/dotnet/how-to/controls)
@@ -64,7 +61,6 @@
 - [Dotnet > How To > Upgrade](https://docs.zerops.io/dotnet/how-to/upgrade)
 - [Dotnet > Overview](https://docs.zerops.io/dotnet/overview)
 - [Elasticsearch > Overview](https://docs.zerops.io/elasticsearch/overview)
-- [Elixir > How To > Access](https://docs.zerops.io/elixir/how-to/access)
 - [Elixir > How To > Build Pipeline](https://docs.zerops.io/elixir/how-to/build-pipeline)
 - [Elixir > How To > Build Process](https://docs.zerops.io/elixir/how-to/build-process)
 - [Elixir > How To > Controls](https://docs.zerops.io/elixir/how-to/controls)
@@ -84,10 +80,8 @@
 - [Features > Backup](https://docs.zerops.io/features/backup)
 - [Features > Build Cache](https://docs.zerops.io/features/build-cache)
 - [Features > Cdn](https://docs.zerops.io/features/cdn)
-- [Features > Cloudflare](https://docs.zerops.io/features/cloudflare)
 - [Features > Container Vs Vm](https://docs.zerops.io/features/container-vs-vm)
 - [Features > Debug Mode](https://docs.zerops.io/features/debug-mode)
-- [Features > Dns](https://docs.zerops.io/features/dns)
 - [Features > Env Variables](https://docs.zerops.io/features/env-variables)
 - [Features > Infrastructure](https://docs.zerops.io/features/infrastructure)
 - [Features > Pipeline](https://docs.zerops.io/features/pipeline)
@@ -113,7 +107,6 @@
 - [Frameworks > Laravel > Recipes > Twill Prod](https://docs.zerops.io/frameworks/laravel/recipes/twill-prod)
 - [Frameworks > Laravel > Redis](https://docs.zerops.io/frameworks/laravel/redis)
 - [Frameworks > Laravel > Smtp](https://docs.zerops.io/frameworks/laravel/smtp)
-- [Gleam > How To > Access](https://docs.zerops.io/gleam/how-to/access)
 - [Gleam > How To > Build Pipeline](https://docs.zerops.io/gleam/how-to/build-pipeline)
 - [Gleam > How To > Build Process](https://docs.zerops.io/gleam/how-to/build-process)
 - [Gleam > How To > Controls](https://docs.zerops.io/gleam/how-to/controls)
@@ -129,7 +122,6 @@
 - [Gleam > How To > Trigger Pipeline](https://docs.zerops.io/gleam/how-to/trigger-pipeline)
 - [Gleam > How To > Upgrade](https://docs.zerops.io/gleam/how-to/upgrade)
 - [Gleam > Overview](https://docs.zerops.io/gleam/overview)
-- [Go > How To > Access](https://docs.zerops.io/go/how-to/access)
 - [Go > How To > Build Pipeline](https://docs.zerops.io/go/how-to/build-pipeline)
 - [Go > How To > Build Process](https://docs.zerops.io/go/how-to/build-process)
 - [Go > How To > Controls](https://docs.zerops.io/go/how-to/controls)
@@ -148,7 +140,6 @@
 - [Help > Contacts](https://docs.zerops.io/help/contacts)
 - [Help > Faq](https://docs.zerops.io/help/faq)
 - [Homepage](https://docs.zerops.io/homepage)
-- [Java > How To > Access](https://docs.zerops.io/java/how-to/access)
 - [Java > How To > Build Pipeline](https://docs.zerops.io/java/how-to/build-pipeline)
 - [Java > How To > Build Process](https://docs.zerops.io/java/how-to/build-process)
 - [Java > How To > Controls](https://docs.zerops.io/java/how-to/controls)
@@ -186,7 +177,6 @@
 - [Meilisearch > Overview](https://docs.zerops.io/meilisearch/overview)
 - [Nats > Overview](https://docs.zerops.io/nats/overview)
 - [Nginx > Faq](https://docs.zerops.io/nginx/faq)
-- [Nginx > How To > Access](https://docs.zerops.io/nginx/how-to/access)
 - [Nginx > How To > Build Pipeline](https://docs.zerops.io/nginx/how-to/build-pipeline)
 - [Nginx > How To > Controls](https://docs.zerops.io/nginx/how-to/controls)
 - [Nginx > How To > Create](https://docs.zerops.io/nginx/how-to/create)
@@ -203,7 +193,6 @@
 - [Nginx > How To > Upgrade](https://docs.zerops.io/nginx/how-to/upgrade)
 - [Nginx > Overview](https://docs.zerops.io/nginx/overview)
 - [Nodejs > Faq](https://docs.zerops.io/nodejs/faq)
-- [Nodejs > How To > Access](https://docs.zerops.io/nodejs/how-to/access)
 - [Nodejs > How To > Build Pipeline](https://docs.zerops.io/nodejs/how-to/build-pipeline)
 - [Nodejs > How To > Build Process](https://docs.zerops.io/nodejs/how-to/build-process)
 - [Nodejs > How To > Controls](https://docs.zerops.io/nodejs/how-to/controls)
@@ -225,7 +214,6 @@
 - [Object Storage > How To > Delete](https://docs.zerops.io/object-storage/how-to/delete)
 - [Object Storage > How To > Update Bucket](https://docs.zerops.io/object-storage/how-to/update-bucket)
 - [Object Storage > Overview](https://docs.zerops.io/object-storage/overview)
-- [Php > How To > Access](https://docs.zerops.io/php/how-to/access)
 - [Php > How To > Build Pipeline](https://docs.zerops.io/php/how-to/build-pipeline)
 - [Php > How To > Build Process](https://docs.zerops.io/php/how-to/build-process)
 - [Php > How To > Controls](https://docs.zerops.io/php/how-to/controls)
@@ -252,7 +240,6 @@
 - [Postgresql > How To > Manage](https://docs.zerops.io/postgresql/how-to/manage)
 - [Postgresql > How To > Scale](https://docs.zerops.io/postgresql/how-to/scale)
 - [Postgresql > Overview](https://docs.zerops.io/postgresql/overview)
-- [Python > How To > Access](https://docs.zerops.io/python/how-to/access)
 - [Python > How To > Build Pipeline](https://docs.zerops.io/python/how-to/build-pipeline)
 - [Python > How To > Build Process](https://docs.zerops.io/python/how-to/build-process)
 - [Python > How To > Controls](https://docs.zerops.io/python/how-to/controls)
@@ -273,19 +260,22 @@
 - [References > Cli](https://docs.zerops.io/references/cli)
 - [References > Cli > Commands](https://docs.zerops.io/references/cli/commands)
 - [References > Cli > Configuration](https://docs.zerops.io/references/cli/configuration)
-- [References > Firewall](https://docs.zerops.io/references/firewall)
 - [References > Github Integration](https://docs.zerops.io/references/github-integration)
 - [References > Gitlab Integration](https://docs.zerops.io/references/gitlab-integration)
 - [References > Import Yaml > Pre Processor](https://docs.zerops.io/references/import-yaml/pre-processor)
 - [References > Import Yaml > Type List](https://docs.zerops.io/references/import-yaml/type-list)
 - [References > Import](https://docs.zerops.io/references/import)
 - [References > Logging](https://docs.zerops.io/references/logging)
+- [References > Networking > Cloudflare](https://docs.zerops.io/references/networking/cloudflare)
+- [References > Networking > Dns](https://docs.zerops.io/references/networking/dns)
+- [References > Networking > Firewall](https://docs.zerops.io/references/networking/firewall)
+- [References > Networking > Internal Access](https://docs.zerops.io/references/networking/internal-access)
+- [References > Networking > L7 Balancer Config](https://docs.zerops.io/references/networking/l7-balancer-config)
+- [References > Networking > Public Access](https://docs.zerops.io/references/networking/public-access)
+- [References > Networking > Ssh](https://docs.zerops.io/references/networking/ssh)
+- [References > Networking > Vpn](https://docs.zerops.io/references/networking/vpn)
 - [References > Smtp](https://docs.zerops.io/references/smtp)
-- [References > Ssh](https://docs.zerops.io/references/ssh)
-- [References > Vpn](https://docs.zerops.io/references/vpn)
-- [References > Vpn > Troubleshooting](https://docs.zerops.io/references/vpn/troubleshooting)
 - [References > Zsc](https://docs.zerops.io/references/zsc)
-- [Rust > How To > Access](https://docs.zerops.io/rust/how-to/access)
 - [Rust > How To > Build Pipeline](https://docs.zerops.io/rust/how-to/build-pipeline)
 - [Rust > How To > Build Process](https://docs.zerops.io/rust/how-to/build-process)
 - [Rust > How To > Controls](https://docs.zerops.io/rust/how-to/controls)