Anup Karanjkar

Posted on • Originally published at wowhow.cloud

Claude Managed Agents: Self-Hosted Sandboxes and MCP Tunnels Setup Guide

On May 26, 2026, Anthropic held its first developer conference outside the United States — Code with Claude London — and the most significant announcements were not about new models. They were about infrastructure: self-hosted sandboxes for Claude Managed Agents, now in public beta, and MCP tunnels, now in research preview. Both features address the same root problem that has kept regulated industries from deploying Claude agents in production: tool execution and private data access happening outside the enterprise security perimeter.

The architecture Anthropic landed on is elegant in how it draws the boundary. The agent loop — orchestration, context management, error recovery, retry logic — stays on Anthropic infrastructure. Tool execution and private MCP server access move inside the customer perimeter. You get the benefit of Anthropic running a highly available, managed agent runtime without giving up data residency, audit logging, or network policy enforcement. This guide covers what each feature does, how to set it up, and the production patterns that matter for enterprise deployments.

Why the Previous Architecture Created Enterprise Blockers

Claude Managed Agents before this announcement had a fundamental tension: the agent needed to call tools — execute bash commands, read files, call internal APIs, write to databases — but all of that execution happened on Anthropic infrastructure. For a startup building a coding assistant, this is fine. For a financial services firm, a healthcare provider, or a defense contractor, it creates a list of blockers that no amount of contractual language fully resolves.

  • Data residency: Files, code, and database contents moving off-perimeter for processing violated data residency requirements in the EU, financial regulations in the US, and data localization laws in markets like India and Brazil.

  • Audit logging: Tool execution logs resided on Anthropic infrastructure rather than the SIEM and audit systems the security team already manages.

  • Network policy: Giving an agent access to internal APIs meant either exposing those APIs to the public internet or managing a complex allowlist of Anthropic egress IPs — both operationally expensive and security-unfriendly.

  • Compute sizing: Long-running builds, image generation, or data processing jobs needed to fit within Anthropic's infrastructure constraints rather than being matched to the customer's own compute resources.

Both new features address these blockers directly, at the architecture level rather than through contractual workarounds.

Self-Hosted Sandboxes: Tool Execution Inside Your Perimeter

A self-hosted sandbox moves the execution environment for Claude Managed Agents from Anthropic infrastructure to an environment you control. Anthropic supports four managed providers out of the box — Cloudflare, Daytona, Modal, and Vercel — plus a custom sandbox client API for teams that need to run on their own infrastructure, a private cloud, or an air-gapped environment.

The split is precise: the agent loop itself — the code that decides what tool to call next, manages the conversation context, handles errors and retries, and tracks the agent's state across steps — continues to run on Anthropic's infrastructure. What moves to your sandbox is tool execution: the actual bash commands, file reads, API calls, and code interpretation that the agent invokes when it acts on the world.

What This Means in Practice

When the agent decides to run git clone https://internal.company.com/repo.git, that command executes inside your sandbox. The file system, the network access, the environment variables, the runtime image — all configured by you. Your network policies apply. Your audit logging captures the execution. The files never leave your perimeter. When the command completes, the result travels back to the Anthropic-hosted agent loop as a tool response — text output, structured JSON, or an error — and the agent continues from there.

For compute-heavy workloads, this also means you can size the execution environment for the task. A coding agent running a full test suite on a large repository can have 16 cores and 64GB of RAM if the task needs it. A lighter research agent can run in a small container. The compute sizing is your decision, not constrained by Anthropic's default allocation.

Setting Up a Self-Hosted Sandbox

The setup flow from the Claude Console (available to organization admins) involves three steps: selecting a sandbox provider, configuring the connection, and enabling it for specific agents or agent workflows.

For a Modal sandbox, the configuration looks approximately like this:

# Deploy a Modal sandbox for Claude Managed Agents
import modal

app = modal.App("claude-agent-sandbox")

# Define the runtime image with your tools pre-installed
sandbox_image = (
    modal.Image.debian_slim()
    # apt_install refreshes the package index before installing; a bare
    # "apt-get install" in run_commands fails on a fresh debian_slim image
    .apt_install("git", "curl", "jq")
    .pip_install("anthropic", "httpx", "boto3")
    .run_commands(
        "curl -fsSL https://deb.nodesource.com/setup_22.x | bash -",
        "apt-get install -y nodejs",
    )
)

@app.function(
    image=sandbox_image,
    cpu=4,
    memory=16384,  # MiB
    timeout=3600,  # seconds the sandbox function may live
    secrets=[modal.Secret.from_name("internal-api-keys")],
)
def execute_tool(command: str, working_dir: str) -> dict:
    """Run one shell command inside the sandbox and return its result to the agent loop."""
    import subprocess

    try:
        result = subprocess.run(
            command,
            shell=True,
            cwd=working_dir,
            capture_output=True,
            text=True,
            timeout=300,
        )
    except subprocess.TimeoutExpired:
        # Report the timeout as a tool result instead of crashing the function
        return {"stdout": "", "stderr": "command timed out after 300s", "returncode": -1}
    return {
        "stdout": result.stdout,
        "stderr": result.stderr,
        "returncode": result.returncode,
    }

The Claude Console sandbox configuration then points at your Modal deployment endpoint. Anthropic handles the API authentication between the agent loop and your sandbox. Your sandbox authenticates with your internal systems using the secrets you configure — those secrets never pass through Anthropic infrastructure.

For teams using Vercel, the setup leverages Vercel's edge runtime for lighter execution tasks, particularly useful for API calls and data transformations that don't need a full OS environment. Cloudflare Workers sandboxes are similarly scoped — fast startup, V8 isolate environment, useful for specific tool categories. Daytona provides a full development environment model, closest to the original Managed Agents execution environment but running on infrastructure you control or provision through Daytona's managed offering.

Custom Sandbox Client

For air-gapped environments or private cloud deployments, Anthropic publishes a custom sandbox client specification. You implement a small HTTP server that exposes a defined API surface — tool execution, file system access, process management — and Claude Managed Agents calls your server for tool execution instead of a managed provider. The server can run on-premises, in a private VPC, or in any environment with outbound HTTPS access to the Anthropic agent loop API.

// Minimal custom sandbox server — Express implementation
import express from 'express'
import { exec } from 'child_process'
import { promisify } from 'util'
import path from 'path'
import fs from 'fs/promises'
import { timingSafeEqual } from 'crypto'

const execAsync = promisify(exec)
const app = express()
app.use(express.json())

// Every tool path and working directory is confined to this tree
const SANDBOX_ROOT = path.resolve(process.env.SANDBOX_ROOT ?? '/sandbox')
// Shared secret configured in the Claude Console; the agent loop sends it as a Bearer token
const SHARED_SECRET = process.env.SANDBOX_SHARED_SECRET ?? ''

// Reject any request that does not carry the shared secret (constant-time compare)
app.use((req, res, next) => {
  const header = req.get('authorization') ?? ''
  const presented = Buffer.from(header.startsWith('Bearer ') ? header.slice(7) : '')
  const expected = Buffer.from(SHARED_SECRET)
  if (!SHARED_SECRET || presented.length !== expected.length || !timingSafeEqual(presented, expected)) {
    return res.status(401).json({ error: 'Unauthorized' })
  }
  next()
})

// Resolve an agent-supplied path and refuse anything that escapes SANDBOX_ROOT
function resolveInside(workingDir, target) {
  const full = path.resolve(SANDBOX_ROOT, workingDir ?? '', target)
  if (full !== SANDBOX_ROOT && !full.startsWith(SANDBOX_ROOT + path.sep)) {
    throw new Error(`Path escapes sandbox root: ${target}`)
  }
  return full
}

// Anthropic calls this endpoint for each tool execution
app.post('/execute', async (req, res) => {
  const { tool, input, workingDir } = req.body

  try {
    if (tool === 'bash') {
      const cwd = resolveInside(workingDir, '.')
      try {
        const { stdout, stderr } = await execAsync(input.command, {
          cwd,
          timeout: 120_000,
          env: { ...process.env, ...input.env },
        })
        return res.json({ output: stdout, error: stderr, exitCode: 0 })
      } catch (err) {
        // A non-zero exit is a tool result for the agent, not a server failure
        if (err && typeof err.code === 'number') {
          return res.json({ output: err.stdout ?? '', error: err.stderr ?? '', exitCode: err.code })
        }
        throw err
      }
    }

    if (tool === 'read_file') {
      const content = await fs.readFile(resolveInside(workingDir, input.path), 'utf-8')
      return res.json({ output: content })
    }

    if (tool === 'write_file') {
      await fs.writeFile(resolveInside(workingDir, input.path), input.content, 'utf-8')
      return res.json({ output: 'File written successfully' })
    }

    return res.status(400).json({ error: `Unknown tool: ${tool}` })
  } catch (err) {
    const message = err instanceof Error ? err.message : String(err)
    return res.status(500).json({ error: message, exitCode: 1 })
  }
})

app.listen(8080, () => {
  console.error('[sandbox] Ready on :8080')
})

The sandbox server validates the Authorization header on each request using a shared secret configured in the Claude Console. Anthropic's agent loop attaches this header to every tool execution call. Your server rejects any request without a valid Authorization header, so even if the endpoint is reachable from the internet, unauthorized execution is not possible.

MCP Tunnels: Private Network Access Without Inbound Firewall Rules

MCP tunnels solve the second infrastructure problem: how do you give Claude agents access to MCP servers running inside your private network without exposing those servers to the public internet?

The mechanism is a lightweight gateway — a small process you deploy inside your network — that makes a single outbound connection to Anthropic's tunnel infrastructure. No inbound firewall rules. No public IP for the MCP server. No VPN reconfiguration. The tunnel gateway establishes and maintains the outbound connection; the Anthropic agent loop sends MCP requests through the tunnel to your private server.

The security properties of this model are worth being explicit about:

  • No inbound exposure: Your MCP server has no public-facing endpoint. The only connection it handles comes from the tunnel gateway running on the same network.

  • End-to-end encryption: Traffic between the Anthropic agent loop and your private MCP server is encrypted end to end. The tunnel gateway does not decrypt and re-encrypt — it forwards encrypted traffic.

  • Admin-controlled: MCP tunnels are configured and managed from the Claude Console by organization admins. Individual users cannot create tunnels to arbitrary private servers.

  • Auditable: Every MCP call through a tunnel is logged with the tool name, arguments hash, timestamp, and agent identity on both the Anthropic side and your tunnel gateway logs.

Deploying the Tunnel Gateway

The tunnel gateway is a single binary — available for Linux, macOS, and Windows — that authenticates with the Claude Console using a gateway token generated by an organization admin. Here is the deployment pattern for a production Linux environment:

# Download and install the tunnel gateway
curl -fsSL https://console.anthropic.com/downloads/mcp-tunnel-gateway-linux-amd64 \
  -o /usr/local/bin/mcp-tunnel-gateway
chmod +x /usr/local/bin/mcp-tunnel-gateway

# The unit below runs as mcp-tunnel, so the account must exist, and the token
# file generated in the Claude Console should be readable by that account only
useradd --system --no-create-home --shell /usr/sbin/nologin mcp-tunnel
install -d -o root -g mcp-tunnel -m 0750 /etc/mcp-tunnel
# (copy the gateway token to /etc/mcp-tunnel/gateway-token before continuing)
chown root:mcp-tunnel /etc/mcp-tunnel/gateway-token
chmod 0640 /etc/mcp-tunnel/gateway-token

# Create a systemd service for the gateway
cat > /etc/systemd/system/mcp-tunnel-gateway.service <<'EOF'
[Unit]
Description=Claude MCP Tunnel Gateway
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=mcp-tunnel
ExecStart=/usr/local/bin/mcp-tunnel-gateway \
  --token-file /etc/mcp-tunnel/gateway-token \
  --mcp-server-url http://localhost:9000/mcp \
  --region us-east-1
Restart=on-failure
RestartSec=5
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable mcp-tunnel-gateway
systemctl start mcp-tunnel-gateway

The --mcp-server-url flag points at your internal MCP server — an address reachable from the machine running the tunnel gateway but not from the public internet. The gateway connects outbound to Anthropic's tunnel infrastructure using the token and starts relaying MCP requests from your agents to your private server.

MCP tunnels work with both Claude Managed Agents and the Claude Messages API. For the Messages API, you reference the tunnel-connected MCP server by its tunnel ID in your tool configuration. For Managed Agents, the tunnel appears as a configured MCP server in the agent's tool access list, indistinguishable from a public MCP server from the agent's perspective.

Use Cases That Become Possible

The combination of self-hosted sandboxes and MCP tunnels removes the blockers that previously ruled out Claude agents for specific enterprise use cases.

Internal code repositories: A coding agent can clone from GitHub Enterprise or an on-premises GitLab instance, run tests, and push changes — all inside the perimeter. The code never leaves the company network for processing.

Production database access: An analytics agent can query a production read replica through an MCP tunnel. The connection credentials stay inside the private network. The agent gets the query results it needs.

ERP and CRM integration: SAP, Salesforce on-premises, or custom internal platforms with no public API become accessible to agents through an MCP server running on the same network. No public endpoint needed.

Regulated data processing: Financial calculations, healthcare data analysis, and legal document processing that cannot leave a jurisdiction can run in a self-hosted sandbox provisioned in the correct geographic region.

Build and test pipelines: Agents running CI workloads — build, test, lint, deploy — execute in a sandbox with access to internal artifact registries, private npm/pip mirrors, and test infrastructure that was previously off-limits.

Availability and Access

Self-hosted sandboxes are in public beta and available to all Claude for Work and Claude API customers. Configuration is available in the Claude Console under Settings → Managed Agents → Sandboxes. The Cloudflare, Modal, and Vercel integrations are one-click configurations; Daytona and custom sandbox clients require manual configuration of the endpoint and authentication token.

MCP tunnels are in research preview — you need to request access through the Claude Console. Anthropic is rolling out access to organizations in regulated industries first, with general availability expected in the coming months. If you are evaluating this for an enterprise deployment, request access early: the research preview period is when Anthropic is actively incorporating feedback on the tunnel protocol and gateway configuration.

What to Verify Before Depending on This in Production

Both features are new and the operational patterns are still being established. A few things worth verifying before treating self-hosted sandboxes or MCP tunnels as production-critical infrastructure:

Tunnel gateway availability: The gateway process must be running and connected for agents to reach private MCP servers. Build your deployment with the same reliability expectations you would apply to any internal service — health checks, automatic restarts via systemd, alerting on disconnection events from the gateway logs.
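Added example, not part of the original post: a small Python check that turns the gateway's journal output into disconnection alerts, pairing each disconnect with the next reconnect and flagging gaps that exceed a threshold or are still open. The log format is assumed (the post does not publish the gateway's messages), and the journal lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed journal lines: the page does not publish the gateway's log format,
# so the "tunnel connected" / "tunnel disconnected" messages are assumed here.
JOURNAL = """\
May 27 09:00:01 host mcp-tunnel-gateway[1234]: level=info msg="tunnel connected" region=us-east-1
May 27 09:30:12 host mcp-tunnel-gateway[1234]: level=warn msg="tunnel disconnected" reason="read: connection reset"
May 27 09:30:17 host mcp-tunnel-gateway[1234]: level=info msg="tunnel connected" region=us-east-1
May 27 10:05:40 host mcp-tunnel-gateway[1234]: level=warn msg="tunnel disconnected" reason="token rejected"
"""

LINE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ mcp-tunnel-gateway\[\d+\]: '
                  r'.*msg="(tunnel (?:dis)?connected)"(?: reason="([^"]*)")?')

def parse(text: str, year: int = 2026) -> list[tuple]:
    # Syslog-style journal lines carry no year, so the caller supplies it
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def outages(events: list[tuple], now: datetime,
            alert_after: timedelta = timedelta(seconds=30)) -> list[dict]:
    # Pair each disconnect with the next reconnect; a gap longer than alert_after,
    # or one still open at `now`, means agents could not reach private MCP servers
    alerts, down_since, reason = [], None, None
    for ts, msg, why in events:
        if msg == "tunnel disconnected" and down_since is None:
            down_since, reason = ts, why
        elif msg == "tunnel connected" and down_since is not None:
            gap = ts - down_since
            if gap >= alert_after:
                alerts.append({"since": down_since, "duration_s": gap.total_seconds(),
                               "reason": reason, "open": False})
            down_since = None
    if down_since is not None:
        alerts.append({"since": down_since, "duration_s": (now - down_since).total_seconds(),
                       "reason": reason, "open": True})
    return alerts

ALERTS = outages(parse(JOURNAL), now=datetime(2026, 5, 27, 10, 10, 0))
```

The five-second blip at 09:30 stays below the threshold, while the disconnect at 10:05 has no reconnect by 10:10 and is reported as an open outage.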

Sandbox cold start latency: Serverless sandbox providers (Modal, Vercel, Cloudflare) have cold start penalties when a container has not been used recently. For latency-sensitive agent workflows, consider keeping sandboxes warm or choosing a provider with lower cold start times for your runtime size.

Audit log coverage: Verify that your sandbox and tunnel gateway logs are being captured by your SIEM before claiming compliance coverage. The gateway logs every MCP call; the sandbox server (if custom) logs execution on your side. The Anthropic Console shows the agent-side view. You need both to reconstruct a full audit trail.
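Added example, not part of the original post, serving both the audit properties listed under MCP tunnels and the audit-log coverage check above: a Python reconciliation of the gateway-side log against a Console-side export, joined on agent identity, tool name and a canonical arguments hash. Both record formats and all records are constructed assumptions; the post does not specify either side's format.

```python
import hashlib
import json
from datetime import datetime
# Constructed sample data (the page publishes neither log format): one JSON object
# per line on the gateway side; a list of exported records on the Console side,
# whose args hashes are computed with the same canonical function below.
GATEWAY_LOG = """\
{"ts":"2026-05-27T09:14:02Z","agent":"agent_01","tool":"query_db","args":{"sql":"SELECT count(*) FROM orders","limit":100}}
{"ts":"2026-05-27T09:15:30Z","agent":"agent_02","tool":"query_db","args":{"limit":100,"sql":"SELECT count(*) FROM orders"}}
{"ts":"2026-05-27T09:16:11Z","agent":"agent_02","tool":"write_record","args":{"table":"orders","id":7}}
"""

def args_hash(args: dict) -> str:
    # SHA-256 over canonical JSON, so key order in a log line does not change the hash
    canonical = json.dumps(args, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def parse_gateway_log(text: str) -> list[dict]:
    # Reduce each gateway line to the fields the Console records carry
    out = []
    for line in filter(str.strip, text.splitlines()):
        r = json.loads(line)
        out.append({"ts": r["ts"], "agent": r["agent"], "tool": r["tool"],
                    "args_hash": args_hash(r["args"])})
    return out

def reconcile(gateway: list[dict], console: list[dict], skew_s: int = 5) -> dict:
    # Join both views on (agent, tool, args_hash) within a clock-skew window.
    # console_only: Anthropic saw a call your SIEM never captured (a log gap).
    # gateway_only: your network relayed a call with no agent-side record.
    key = lambda r: (r["agent"], r["tool"], r["args_hash"])
    ts = lambda r: datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
    remaining, console_only = list(gateway), []
    for c in console:
        hit = next((g for g in remaining if key(g) == key(c)
                    and abs((ts(g) - ts(c)).total_seconds()) <= skew_s), None)
        if hit is None:
            console_only.append(c)
        else:
            remaining.remove(hit)
    return {"matched": len(console) - len(console_only),
            "console_only": console_only, "gateway_only": remaining}

CONSOLE_EXPORT = [
    {"ts": "2026-05-27T09:14:03Z", "agent": "agent_01", "tool": "query_db",
     "args_hash": args_hash({"limit": 100, "sql": "SELECT count(*) FROM orders"})},
    {"ts": "2026-05-27T09:15:31Z", "agent": "agent_02", "tool": "query_db",
     "args_hash": args_hash({"sql": "SELECT count(*) FROM orders", "limit": 100})},
    {"ts": "2026-05-27T09:20:00Z", "agent": "agent_03", "tool": "query_db",
     "args_hash": args_hash({"sql": "SELECT * FROM customers"})},
]
REPORT = reconcile(parse_gateway_log(GATEWAY_LOG), CONSOLE_EXPORT)
```

Two calls match across the two views (one despite different key order in the arguments), the agent_03 call exists only in the Console export, and the write_record call exists only in the gateway log; either discrepancy is what the audit-trail check should surface.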

Both features represent a genuine architecture shift in how Anthropic thinks about enterprise agent infrastructure — from "trust us with your data" to "your data stays with you, we run the intelligence layer." That is the right direction for enterprise adoption, and the implementation at Code with Claude London is more complete than most vendors' equivalent announcements. The setup has real operational weight, but so does any infrastructure that actually solves the compliance blockers rather than papering over them.

For the broader context on running Claude agents in production — tool design, error handling, observability — the agent observability guide covers the patterns that apply regardless of whether you are using self-hosted sandboxes or the default execution environment. The MCP production hardening guide covers the server-side security patterns that complement what MCP tunnels provide at the network layer.

This is authored by Anup Karanjkar, who follows Anthropic's developer platform releases and enterprise infrastructure patterns.
