This is a pure text transformation task — no skill applies. I'll convert the HTML directly.
Claude Can Now Reach Your Internal DB — MCP Tunnels Launch
On May 19, at Code with Claude London, Anthropic unveiled two new security features for Managed Agents. There's now a way to wire agents into internal systems without poking a hole in your firewall.
Tags: MCP Tunnels · Self-Hosted Sandboxes · research preview · 2026.05.19 · Code with Claude
Both features shipped together
Anthropic added two new security features to Claude Managed Agents: MCP Tunnels and Self-Hosted Sandboxes. They were announced as a pair on the same day, and both push in the same direction — stronger enterprise security and privacy.
| Before (public) | After (private) | |
|---|---|---|
| MCP server | must be exposed publicly | stays private |
| Tool execution | on Anthropic infra | on customer infra |
| Firewall | needs inbound rules | one outbound only |
| Routing | agent → routed over public internet | inside your network + your own infra |
The two ship at different stages, though. Self-Hosted Sandboxes is in public beta; MCP Tunnels is a limited research preview, so it requires requesting access.
MCP Tunnels: how to call an agent inside the firewall
In one line, MCP Tunnels lets Claude call your internal MCP server without putting it on the public internet. You deploy a lightweight gateway inside your network, and that gateway opens a single encrypted outbound connection toward Anthropic.
The old burden (until 2026.05.18): "To use an internal DB, ticketing, or KB as an agent tool, you needed a public endpoint."
That meant adding inbound firewall rules, the risk of exposing auth and credentials, and rounds of security-team review. The tighter the security gate — think finance or healthcare — the more often PoCs stalled there.
With Tunnels, you don't need to add inbound firewall rules. Allowing a single outbound connection is enough. Internal databases, private APIs, knowledge bases, and ticketing systems become agent tools as-is. Per VentureBeat's reporting, the core value is that credentials never cross the public internet.
Self-Hosted Sandboxes: only tool execution moves to your infra
Self-Hosted Sandboxes is a split architecture. The agent loop (orchestration, context, error recovery) stays on Anthropic's infra, while only tool execution moves to customer infra. Sensitive files, packages, and services never leave your network.
Launch partners (4 at release):
- Cloudflare — microVM + zero-trust networking, outbound traffic control (trust boundary and traffic control angle)
- Daytona — long-running stateful environments, SSH / preview URL access (for workflows that need to keep state)
- Modal — AI-workload focused, CPU/GPU scale allocation (compute-heavy work like long builds and image gen)
- Vercel — sandbox isolation + VPC peering + credential injection (credential injection at the network boundary)
You control the resource sizing and the runtime image. For compute-heavy tasks like long builds or image generation, you can directly allocate the CPU, memory, and capacity you need.
The numbers at a glance
- 2 new features — Tunnels + Sandboxes
- 4 sandbox partners — Cloudflare / Daytona / Modal / Vercel
- MCP Tunnels status — research preview (apply for access)
- Self-Hosted Sandboxes status — public beta (available now)
Existing Managed Agents integration code doesn't need to change. Anthropic says a single config change lets you move between Anthropic infra and customer infra. In other words, there's no new SDK call or separate migration procedure.
What changes for teams on the ground
The tighter your data-exfiltration gate — think finance or healthcare — the more these two features matter. PoCs that used to die in security review now reach the starting line with one outbound connection and a config change.
Good fit: Workflows where an internal DB, issue tracker, or KB has to become an agent tool. Compliance environments where data must not leave the network.
Caveat: Tunnels is a limited research preview, so it requires requesting access. General availability, pricing, and plans aren't separately spelled out on the official page.
"What kept the agent stuck wasn't model capability — it was one line of firewall. Turning that line into a single outbound connection is the heart of this announcement."
— Eddie · 2026.05.21
This isn't an update to the model — it's an update to the boundary. I expect more teams to take a fresh look at whether they can bring this in-house.
Sources & References
Official announcement:
Coverage:
- 9to5Mac — Anthropic enhances Claude Managed Agents with two new privacy and security features (2026.05.19)
- The New Stack — Anthropic debuts MCP tunnels and self-hosted sandboxes to lock down AI agent infrastructure
- InfoQ — Anthropic Introduces MCP Tunnels for Private Agent Access to Internal Systems
- VentureBeat — Securing AI agent credentials with MCP tunnels
Disclaimer: A roundup of an external announcement. No ads, no affiliates. Figures and statuses reflect the announcement date and may change later.
Original with full infographics and visual structure: https://jessinvestment.com/claude-can-now-reach-your-internal-database-mcp-tunnels-launch/
Top comments (0)