DEV Community

Kuldeep Paul

Deploying Air-Gapped Claude Code with Bifrost in Regulated Industries

Deploy Bifrost, the open-source AI gateway, inside restricted networks to run Claude Code with zero data egress, offline-capable infrastructure, and team governance for healthcare, fintech, and government organizations.

Claude Code sends requests directly to public Anthropic API endpoints by default, which creates a hard compliance barrier for teams in healthcare, financial services, and government. These organizations face strict rules prohibiting source code and prompts from leaving controlled network boundaries. Bifrost, an open-source AI gateway built by Maxim AI, sits between Claude Code and model providers and deploys entirely within air-gapped networks without any phone-home, telemetry, or outbound data flows. This guide covers deploying an air-gapped Claude Code setup on Bifrost, from offline installation to team-level governance, for organizations operating under strict compliance requirements.

Why regulated industries block Claude Code's direct API access

Organizations in regulated sectors face a non-negotiable constraint: prompts, completions, and the source code that Claude Code reads cannot cross a controlled network perimeter. When Claude Code calls Anthropic's API directly, every file it reads and every instruction it sends transits external infrastructure, which compliance teams universally block before adoption can proceed.

This regulatory pressure is well established. According to Deloitte's 2025 State of AI in the Enterprise report, 73% of enterprises now cite data privacy and security as their top AI risk concern, and 77% factor a vendor's country of origin into AI purchasing decisions. Penalties under the EU AI Act can reach 7% of global turnover, higher than the ceiling under GDPR. For deeper regulatory context, IBM maintains an overview of data residency requirements across jurisdictions.

An air-gapped AI gateway addresses this by keeping the entire request path inside infrastructure the organization controls. Claude Code sends requests to a local gateway, the gateway forwards them to approved models, and nothing crosses the network boundary without explicit configuration.

Requirements for an air-gapped Claude Code setup

An air-gapped Claude Code setup is a deployment where Claude Code routes all traffic through a self-hosted gateway running inside a network with no internet access. This ensures no prompt, completion, or credential ever leaves the perimeter. Meeting this requirement demands specific capabilities from the gateway layer.

A compliant setup requires:

  • Offline deployment: the gateway must install and run without external package fetches or update calls
  • Zero data egress: prompts, completions, and code stay inside the network at all times
  • No telemetry: the gateway must not emit usage data or perform any phone-home behavior
  • Local credential storage: provider keys remain in infrastructure the organization controls
  • Access control and audit: per-user permissions and immutable logs for compliance evidence
  • High availability: clustering so the gateway is not a single point of failure

Bifrost was designed to satisfy each of these requirements, making it the appropriate choice as the routing layer for Claude Code in restricted environments.

Running Claude Code offline with Bifrost

Bifrost supports four deployment models, with the air-gapped model targeting environments that have no internet connectivity. The enterprise deployment process is straightforward: export the Bifrost Docker image on a connected machine using docker save, transfer the resulting tarball to the air-gapped environment via portable media, and load it into the internal registry. From that point, the gateway operates fully offline with no external dependencies or telemetry.

# On a connected machine
docker save maximhq/bifrost:latest -o bifrost.tar

# Transfer bifrost.tar to the air-gapped environment, then:
docker load -i bifrost.tar
docker run -p 8080:8080 maximhq/bifrost
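Before running docker load, the tarball that crossed the air gap can be checked against a hash recorded on the connected machine and against the image tag it is supposed to contain. This is an added example, not part of Bifrost's tooling: the function names are illustrative, and the expected hash is assumed to reach the restricted side separately from the portable media.

```python
import hashlib
import json
import tarfile

def sha256_file(path, chunk=1 << 20):
    """Stream the file so a multi-gigabyte image tarball never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def image_tags(path):
    """Read RepoTags from the manifest.json that `docker save` writes."""
    with tarfile.open(path) as tar:
        member = tar.extractfile("manifest.json")  # KeyError if absent
        if member is None:
            raise ValueError("manifest.json is not a regular file")
        manifest = json.load(member)
    return sorted(t for entry in manifest for t in entry.get("RepoTags") or [])

def verify_transfer(path, expected_sha256, expected_tag):
    """Return a list of problems; load the image only when it is empty."""
    actual = sha256_file(path)
    if actual != expected_sha256.lower():
        # Do not parse an archive that already failed the hash check.
        return [f"sha256 mismatch: got {actual}"]
    try:
        tags = image_tags(path)
    except (KeyError, ValueError, TypeError, AttributeError,
            tarfile.TarError) as exc:
        return [f"not a docker save archive: {exc}"]
    if tags != [expected_tag]:
        return [f"unexpected image tags: {tags}"]
    return []

if __name__ == "__main__":
    import sys
    # usage: verify.py bifrost.tar <sha256 recorded on the connected machine>
    issues = verify_transfer(sys.argv[1], sys.argv[2], "maximhq/bifrost:latest")
    print("\n".join(issues) or "ok: safe to docker load")
    sys.exit(1 if issues else 0)
```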

For production deployments, Bifrost ships as a single Go binary with minimal resource requirements: 2 vCPU and 4GB RAM for a single node. Organizations preferring in-VPC isolation rather than fully disconnected networks can deploy Bifrost inside AWS, GCP, or Azure with complete network isolation and no external dependencies. All LLM traffic remains within private cloud infrastructure. A single Terraform module targets EKS, ECS, GKE, Cloud Run, AKS, and generic Kubernetes, ensuring consistent deployments across platforms.

For production availability, Bifrost supports clustering using a peer-to-peer architecture with a three-node minimum and zero-downtime rolling updates. This design eliminates single points of failure in the Claude Code workflow.

Connecting Claude Code to Bifrost

Once the gateway is running inside the perimeter, Claude Code connects through the Bifrost integration by setting two environment values in settings.json. The recommended approach uses ANTHROPIC_AUTH_TOKEN set to a Bifrost virtual key, which eliminates the need for Anthropic account login or Anthropic credentials since the gateway handles routing and authentication.

Point the base URL at the local gateway and provide the virtual key:

"env": {
  "ANTHROPIC_BASE_URL": "http://bifrost.internal:8080/anthropic",
  "ANTHROPIC_AUTH_TOKEN": "your-virtual-key",
  "ANTHROPIC_DEFAULT_HAIKU_MODEL": "claude-haiku-4-6",
  "ANTHROPIC_DEFAULT_SONNET_MODEL": "claude-sonnet-4-6"
}

The global settings.json is located at ~/.claude/settings.json on macOS, Linux, and WSL, with project-specific overrides in .claude/settings.json. Merge the env block into the existing object rather than replacing the file, preserving permissions and other settings.
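One way to do that merge safely, as an added example rather than code from Bifrost or Claude Code: it keeps every existing key, swaps the file in atomically with owner-only permissions because it holds the virtual key, and reports a base URL that points outside the perimeter or uses plain HTTP. The `.internal` suffix list and both function names are assumptions for illustration.

```python
import json
import os
import tempfile
from urllib.parse import urlparse

# Assumption: hostnames under these suffixes resolve only inside the perimeter.
INTERNAL_SUFFIXES = (".internal",)

def check_base_url(url, suffixes=INTERNAL_SUFFIXES):
    """Return findings for ANTHROPIC_BASE_URL; an empty list means none."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = []
    if not host.endswith(tuple(suffixes)):
        findings.append(f"host {host!r} is not under an internal suffix")
    if parsed.scheme != "https":
        findings.append("not https: the virtual key is sent in cleartext")
    return findings

def merge_env(path, env):
    """Merge env into the settings file at path, keeping all other keys."""
    settings = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            settings = json.load(fh)  # invalid JSON raises; file is untouched
    if not isinstance(settings, dict):
        raise ValueError("settings.json must hold a JSON object")
    settings["env"] = {**(settings.get("env") or {}), **env}
    directory = os.path.dirname(os.path.abspath(path))
    os.makedirs(directory, exist_ok=True)
    # mkstemp creates the file with mode 0600, so the key is never world-readable.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".settings-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(settings, fh, indent=2)
            fh.write("\n")
        os.replace(tmp, path)  # atomic swap: no half-written settings file
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    return settings

if __name__ == "__main__":
    env = {"ANTHROPIC_BASE_URL": "http://bifrost.internal:8080/anthropic",
           "ANTHROPIC_AUTH_TOKEN": "your-virtual-key"}  # placeholder key
    print(check_base_url(env["ANTHROPIC_BASE_URL"]))
    with tempfile.TemporaryDirectory() as d:  # constructed demo, not ~/.claude
        print(merge_env(os.path.join(d, "settings.json"), env))
```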

Claude Code uses three model tiers (Sonnet, Opus, and Haiku), and Bifrost routing rules let organizations map those tiers to any approved model on any configured provider. Inside a regulated environment, that typically means routing to self-hosted models or to an approved enterprise endpoint such as Bedrock, Vertex, or Azure instead of the public Anthropic API. When a model is configured with automatic failover, Bifrost redirects to a healthy provider if a request fails, so a mid-session provider issue does not disrupt long-running coding tasks.

If Claude Code uses MCP-connected tools, the Bifrost MCP gateway centralizes those tool connections through the same gateway, keeping tool execution inside the governed, offline boundary alongside model traffic.

Governance and compliance controls for Claude Code

Routing Claude Code through Bifrost transforms an ungoverned developer tool into a controlled, auditable system. The enterprise deployment model provides the same security stack regardless of deployment location.

Key controls include:

  • Virtual keys: Virtual keys are the primary governance entity, carrying per-consumer permissions, budgets, and rate limits. Tagging keys by team or environment makes every Claude Code request attributable.
  • RBAC and SSO: Role-based access control with OpenID Connect integration for Okta and Entra ID enforces least-privilege access at the gateway.
  • Audit logs: Immutable audit trails record activity for SOC 2 Type II, GDPR, HIPAA, and ISO 27001 compliance evidence.
  • Vault support: Secret management integrates with HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, and Azure Key Vault, eliminating provider keys from configuration files.
  • Guardrails: Content safety controls detect and block unsafe model outputs with real-time policy enforcement across all connected agents.
  • Observability: Built-in monitoring exposes Prometheus metrics and OpenTelemetry traces for every request, with log exports to internal data lakes.

These controls map directly to the requirements that govern AI deployment in government, public sector, healthcare, and life sciences, where network isolation and complete traceability are essential. Organizations evaluating the full picture can review Bifrost Enterprise options for air-gapped, on-premises, and in-VPC configurations.

Frequently asked questions

Can Claude Code run without internet access?

Yes, when it routes through a self-hosted gateway. Claude Code connects to a local Bifrost endpoint, and Bifrost forwards requests to approved models inside the network. As long as those models are reachable internally, the entire workflow operates with no internet connectivity.

Does an air-gapped Bifrost deployment phone home?

No. The air-gapped deployment runs fully offline with no external connections and no telemetry. The Docker image is exported on a connected machine and loaded into an internal registry, after which the gateway has no external dependencies.

How does Claude Code authenticate without an Anthropic account?

Setting ANTHROPIC_AUTH_TOKEN to a Bifrost virtual key removes the Anthropic account requirement. Claude Code sends the token in the Authorization header, and Bifrost uses the virtual key for both routing and authentication.

Which compliance frameworks does this setup support?

Bifrost's audit logging, RBAC, vault integration, and zero-egress deployment are designed to satisfy SOC 2 Type II, GDPR, HIPAA, and ISO 27001 requirements, making it well-suited for regulated industries with strict data residency rules.

Deploy Claude Code where compliance demands it

An air-gapped Claude Code setup gives regulated teams the productivity benefits of a terminal coding agent without surrendering control of their data. By routing Claude Code through Bifrost, prompts and source code stay inside the perimeter, provider access runs through governed virtual keys, and every request is logged for compliance. The same open-source AI gateway scales from a single offline node to a multi-cloud cluster, so the deployment grows alongside the organization rather than against it.

To see how an air-gapped Claude Code setup fits your compliance and infrastructure requirements, book a demo with the Bifrost team.
