Anthropic Adds Self‑Hosted Sandboxes and MCP Tunnels to Claude Managed Agents
#AI

Frontend Reporter
4 min read

Anthropic’s Claude Managed Agents now support customer‑run sandboxes and encrypted Model Context Protocol tunnels, letting enterprises keep tool execution and data access inside their own security perimeter while still using Anthropic’s orchestration layer.

What’s new

Anthropic has extended the Claude Managed Agents platform with two enterprise‑grade features that arrived this week:

  1. Self‑hosted sandboxes – a public‑beta offering that lets customers run the tool‑execution part of an agent on infrastructure they control. The sandbox can be hosted directly on a private cloud or via managed providers such as Cloudflare, Daytona, Modal, and Vercel.
  2. MCP tunnels – a research‑preview capability that creates an outbound, encrypted tunnel from a private Model Context Protocol (MCP) server to Anthropic’s backend. The tunnel removes the need for inbound firewall rules while still exposing internal APIs, databases, or knowledge bases to agents.

Both features keep the orchestration, context handling, and recovery logic in Anthropic’s cloud, but move the actual workload execution and data access into the customer’s network.

Developer experience

Deploying a sandbox

Developers start by selecting a sandbox provider in the Claude Console. The console then generates a lightweight runner package that can be installed on the chosen platform. For example, a Cloudflare microVM sandbox is defined with a wrangler.toml that pins the runtime image and sets zero‑trust networking rules. Once the runner is up, Claude’s Managed Agent can call tools (e.g., image generation, code compilation) and the calls are routed to the sandbox via a secure webhook.

Key developer benefits:

  • Network policy control – the sandbox only ever initiates outbound connections; no inbound port has to be opened, which matches most corporate firewall configurations.
  • Audit logging – every tool invocation is logged locally, giving security teams a complete trail before the result is sent back to the agent.
  • Resource sizing – teams can allocate CPU/GPU resources that match the workload, avoiding the one‑size‑fits‑all limits of a fully managed service.
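The audit-logging benefit above rests on one pattern: the runner inside the sandbox records each tool call locally before the result is handed back to the agent. The following is an added illustration of that pattern, written for this article; it is hypothetical example code, not Anthropic's runner package or any provider's SDK. The tool registry, the `AuditedDispatcher` class and the `compile_check` tool are all assumptions made for the example, and the audit sink is an in-memory list standing in for an append-only local log file.

```python
"""Illustrative tool dispatcher for a self-hosted agent sandbox.

Hypothetical example code (not Anthropic's runner): every tool invocation is
written to a local audit trail before the result is returned to the agent,
and only tools on an explicit allowlist can be dispatched.
"""
import hashlib
import json
import time
from typing import Any, Callable, Dict, List

# Hypothetical allowlist: a tool can be invoked only if it is registered here.
TOOLS: Dict[str, Callable[..., Any]] = {}


def tool(name: str):
    """Decorator that registers a function under an allowlisted tool name."""
    def register(fn):
        TOOLS[name] = fn
        return fn
    return register


@tool("compile_check")
def compile_check(source: str) -> dict:
    """Placeholder tool: report whether a Python snippet parses (never runs it)."""
    try:
        compile(source, "<agent-input>", "exec")
        return {"ok": True}
    except SyntaxError as exc:
        return {"ok": False, "error": str(exc)}


def _digest(obj: Any) -> str:
    """Stable SHA-256 of a JSON-serialisable value, so the trail records what
    was passed and returned without storing confidential payloads verbatim."""
    data = json.dumps(obj, sort_keys=True, default=str).encode()
    return hashlib.sha256(data).hexdigest()


class AuditedDispatcher:
    """Dispatches agent tool calls and logs each one locally first."""

    def __init__(self, audit_sink: List[str]):
        # In a real runner this would be an append-only file on the host.
        self.audit_sink = audit_sink

    def invoke(self, agent_id: str, name: str, args: dict) -> dict:
        record = {
            "ts": time.time(),
            "agent": agent_id,
            "tool": name,
            "args_sha256": _digest(args),
            "status": "denied",
        }
        if name not in TOOLS:
            # Denied calls are logged too: a trail of what the agent tried.
            self.audit_sink.append(json.dumps(record))
            return {"error": f"tool {name!r} is not allowed in this sandbox"}

        started = time.monotonic()
        try:
            result = TOOLS[name](**args)
            record["status"] = "ok"
        except Exception as exc:  # tool crashed: log it, return a safe error
            result = {"error": type(exc).__name__}
            record["status"] = "error"
        record["duration_ms"] = round((time.monotonic() - started) * 1000, 3)
        record["result_sha256"] = _digest(result)
        # The audit record is committed before anything leaves the sandbox.
        self.audit_sink.append(json.dumps(record))
        return result

    def records(self) -> List[dict]:
        """Parsed view of the audit trail for security-team review."""
        return [json.loads(line) for line in self.audit_sink]


if __name__ == "__main__":
    sink: List[str] = []
    dispatcher = AuditedDispatcher(sink)
    dispatcher.invoke("agent-demo", "compile_check", {"source": "x = 1"})
    dispatcher.invoke("agent-demo", "shell", {"cmd": "id"})  # not allowlisted
    for line in sink:
        print(line)
```

The design choice worth noting is that the trail stores hashes of the arguments and results rather than the values themselves, so the log can be shipped to a SIEM without duplicating the confidential data the sandbox exists to protect, while still letting reviewers prove which inputs produced which outputs. Denied calls are recorded as well, since an agent repeatedly requesting a tool that is not on the allowlist is exactly the kind of signal a security team wants to see.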

Using an MCP tunnel

To expose an internal service, the organization deploys the MCP gateway (a small Docker image) inside its network. The gateway opens a TLS‑encrypted outbound connection to Anthropic’s tunnel endpoint. From the agent’s perspective, the private service appears as a regular MCP endpoint, reachable through the standard Messages API.

Configuration is handled through the Claude Console:

  1. Register the internal MCP server URL.
  2. Upload the gateway’s public key.
  3. Enable the tunnel flag on the agent’s profile.

After the tunnel is active, the agent can query a ticketing system, fetch confidential documents, or run a database query without any public IP exposure. The tunnel automatically reconnects if the network drops, preserving session state.

Trade‑offs to consider

  • Latency – because traffic still traverses the public internet (encrypted, but not on‑prem), latency can be slightly higher than a fully internal call. For latency‑sensitive workloads, placing the sandbox in the same VPC as the MCP server minimizes round‑trip time.
  • Operational overhead – teams must maintain the sandbox images and the gateway container, including patching and secret rotation. Anthropic provides CI templates for both, but the responsibility stays with the customer.
  • Cost model – sandbox usage is billed per‑second compute on the chosen provider, while the tunnel is billed per‑GB of tunneled traffic. This model gives fine‑grained cost control compared with a flat‑rate managed‑execution fee.

Impact on end users

From a user standpoint, the changes are invisible at the UI level; the Claude chat experience remains the same. The real benefit shows up in reliability and compliance:

  • Data residency – because files and repositories never leave the corporate network, companies in regulated sectors (finance, healthcare) can meet data‑locality requirements while still leveraging Claude’s reasoning capabilities.
  • Faster rollout – security reviews that previously required weeks to approve a managed execution environment can now focus on the sandbox configuration, which is a familiar artifact for most DevOps teams. As Daksh Trehan noted, the compliance bottleneck shifts from the model to the sandbox definition.
  • Scalable workloads – teams can spin up a GPU‑enabled Modal sandbox for a heavy‑weight image‑generation request and tear it down immediately after, avoiding the “always‑on” cost of a fully managed agent fleet.

Overall, Anthropic’s approach reflects a broader industry move toward separating orchestration from execution. By giving enterprises the ability to run agents inside their own perimeter, the platform stays attractive for high‑security environments while preserving the convenience of a managed AI service.


For more details, see the official announcement on the Anthropic blog and the technical guide for self‑hosted sandboxes.
