# Network Policy
Control network access for sandboxes. Network policies allow you to restrict outbound traffic, block specific domains, or allow only certain endpoints.
## Network Modes

| Mode | Description | Use Case |
|---|---|---|
| `allow-all` | Allow all outbound traffic | Default, unrestricted access |
| `block-all` | Block all outbound traffic | Maximum security, air-gapped environments |
## Egress Policy
Egress fields are interpreted by the selected mode:
| Field | Type | Description |
|---|---|---|
| `allowed_domains` | array | Whitelist of allowed domains. Used only in `block-all` mode. |
| `denied_domains` | array | Blacklist of blocked domains. Used only in `allow-all` mode. |
| `allowed_cidrs` | array | Whitelist of allowed IP CIDRs. Used only in `block-all` mode. |
| `denied_cidrs` | array | Blacklist of blocked IP CIDRs. Used only in `allow-all` mode. |
| `allowed_ports` | array | Whitelist of allowed destination ports. Used only in `block-all` mode. |
| `denied_ports` | array | Blacklist of blocked destination ports. Used only in `allow-all` mode. |

In `allow-all` mode, traffic is permitted by default and only `denied_*` fields are enforced. In `block-all` mode, traffic is denied by default and only `allowed_*` fields are enforced.
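Because each egress field is enforced in only one mode, a policy can carry rules that restrict nothing. The following pre-submission check is an added example, not part of the SDK or the original docs: `Egress`, `Policy` and `IgnoredFields` are hypothetical local stand-ins for the documented request body, and the integer port element type is an assumption.

```go
package main

import "fmt"

// Egress and Policy are local stand-ins for the documented request body
// (hypothetical types for this example, not the SDK's apispec types).
type Egress struct {
	AllowedDomains, DeniedDomains, AllowedCIDRs, DeniedCIDRs []string
	AllowedPorts, DeniedPorts                                []int // element type assumed
}

type Policy struct {
	Mode   string // "allow-all" or "block-all"
	Egress Egress
}

// IgnoredFields lists egress fields that are set but not enforced in the
// policy's mode: allowed_* under allow-all, denied_* under block-all.
func IgnoredFields(p Policy) ([]string, error) {
	if p.Mode != "allow-all" && p.Mode != "block-all" {
		return nil, fmt.Errorf("unknown mode %q", p.Mode)
	}
	e := p.Egress
	fields := []struct {
		name    string
		n       int
		allowed bool // true for allowed_* fields
	}{
		{"allowed_domains", len(e.AllowedDomains), true},
		{"denied_domains", len(e.DeniedDomains), false},
		{"allowed_cidrs", len(e.AllowedCIDRs), true},
		{"denied_cidrs", len(e.DeniedCIDRs), false},
		{"allowed_ports", len(e.AllowedPorts), true},
		{"denied_ports", len(e.DeniedPorts), false},
	}
	var out []string
	for _, f := range fields {
		if f.n > 0 && f.allowed == (p.Mode == "allow-all") {
			out = append(out, f.name)
		}
	}
	return out, nil
}

func main() { // constructed sample: an allowlist under allow-all is not enforced
	p := Policy{Mode: "allow-all", Egress: Egress{AllowedDomains: []string{"github.com"}}}
	fmt.Println(IgnoredFields(p))
}
```

A non-empty result means the policy looks stricter than it is; the common case is an allowlist sent with `allow-all`, which leaves all outbound traffic open.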
## Get Network Policy
Retrieve the current network policy for a sandbox.
/api/v1/sandboxes/{id}/network
```go
// Get current network policy
policy, err := sandbox.GetNetworkPolicy(ctx)
if err != nil {
	log.Fatal(err)
}
fmt.Printf("Mode: %s\n", policy.Mode)
if egress, ok := policy.Egress.Get(); ok {
	fmt.Printf("Allowed domains: %v\n", egress.AllowedDomains)
}
```
## Update Network Policy
Update the network policy for a sandbox.
/api/v1/sandboxes/{id}/network
### Request Body

| Field | Type | Description |
|---|---|---|
| `mode` | string | Network mode: `allow-all` or `block-all` |
| `egress` | object | Egress policy rules (optional) |
### Allow All Traffic
Allow all outbound network access (default behavior).
```go
// Allow all traffic
_, err = sandbox.UpdateNetworkPolicy(ctx, apispec.TplSandboxNetworkPolicy{
	Mode: apispec.TplSandboxNetworkPolicyModeAllowAll,
})
if err != nil {
	log.Fatal(err)
}
fmt.Println("Network policy updated: allow-all")
```
### Block All Traffic
Block all outbound network access.
```go
// Block all traffic
_, err = sandbox.UpdateNetworkPolicy(ctx, apispec.TplSandboxNetworkPolicy{
	Mode: apispec.TplSandboxNetworkPolicyModeBlockAll,
})
if err != nil {
	log.Fatal(err)
}
fmt.Println("Network policy updated: block-all")
```
### Allow Specific Domains
Block all traffic except for specific allowed domains.
```go
// Block all except specific domains
_, err = sandbox.UpdateNetworkPolicy(ctx, apispec.TplSandboxNetworkPolicy{
	Mode: apispec.TplSandboxNetworkPolicyModeBlockAll,
	Egress: apispec.NewOptNetworkEgressPolicy(apispec.NetworkEgressPolicy{
		AllowedDomains: []string{"github.com", "pypi.org", "api.openai.com"},
	}),
})
if err != nil {
	log.Fatal(err)
}
fmt.Println("Network policy updated: only github.com, pypi.org, api.openai.com allowed")
```
### Block Specific Domains
Allow all traffic except for specific blocked domains.
```go
// Block specific domains (allow all others)
_, err = sandbox.UpdateNetworkPolicy(ctx, apispec.TplSandboxNetworkPolicy{
	Mode: apispec.TplSandboxNetworkPolicyModeAllowAll,
	Egress: apispec.NewOptNetworkEgressPolicy(apispec.NetworkEgressPolicy{
		DeniedDomains: []string{"facebook.com", "twitter.com"},
	}),
})
if err != nil {
	log.Fatal(err)
}
fmt.Println("Network policy updated: block facebook.com, twitter.com")
```
## Set Network Policy at Creation
Configure network policy when claiming a sandbox.
```go
// Claim sandbox with network policy
sandbox, err = client.ClaimSandbox(ctx, "default",
	sandbox0.WithSandboxHardTTL(600),
	sandbox0.WithSandboxNetworkPolicy(apispec.TplSandboxNetworkPolicy{
		Mode: apispec.TplSandboxNetworkPolicyModeAllowAll,
	}),
)
if err != nil {
	log.Fatal(err)
}
```
## Test Network Connectivity
Verify network policy by making requests from the sandbox.
```go
// Test network connectivity
const shell = `/bin/curl -s -o /dev/null -w "%{http_code}\n" --max-time 3 https://github.com`

resp, err := sandbox.Cmd(ctx, shell)
if err != nil {
	log.Fatal(err)
}
fmt.Printf("GitHub response before blocking: %s\n", resp.OutputRaw)

// Block all traffic
_, err = sandbox.UpdateNetworkPolicy(ctx, apispec.TplSandboxNetworkPolicy{
	Mode: apispec.TplSandboxNetworkPolicyModeBlockAll,
})
if err != nil {
	log.Fatal(err)
}

// Test again (should fail)
resp, err = sandbox.Cmd(ctx, shell)
if err != nil {
	// resp may be unset when the command errors, so do not read it here
	fmt.Println("Request blocked as expected")
} else {
	fmt.Printf("GitHub response after blocking: %s\n", resp.OutputRaw)
}
```
## Next Steps

- Port Exposure: Expose sandbox ports publicly
- Webhooks: Receive event notifications
- Volumes: Persistent storage for sandboxes