Network Filtering
Per-sandbox egress allow/deny lists. Block by default, allow what you trust.
Control which hosts a sandbox can reach with a per-sandbox egress policy.
Every sandbox has its own egress policy. By default the policy is
"unrestricted", the VM can reach any host on the public internet.
For agent code that runs untrusted scripts or that should only talk to
specific upstreams, pass network: { allow, deny } at create time.
Allow only what you trust
The most common pattern: deny everything, then allow only the hosts you need.
import { Isorun } from 'isorun'
const isorun = new Isorun()
const sandbox = await isorun.create({
image: 'python:3.12-slim',
network: {
deny: ['0.0.0.0/0'], // block everything
allow: ['api.openai.com', 'pypi.org'], // …except these
},
})
try {
await sandbox.exec('pip install openai') // works
const r = await sandbox.exec('curl -m 2 https://example.com')
console.log(r.exitCode !== 0) // true (blocked)
} finally {
await sandbox.destroy()
}Block specific hosts
For policies where you trust most of the internet but want to block specific upstreams:
const sandbox = await isorun.create({
image: 'python:3.12-slim',
network: { deny: ['169.254.169.254', 'metadata.google.internal'] },
})
try {
await sandbox.exec('curl https://example.com') // works
const r = await sandbox.exec('curl -m 2 http://169.254.169.254/')
console.log(r.exitCode !== 0) // true
} finally {
await sandbox.destroy()
}Rule shape
Rules are matched against the destination of every outbound TCP connection from the sandbox's network interface.
- CIDR ranges:
0.0.0.0/0,10.0.0.0/8,192.168.1.0/24 - IP literals:
1.2.3.4 - Hostnames:
api.openai.com, matched literally against the destination's SNI - Wildcards:
*.openai.commatchesapi.openai.com,cdn.openai.com, etc.
A wildcard like *.openai.com does not match the bare apex openai.com. List the apex separately if you need it.
The order of evaluation: deny rules first, then allow. A connection is permitted iff it matches an allow rule and does not match any deny rule.
How it works
The runner applies egress policy at the host boundary before traffic leaves the sandbox. Requests are checked against the sandbox policy and either allowed or blocked. DNS and hostname checks are kept in sync so domain allowlists stay accurate.
Policy is enforced outside guest code execution. Changes made inside the VM only affect the guest's view and cannot disable runtime egress enforcement.
Enforcement lives at the host boundary, not inside the guest. Code running in the sandbox can't edit iptables, swap the resolver, or otherwise disable the policy.
Combine with named profiles
If your allow list is one of the common patterns (Anthropic, OpenAI,
HuggingFace, etc.), pass networkProfile instead, it's the same
machinery with a friendlier name. See
Network Profiles.
Per-endpoint filtering
For finer-grained control (allow POST /v1/chat/completions but deny
DELETE /v1/admin/...), use Endpoint Rules
together with credential injection.
Next steps
- Network profiles, named allow/deny templates for common workloads.
- Endpoint rules, narrow the credential proxy to specific methods and paths.
- Audit trail, every blocked egress is logged.