Network Profiles
Network profiles are pre-built allow/deny lists for common
configurations. Pass network_profile= at sandbox creation to apply
one without having to assemble the rules yourself.
Available profiles
| Profile | Description | Mode |
|---|---|---|
| unrestricted | No filtering — sandbox can reach any host | Allow-all |
| locked-down | Air-gapped — no external network at all | Deny-all |
| claude-code | Anthropic API + PyPI + npm + GitHub + crates.io | Allow-list |
| openai | OpenAI API + PyPI + npm + GitHub | Allow-list |
| data-science | HuggingFace + PyPI + GitHub + S3 + GCS + conda | Allow-list |
| web-dev | npm + jsDelivr + cdnjs + Google Fonts + GitHub | Allow-list |
```python
from isorun import Sandbox

# Locked-down — sandbox can't reach anything outside the runner.
with Sandbox("python", network_profile="locked-down") as sb:
    out = sb.exec("curl -m 2 https://example.com")
    assert out.exit_code != 0  # connection blocked

# Claude-code profile — agent can reach Anthropic + package registries.
with Sandbox("python", network_profile="claude-code") as sb:
    sb.exec("pip install anthropic")  # works
    sb.exec("curl https://api.anthropic.com/v1/models -H 'x-api-key: ...'")  # works
    out = sb.exec("curl -m 2 https://random-site.com")
    assert out.exit_code != 0  # blocked
```

Mixing with explicit allow/deny
network_profile and the allow= / deny= keyword args are
mutually exclusive — pick one. If a profile is almost what you
want, copy its rules and tweak.
Profile internals
Profiles are server-side; the SDK just passes the name. The runner’s
egress enforcer (built on nfqueue + per-VM iptables) blocks all
outbound traffic from the sandbox’s TAP device that doesn’t match the
allow list. DNS for allow-listed hostnames is resolved at policy
install time and refreshed on connection setup.
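
Because profiles live server-side and the SDK only passes the name, the practical way to confirm what a profile permits is to probe from inside the sandbox. The block below is an added example, not isorun code: `probe`, `audit_egress`, `FakeSandbox` and `FakeResult` are hypothetical names, and the allow list is constructed so it runs offline; it relies only on `sb.exec(...)` and `.exit_code` as shown above.

```python
import shlex
from dataclasses import dataclass
from urllib.parse import urlsplit

def probe(sb, url, timeout=2):
    """Return True if `url` is reachable from inside sandbox `sb`."""
    # Same check the page uses: curl with a short timeout, judged by exit code.
    # Without -f an HTTP 401/404 still exits 0, so this measures reachability only.
    cmd = f"curl -s -o /dev/null -m {int(timeout)} {shlex.quote(url)}"
    return sb.exec(cmd).exit_code == 0

def audit_egress(sb, must_reach, must_block):
    """Compare observed reachability with expectations; return the mismatches."""
    findings = []
    for url in must_reach:
        if not probe(sb, url):
            findings.append(("unreachable", url))
    for url in must_block:
        if probe(sb, url):
            findings.append(("leak", url))
    return findings

# --- Constructed stand-in so the example runs offline (not isorun code) ---
@dataclass
class FakeResult:
    exit_code: int

class FakeSandbox:
    """Mimics sb.exec() for curl against a constructed hostname allow list."""
    def __init__(self, allowed_hosts):
        self.allowed_hosts = set(allowed_hosts)

    def exec(self, cmd):
        url = shlex.split(cmd)[-1]
        host = urlsplit(url).hostname
        # 28 is curl's timeout exit code; used here as the "blocked" outcome.
        return FakeResult(0 if host in self.allowed_hosts else 28)

def demo():
    # Constructed policy with one deliberate gap: example.com is allowed.
    sb = FakeSandbox({"api.anthropic.com", "pypi.org", "example.com"})
    return audit_egress(
        sb,
        must_reach=["https://api.anthropic.com/v1/models", "https://pypi.org/simple/"],
        must_block=["https://example.com", "https://random-site.com"],
    )

if __name__ == "__main__":
    print(demo())
```

With a real sandbox, pass the `sb` obtained from `with Sandbox("python", network_profile="claude-code") as sb:` to `audit_egress` and treat any `leak` finding as a failed check.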
See Network Filtering for the raw allow/deny list shape and Endpoint Rules for per-method/per-path filtering.