# Anthropic's MCP tunnels and self-hosted sandboxes: keeping agents inside your perimeter > Source: > Published: 2026-05-20 22:10:06+00:00 Anthropic has quietly shipped two new infrastructure features for Claude agents: MCP tunnels and self-hosted sandboxes. Neither is about making Claude smarter. Both are about making it safe to deploy inside a real enterprise security perimeter. They solve different problems. You might need one, the other, or both. MCP tunnels let Claude connect to MCP servers running in your private network — without opening inbound firewall ports or exposing services to the public internet. The mechanism is an outbound-only connection (via Cloudflare as the transport layer) that carries three independent layers of encryption: mutual TLS between Anthropic and the tunnel edge, inner TLS between Anthropic's backend and your proxy, and OAuth authentication on each individual MCP server. Crucially, Cloudflare can see connection metadata — timing, byte volume, your subdomain — but cannot read MCP request or response payloads because the proxy terminates inner TLS using a certificate only you hold. Each private MCP server you expose gets a hostname under your tunnel domain (e.g. docs. ). You attach those hostnames to Managed Agent sessions in the Console or pass them to the Messages API via the MCP connector. "Traffic flows over an outbound-only connection, so you don't need to open inbound firewall ports, expose services to the public internet, or allowlist Anthropic's IP ranges on your origin." — Anthropic docs Self-hosted sandboxes solve a separate problem: where the agent's code actually runs. By default, Claude Managed Agents execute tools inside Anthropic-managed cloud containers. Self-hosted sandboxes move tool execution into infrastructure you control — but keep the orchestration on Anthropic's side. The agent's code, filesystem, and network egress never leave your environment. The architecture is a small "environment worker" process you run on your own infrastructure. It polls a work queue maintained by Anthropic, claims sessions, downloads agent skills, executes tool calls locally, and posts results back. Pre-built workers exist for Cloudflare, Daytona, Modal, and Vercel. The CLI and SDK include helpers for both always-on pollers and webhook-triggered architectures. These are independent controls: A cloud-hosted agent session can use tunnels to reach private MCP servers. A self-hosted session can use either tunnelled or public MCP servers. Use both when you need execution and tool access to stay inside your boundary. The target audience is obvious: regulated industries (finance, healthcare, government) where data residency, network isolation, and audit controls are non-negotiable — and where "we run your agent in our cloud" simply won't fly with infosec. mcp_servers array the same way as any other remote MCP server.Both features are in Research Preview (beta). Access isn't automatic — you'll need to request it. Source: The New Stack | MCP tunnels docs | Self-hosted sandboxes docs ✏️ Drafted with KewBot (AI), edited and approved by Drew.