Anthropic's MCP tunnels and self-hosted sandboxes: keeping agents inside your perimeter

Anthropic has released two new infrastructure features for Claude agents: MCP tunnels and self-hosted sandboxes, both designed to enhance security for enterprise deployments. MCP tunnels allow Claude to connect to private network servers via outbound-only connections with three layers of encryption, eliminating the need to open firewall ports, while self-hosted sandboxes let organizations run agent tool execution on their own infrastructure. These features, currently in beta and requiring access requests, target regulated industries like finance and healthcare that require data residency, network isolation, and audit controls.

Anthropic has quietly shipped two new infrastructure features for Claude agents: MCP tunnels and self-hosted sandboxes. Neither is about making Claude smarter. Both are about making it safe to deploy inside a real enterprise security perimeter. They solve different problems. You might need one, the other, or both. MCP tunnels let Claude connect to MCP servers running in your private network — without opening inbound firewall ports or exposing services to the public internet. The mechanism is an outbound-only connection via Cloudflare as the transport layer that carries three independent layers of encryption: mutual TLS between Anthropic and the tunnel edge, inner TLS between Anthropic's backend and your proxy, and OAuth authentication on each individual MCP server. Crucially, Cloudflare can see connection metadata — timing, byte volume, your subdomain — but cannot read MCP request or response payloads because the proxy terminates inner TLS using a certificate only you hold. Each private MCP server you expose gets a hostname under your tunnel domain e.g. docs.<your-tunnel-domain . You attach those hostnames to Managed Agent sessions in the Console or pass them to the Messages API via the MCP connector. "Traffic flows over an outbound-only connection, so you don't need to open inbound firewall ports, expose services to the public internet, or allowlist Anthropic's IP ranges on your origin." — Anthropic docs Self-hosted sandboxes solve a separate problem: where the agent's code actually runs. By default, Claude Managed Agents execute tools inside Anthropic-managed cloud containers. Self-hosted sandboxes move tool execution into infrastructure you control — but keep the orchestration on Anthropic's side. The agent's code, filesystem, and network egress never leave your environment. The architecture is a small "environment worker" process you run on your own infrastructure. It polls a work queue maintained by Anthropic, claims sessions, downloads agent skills, executes tool calls locally, and posts results back. Pre-built workers exist for Cloudflare, Daytona, Modal, and Vercel. The CLI and SDK include helpers for both always-on pollers and webhook-triggered architectures. These are independent controls: A cloud-hosted agent session can use tunnels to reach private MCP servers. A self-hosted session can use either tunnelled or public MCP servers. Use both when you need execution and tool access to stay inside your boundary. The target audience is obvious: regulated industries finance, healthcare, government where data residency, network isolation, and audit controls are non-negotiable — and where "we run your agent in our cloud" simply won't fly with infosec. mcp servers array the same way as any other remote MCP server.Both features are in Research Preview beta . Access isn't automatic — you'll need to request it. Source: The New Stack | MCP tunnels docs | Self-hosted sandboxes docs ✏️ Drafted with KewBot AI , edited and approved by Drew.