# Claude Managed Agents: Self-Hosted Sandboxes and MCP Tunnels in Beta

> Source: <https://byteiota.com/claude-managed-agents-self-hosted-sandboxes-and-mcp-tunnels-in-beta/>
> Published: 2026-06-16 18:11:45+00:00

The enterprise blocker for Claude agents has never been capability. It has been control. Regulated industries need tool execution inside their perimeter, private services unreachable from the public internet, and compliance audit trails that don’t trace back to “we sent your database queries to a third-party cloud.” Anthropic addressed this directly at [Code with Claude London on May 19](https://claude.com/blog/claude-managed-agents-updates): self-hosted sandboxes are now in public beta, and MCP tunnels entered research preview the same day.

## Where Claude Stops and You Take Over

The architecture is a deliberate split. The agent loop — orchestration, context management, error recovery, retry logic — stays on Anthropic’s infrastructure. What moves to your side is everything that actually touches your data.

With self-hosted sandboxes, tool execution moves to infrastructure you control. With MCP tunnels, private service access stays inside your network. You can use one or both. The agent doesn’t change; only where its tools execute and how it reaches your private services changes.

**Important:** Orchestration metadata still flows through Anthropic. If your compliance requirement is completely air-gapped operation, this architecture doesn’t cover it. If your requirement is that regulated data and tool execution stay inside your perimeter while using a hosted orchestration layer — which covers most HIPAA and GDPR regulated workloads — it likely does.

## Self-Hosted Sandboxes: What Actually Happens

When you configure an environment with `config.type = "self_hosted"`, Anthropic treats it as a work queue. When a session is assigned to it, Anthropic enqueues the session as a work item. Your worker process — running on your infrastructure — long-polls that queue using an outbound-only connection. Anthropic never dials into your network. Your worker claims items, executes tool calls locally, and posts results back.

Four managed providers work out of the box: Cloudflare Workers, Daytona, Modal, and Vercel. Vercel and Daytona have already published integration guides. For teams running on a VPC, private cloud, or air-gapped environment, there’s a custom sandbox client API.

```
# Set environment variables for your worker
export ANTHROPIC_ENVIRONMENT_KEY="your-environment-key"
export ANTHROPIC_ENVIRONMENT_ID="your-environment-id"

# Add this beta header to API calls (an HTTP request header, not a shell command):
#   Anthropic-Beta: managed-agents-2026-04-01
```

The [environment key](https://platform.claude.com/docs/en/managed-agents/self-hosted-sandboxes) — generated in the Console, not via the API — authenticates the entire worker flow: polling, acknowledging, heartbeats, stopping, and the session event stream. Store it in a secrets manager, not in environment files or sandbox images.
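One way to enforce that storage rule in CI, as an added example that is not from the original article or from Anthropic's documentation: a check that flags env files and Dockerfiles where `ANTHROPIC_ENVIRONMENT_KEY` is stored at rest. The file-name conventions, the sample tree, and the choice to accept a `$`-reference in an env file as runtime injection are assumptions.

```python
import re
from pathlib import PurePosixPath

KEY_VAR = "ANTHROPIC_ENVIRONMENT_KEY"  # variable name as used on this page

# Env file: `KEY=value` or `export KEY=value` with a non-empty value.
ENV_ASSIGN = re.compile(r"^\s*(?:export\s+)?" + KEY_VAR + r"\s*=\s*(?P<val>\S.*)$")
# Dockerfile: any ENV/ARG naming the key ends up in image config or build history.
IMAGE_DECL = re.compile(r"^\s*(?:ENV|ARG)\s+" + KEY_VAR + r"\b", re.IGNORECASE)

def kind_of(path: str):
    """Classify a path as 'image' (Dockerfile), 'env' (env file) or None."""
    base = PurePosixPath(path).name
    if base.startswith("Dockerfile") or base.endswith(".Dockerfile"):
        return "image"
    if base.startswith(".env") or base.endswith(".env"):
        return "env"
    return None

def findings(path: str, text: str) -> list:
    """1-based line numbers in one file where the key is stored at rest."""
    kind, hits = kind_of(path), []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if kind is None or line.lstrip().startswith("#"):
            continue
        if kind == "image" and IMAGE_DECL.match(line):
            hits.append(lineno)
        elif kind == "env" and (m := ENV_ASSIGN.match(line)):
            # Assumption: a value starting with $ is injected at runtime; a literal is not.
            if not m.group("val").lstrip("\"'").startswith("$"):
                hits.append(lineno)
    return hits

def scan(files: dict) -> dict:
    """Map each offending file path to its offending line numbers."""
    return {p: hits for p, t in files.items() if (hits := findings(p, t))}

# Constructed sample tree; every value is a placeholder, not a real credential.
SAMPLE = {
    "worker/.env": "ANTHROPIC_ENVIRONMENT_ID=env-placeholder\nANTHROPIC_ENVIRONMENT_KEY=placeholder-key\n",
    "worker/prod.env": "# injected at start\nANTHROPIC_ENVIRONMENT_KEY=${KEY_FROM_SECRETS_MANAGER}\n",
    "worker/Dockerfile": "FROM python:3.12-slim\nARG ANTHROPIC_ENVIRONMENT_KEY\nENV ANTHROPIC_ENVIRONMENT_KEY=placeholder-key\n",
    "worker/run.sh": "exec ./worker\n",
}

if __name__ == "__main__":
    for path, lines in scan(SAMPLE).items():
        print(f"{path}: environment key stored on line(s) {lines}")
```

Both `ARG` and `ENV` are flagged in Dockerfiles even without a literal value, because build arguments remain visible in image history and `ENV` values persist in the image configuration.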

Self-hosted sandboxes make sense when your agent needs to reach internal services that aren’t publicly routable, when data can’t leave your network boundary, or when compliance requires your own audit controls over tool execution. They also handle resource-intensive tasks well — image generation, large builds — because you control the runtime and resource sizing.

## MCP Tunnels: Private Services, No Firewall Changes

MCP tunnels solve a different problem. Your agent might be fine executing tools in Anthropic’s cloud, but it still needs to call your internal database, your Jira instance, or a private API that has never had a public endpoint.

The tunnel works by deploying a lightweight gateway in your network that makes a single outbound connection to Anthropic. No inbound firewall rules. No public endpoints. The inner TLS terminates using a certificate only you hold — the tunnel runs over Cloudflare’s network, but Cloudflare cannot read the payloads. Internal databases, private APIs, knowledge bases, and ticketing systems become tool-callable from the agent without exposing anything to the public internet.

MCP tunnels are independent from self-hosted sandboxes. You can combine them — tunnels for private service access, self-hosted sandbox for tool execution — or use either alone, depending on what needs to stay inside your boundary. See the [MCP tunnels overview](https://platform.claude.com/docs/en/agents-and-tools/mcp-tunnels/overview) for the full architecture.

One catch: MCP tunnels are still in research preview, not public beta. You need to request access from Anthropic directly.

## OpenAI Did the Same Thing a Week Later

On May 27 — eight days after Anthropic’s London announcement — OpenAI launched [Secure MCP Tunnel](https://byteiota.com/openai-secure-mcp-tunnel-private-mcp-servers-no-firewall-changes/). Same principle: outbound-only connection from inside the enterprise, no inbound firewall rules, private MCP servers accessible to the agent. The implementation differs — OpenAI uses a tunnel-client inside your network; Claude’s approach uses a gateway with Cloudflare transport and a customer-held inner TLS certificate — but the architecture converged independently.

Both Anthropic and OpenAI landing on outbound-only, customer-held credentials, vendor-run orchestration in the same month is not a coincidence. This is the shape enterprise AI agent connectivity is taking. If your agent stack doesn’t support this model, it won’t land in regulated industries.

## Current Status

**Self-hosted sandboxes**: Public beta — available now. Add `Anthropic-Beta: managed-agents-2026-04-01` and configure your environment in the Console. Supports all Claude Managed Agents models up to Opus 4.8.

**MCP tunnels**: Research preview — request access through Anthropic docs. Works with both Claude Managed Agents and the Messages API.

The infrastructure layer the enterprise AI agent story has been missing is here. Start with self-hosted sandboxes if you have data residency requirements. Request MCP tunnel access if you need private service connectivity. The two work together — and for most regulated deployments, you’ll want both.
