Claude Code: Self-Hosted Sandboxes and MCP Tunnels for Managed Agents


At the Code with Claude London event on May 19, 2026, Anthropic announced two infrastructure features for Claude Managed Agents: self-hosted sandboxes (public beta) and MCP tunnels (research preview). Self-hosted sandboxes allow enterprises to run Claude Code's agent tool execution inside their own infrastructure — keeping sensitive files, repositories, and services inside their security perimeter — while the orchestration loop remains on Anthropic's platform. MCP tunnels extend this control to private networks, enabling Claude agents to reach internal databases, proprietary APIs, and ticketing systems through an end-to-end encrypted outbound connection, with no inbound firewall rules or public endpoints required.


Claude Managed Agents Gains Infrastructure Portability: Self-Hosted Sandboxes and MCP Tunnels

Anthropic used its Code with Claude London event on May 19, 2026 to announce a significant shift in how enterprises can deploy Claude Code agents: tool execution can now be decoupled from Anthropic's own infrastructure and moved into environments that organizations fully control. The announcement introduced two complementary capabilities — self-hosted sandboxes, available in public beta, and MCP tunnels, available in research preview — both aimed squarely at enterprise compliance and data residency requirements.

Decoupling the Brain from the Hands

The architectural principle underlying both features is what Anthropic describes as separating the agent's "brain" from its "hands." The orchestration loop — context management, error handling, memory, and decision-making — continues to run on Anthropic's infrastructure. What moves is the execution layer: the sandbox where agents actually run code, manipulate files, call tools, and interact with external services. This design lets enterprises satisfy data governance requirements without rebuilding the entire agent stack.

Self-Hosted Sandboxes

With self-hosted sandboxes, organizations can configure Claude Code's agent execution environment to run entirely within their own perimeter. Sensitive repositories, internal packages, and proprietary services never leave the enterprise's network. Existing security tooling, network policies, and audit logging remain in effect because the execution environment is one the organization already manages. Teams also gain control over compute sizing and the runtime image — a meaningful advantage for CPU- and memory-intensive workloads such as large builds, image generation, or parallel test suites.

Organizations that prefer not to build and maintain custom sandbox infrastructure can use one of four certified managed providers:

  • Cloudflare — V8 isolates and microVMs with zero-trust secrets injection and customizable egress proxies
  • Daytona — Fully composable, long-running, and stateful machines with SSH and preview URL access
  • Modal — Cloud-native AI workload platform with sub-second cold starts and concurrent sandbox scaling
  • Vercel — VM-grade isolation with VPC peering and millisecond startup times

Customer deployments announced alongside the feature include Amplitude (using Cloudflare for observability and control over its Design Agent), Clay (using Daytona for flexible filesystem access in its Sculptor GTM agent), Rogo (using Vercel for secure proprietary data handling), and Mason (using Modal to enforce enterprise security boundaries).

Self-hosted sandboxes launched in public beta on May 19. Note that the feature is not yet available for Claude Platform deployments on AWS Bedrock, and Memory is not yet supported in self-hosted sessions.

MCP Tunnels

MCP tunnels address a different gap: connecting Claude agents to Model Context Protocol servers that live inside private networks without making those servers publicly reachable. Internal databases, proprietary knowledge bases, legacy APIs, and ticketing systems can now become callable tools for Claude Code agents without any change to firewall rules or network topology.

Technically, MCP tunnels work through a lightweight gateway the organization deploys on-premises. That gateway opens a single outbound, end-to-end encrypted connection to Anthropic's platform. Because no inbound ports need to be opened and no public endpoints need to be created, the security footprint is minimal. Configuration is managed through Claude Console workspace settings.
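One way to check the outbound-only posture described above on the host that runs the gateway, as an added example that is not Anthropic's tooling or code from the announcement. It parses `ss -H -tan` output; the sample output, all addresses (documentation ranges) and the allowed-peer list are constructed placeholders, since the page names no endpoint.

```python
import ipaddress

# Constructed `ss -H -tan` output from a hypothetical gateway host.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
ESTAB 0 0 10.0.4.12:51844 203.0.113.10:443
ESTAB 0 0 10.0.4.12:40122 10.0.7.5:8443
ESTAB 0 0 10.0.4.12:22 198.51.100.7:60211
ESTAB 0 0 10.0.4.12:33990 192.0.2.44:443
"""
# Placeholders: the tunnel endpoint and one internal MCP server.
ALLOWED_PEERS = {"203.0.113.10:443", "10.0.7.5:8443"}

def split_hostport(endpoint):
    """Split 'host:port', tolerating bracketed IPv6 such as '[::1]:443'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # wildcard such as '*' binds every interface

def audit_outbound_only(ss_output, allowed_peers):
    """Return findings that contradict an outbound-only gateway host."""
    rows = [l.split()[:5] for l in ss_output.splitlines() if len(l.split()) >= 5]
    exposed_ports, findings = set(), []
    # Pass 1: any listener bound beyond loopback accepts inbound traffic.
    for state, _, _, local, _ in rows:
        host, port = split_hostport(local)
        if state == "LISTEN" and not is_loopback(host):
            exposed_ports.add(port)
            findings.append(("exposed-listener", local))
    # Pass 2: classify established connections.
    for state, _, _, local, peer in rows:
        if state != "ESTAB":
            continue
        if split_hostport(local)[1] in exposed_ports:
            findings.append(("inbound-connection", peer))  # accepted, not dialed
        elif peer not in allowed_peers and not is_loopback(split_hostport(peer)[0]):
            findings.append(("unexpected-egress", peer))
    return findings

if __name__ == "__main__":
    for kind, endpoint in audit_outbound_only(SAMPLE_SS, ALLOWED_PEERS):
        print(kind, endpoint)
```

An empty result means the host only dials out to the listed peers; the inbound classification is a heuristic based on the local port matching an exposed listener.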

MCP tunnels launched in research preview and require an access request via claude.com before getting started. Anthropic has signaled that broader availability is planned following the preview period.

Significance for Claude Code Users

For teams running Claude Code at enterprise scale, both features address the most common objections to adopting cloud-based AI agents: data sovereignty, compliance audit requirements, and the risk of sensitive code leaving the corporate perimeter. By allowing the execution environment and private tool access to stay inside enterprise boundaries while the managed orchestration layer handles reliability and scalability, Anthropic is positioning Claude Managed Agents as a viable option for heavily regulated industries — financial services, healthcare, and government — that previously could not use cloud-hosted agent infrastructure at all.