Claude MCP Tunnels & Self-Hosted Sandboxes: Enterprise Security Guide (May 2026)
Anthropic just shipped MCP tunnels and self-hosted sandboxes for Claude Managed Agents. Here's what they do, why enterprises need them, and how to set them up.
Claude MCP Tunnels & Self-Hosted Sandboxes: What Enterprises Need to Know
On May 19, 2026, Anthropic shipped two quietly significant additions to Claude Managed Agents: MCP tunnels (research preview) and self-hosted sandboxes (public beta). Together they solve the #1 blocker that's kept security-conscious enterprises from running Claude agents against their internal systems: you no longer have to expose anything to the public internet.
If your team has been watching Claude Managed Agents from the sidelines because your infosec team won't allow outbound tool calls to cloud-hosted agents, read on. The architecture just changed.
What Were the Security Problems Before?
Claude Managed Agents launched in April 2026 with impressive orchestration capabilities — managed sessions, built-in sandboxing, multiagent delegation, memory, and retry logic all handled by Anthropic's infrastructure. But for large enterprises, two gaps made it hard to adopt in regulated or security-sensitive contexts:
Problem 1: Tool execution ran on Anthropic's infrastructure. If your agent needed to query an internal database, call a private API, or interact with an on-prem knowledge base, you faced a choice: expose those systems publicly, or don't use Managed Agents.
Problem 2: MCP servers had to be public. The MCP connector catalog works beautifully for SaaS tools (GitHub, Slack, Linear). But if you want Claude to call an internal ticketing system, a private SQL database, or a proprietary data warehouse, those MCP servers couldn't live safely behind your firewall — until now.
Both problems are addressed in yesterday's update.
MCP Tunnels: Connect Private Networks Without Opening Firewall Ports
MCP tunnels let your Claude Managed Agents sessions reach MCP servers running inside your private network with no inbound firewall rules, no public endpoints, and no IP allowlisting on your end.
Here's how the architecture works:
- Outbound tunnel agent (cloudflared) inside your network
The practical result: your internal database, private REST API, on-prem knowledge base, or self-hosted ticketing system can become a tool Claude can call — without your network team having to open a single inbound port.
What You Can Connect With MCP Tunnels
The use cases are broad. Any internal system that exposes an MCP server interface becomes available:
- Internal databases — PostgreSQL, MySQL, Oracle behind your firewall
- Private APIs — internal microservices, proprietary data platforms
- On-prem knowledge bases — Confluence behind SSO, SharePoint, internal wikis
- Legacy ticketing systems — Jira Server, ServiceNow instances not on the public internet
- Proprietary data warehouses — Redshift, Snowflake on private VPCs
MCP tunnels are currently in research preview — you'll need to request access from the Claude Platform.
Setting Up MCP Tunnels: Step-by-Step
From the official docs, the setup flow is:
Step 1: Deploy the cloudflared gateway in your private network
The tunnel agent (cloudflared) runs on your infrastructure and initiates the outbound connection. No inbound rules needed.
```bash
# Install cloudflared on your internal server
brew install cloudflare/cloudflare/cloudflared   # macOS
# or use the appropriate installer for Linux/Windows

# Authenticate and configure the tunnel
cloudflared tunnel login
cloudflared tunnel create claude-mcp-tunnel
```
Step 2: Route each MCP server by hostname
Anthropic's routing component (the "Proxy") terminates inner TLS and routes each request to the correct upstream MCP server based on hostname. You configure a subdomain per MCP server:
```yaml
# tunnel-config.yml
tunnel: <your-tunnel-id>
credentials-file: /path/to/.cloudflared/<tunnel-id>.json
ingress:
  - hostname: internal-db.yourdomain.com
    service: http://localhost:3001   # your MCP server for internal DB
  - hostname: private-api.yourdomain.com
    service: http://localhost:3002   # your MCP server for private API
  - service: http_status:404
```
Step 3: Register the tunnel in the Claude Console
In the Claude Console → Managed Agents → Sessions, create or edit a session. Click + MCP Server, open the dropdown, and tunnels registered to your workspace appear at the top of the list (above the public connector catalog). Select the tunnel and supply the subdomain that routes to the specific MCP server you want.
Step 4: Use it in your agent
Once configured, your agent calls private tools exactly like any MCP tool — no special syntax, no different handling. The tunnel is transparent at the API level.
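As an added example (not code from Anthropic's docs or from Cloudflare's tooling), here is a small Python lint for the ingress block in Step 2. It flags wildcard hostnames, upstreams that are not loopback (the article's pattern runs each MCP server beside cloudflared), and any catch-all that is not the final http_status:404 fallback, so an unmatched hostname is never forwarded to an internal server. The sample config and the review policy are constructed for illustration.

```python
"""Lint a cloudflared ingress before it fronts MCP servers (hypothetical policy, not Cloudflare's/Anthropic's)."""
import re
from urllib.parse import urlparse

# Constructed sample: the article's two rules plus one deliberately risky rule.
SAMPLE_CONFIG = """\
ingress:
  - hostname: internal-db.yourdomain.com
    service: http://localhost:3001   # your MCP server for internal DB
  - hostname: private-api.yourdomain.com
    service: http://localhost:3002   # your MCP server for private API
  - hostname: "*.yourdomain.com"
    service: http://203.0.113.10:8080   # wildcard plus non-loopback upstream (TEST-NET IP)
  - service: http_status:404
"""
RULE_RE = re.compile(r'^\s*(-\s+)?(hostname|service):\s*"?([^"#\n]+?)"?\s*(#.*)?$')
LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")

def parse_ingress(text):
    """Return ingress rules as dicts, in order, stopping at the next top-level key."""
    rules, in_ingress = [], False
    for line in text.splitlines():
        if line.startswith("ingress:"):
            in_ingress = True
            continue
        if in_ingress and line and not line[0].isspace() and not line.startswith("-"):
            in_ingress = False
        m = RULE_RE.match(line) if in_ingress else None
        if m and m.group(1):  # a leading '-' starts a new rule
            rules.append({})
        if m:
            rules[-1][m.group(2)] = m.group(3).strip()
    return rules

def lint_ingress(rules):
    """Return findings as strings; an empty list means the ingress passed."""
    findings = []
    for i, rule in enumerate(rules, 1):
        host, service = rule.get("hostname"), rule.get("service", "")
        if host is None:  # catch-all: acceptable only as the final 404 fallback
            if i != len(rules) or service != "http_status:404":
                findings.append(f"rule {i}: catch-all must be last and http_status:404")
            continue
        if "*" in host:
            findings.append(f"rule {i}: wildcard hostname {host!r} forwards unknown names")
        if urlparse(service).hostname not in LOOPBACK_HOSTS:
            findings.append(f"rule {i}: upstream {service!r} is not loopback; verify it")
    if not rules or "hostname" in rules[-1]:
        findings.append("missing final http_status:404 fallback rule")
    return findings
```

Run `lint_ingress(parse_ingress(open("tunnel-config.yml").read()))` against your real file; the two findings on the sample both point at rule 3.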
Self-Hosted Sandboxes: Run Tool Execution on Your Infrastructure
The second feature ships as a public beta and is arguably even bigger for regulated industries.
The Architecture Shift
With the default Managed Agents setup, Claude's orchestration layer and tool execution both run on Anthropic's infrastructure. Self-hosted sandboxes split these:
- Orchestration stays on Anthropic — the agent loop, context management, error recovery, and retry logic remain managed
- Tool execution moves to your infrastructure — the actual code execution, file system operations, and tool calls happen in a sandbox you control
This split matters enormously for compliance requirements around data residency, audit logging, network policies, and runtime configuration.
Supported Sandbox Providers
You can run the execution sandbox on your own bare-metal or cloud infrastructure, or delegate the compute/isolation layer to supported managed providers:
| Provider | Best For |
|---|---|
| Cloudflare Workers | Edge compute, global distribution |
| Daytona | Dev environments, code execution |
| Modal | GPU workloads, ML inference |
| Vercel | Serverless, Node.js tooling |
| Your own infra | Full control, custom compliance needs |
Why This Matters for Regulated Industries
For teams in financial services, healthcare, legal, or government, self-hosted sandboxes change the compliance calculus:
- Data residency: Tool execution (and thus the data it touches) stays in your chosen region or on-prem
- Audit logs: Your sandbox, your logging — feed directly into your SIEM
- Network policies: The sandbox operates under your existing network rules, not Anthropic's
- Runtime controls: Pin runtimes, restrict package installs, enforce security policies at the OS level
A healthcare company running Claude against patient records can now ensure that data never leaves their VPC during tool execution. A financial firm needing SOC 2 Type II audit trails for every agent action can route all tool execution through their own logging infrastructure.
What This Means for Enterprise Claude Adoption
Taken together — MCP tunnels + self-hosted sandboxes — these two features complete the enterprise security story for Claude Managed Agents. The remaining architecture looks like this:
```text
Your Private Network                  Anthropic Infrastructure
─────────────────────                 ────────────────────────
Internal DB (MCP server)              Agent Loop & Orchestration
   ↕ encrypted tunnel                     ↕ calls tools ↕
cloudflared gateway  ←→  Tunnel Edge / Proxy
                                          ↕
                                   Self-Hosted Sandbox
                              (Cloudflare/Daytona/Modal/yours)
                                   ↳ tool execution happens here
                                   ↳ audit logs → your SIEM
                                   ↳ data stays in your VPC
```
The orchestration brain lives with Anthropic (where the model reliability, retry logic, and memory management live). The sensitive parts — what data gets touched and where code runs — stay under your control.
How to Get Access
Self-Hosted Sandboxes are in public beta — you can enable them today from the Claude Platform without a waitlist. Navigate to Managed Agents → Settings → Sandbox Configuration in the Claude Console.
MCP Tunnels are in research preview. You'll need to request access via the Claude Platform. Given the enterprise focus of this feature, Anthropic appears to be onboarding teams manually in the early phase.
Both features are available to Claude Teams and Enterprise plan customers.
Key Takeaways
- MCP tunnels let Claude agents call private MCP servers inside your corporate network via outbound-only encrypted connections — no inbound firewall rules required
- Self-hosted sandboxes move tool execution to infrastructure you control (your own servers or managed providers like Cloudflare, Daytona, Modal, or Vercel)
- Together they address the two biggest enterprise blockers: data staying inside your perimeter, and not exposing internal systems publicly
- Self-hosted sandboxes are public beta now; MCP tunnels are research preview (request access)
- Both require Teams or Enterprise plan
These features position Claude Managed Agents as a serious option for regulated industries that previously couldn't consider cloud-hosted AI agents for anything touching sensitive internal data.
Next Steps
If you're building with Claude agents in an enterprise context, the next logical steps are:
Want to go deeper on building secure Claude agents? Our Claude Managed Agents guide covers the full platform from scratch, and our MCP server build tutorial walks you through wrapping internal systems as MCP servers your agents can call.
If you're studying for the Claude Certified Architect (CCA) exam, agent security architecture — including sandboxing models and private network access patterns — is increasingly represented in the exam blueprint. Understanding MCP tunnels isn't just operationally useful; it's exam-relevant.
Sources: Anthropic official blog · The New Stack · InfoQ · 9to5Mac · Claude Platform Docs