Quick Facts
- Category: Programming
- Published: 2026-05-19 17:19:45
Overview
In the rapidly evolving world of AI agents, security and control remain top concerns for organizations deploying automated reasoning systems. Anthropic’s latest offerings—self-hosted sandboxes and MCP tunnels—provide a robust layer of isolation and connectivity for Claude Managed Agents. These tools allow you to run agent operations on your own infrastructure while maintaining a secure gateway to private networks. This guide walks you through everything you need to know to implement these features effectively.

Rather than relying solely on Anthropic’s cloud, self-hosted sandboxes shift tool execution to your environment—or to a managed service provider like Cloudflare, Daytona, Modal, or Vercel. Meanwhile, MCP tunnels enable agents to communicate with MCP servers inside your private network without exposing them to the public internet. Together, they give you data privacy compliance, runtime control, and security over your AI agent infrastructure.
Prerequisites
Before diving into the implementation, ensure you have the following:
- An active Anthropic account with access to Claude Managed Agents (the hosted secure infrastructure layer).
- Permissions to configure workspace settings in the Claude Console (system administrator role recommended).
- For self-hosted sandboxes: a target environment such as a cloud VM, Kubernetes cluster, or a service from a supported MSP (e.g., Daytona, Modal).
- For MCP tunnels: an MCP server running inside your private network (must be reachable from a gateway host).
- Basic familiarity with network routing, API token management, and configuration files.
- Optional but helpful: experience with containerization (Docker) or Infrastructure-as-Code tools.
Step-by-Step Implementation Guide
Setting Up Self-Hosted Sandboxes
Self-hosted sandboxes isolate the agent’s tool execution from Anthropic’s infrastructure. Follow these steps to configure one:
- Select your infrastructure provider. You can run the sandbox on your own servers or leverage a managed service. Choose the option that best fits your security and compliance requirements.
- Deploy the sandbox runtime. Most providers offer a pre-built image or script. For example, using Daytona you might run:
    daytona create --image anthropic-sandbox:latest --name my-ai-sandbox
- Configure the sandbox environment. Mount external file stores, install required packages, and set environment variables. Example in a Docker-based setup (replace <LOCAL_SANDBOX_KEY> with the local key you generate in the token-swap step below):
    docker run -d --name agent-sandbox -v /data:/mnt/data -e API_KEY=<LOCAL_SANDBOX_KEY> anthropic/sandbox:latest
- Update your agent configuration. In the Claude Console, navigate to your agent’s settings. Under “Infrastructure,” change the sandbox type to self-hosted. Provide the endpoint URL or connection details for your sandbox.
- Swap authentication tokens. The managed agent uses cloud-managed API tokens by default. Replace them with local authentication keys for your sandbox infrastructure. This is typically a one-time configuration change.
- Test the integration. Trigger a simple agent action (e.g., a file read command) to verify the sandbox executes tools correctly. Monitor logs in your infrastructure for any errors.
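Before triggering the first agent action, it is worth validating the configuration you are about to submit. The script below is an added example, not Anthropic's tooling: the field names (sandbox_type, endpoint, auth_token, mounts), the "cloud-"/"local-" token prefixes and the sample configs are assumptions made for illustration, so map them onto the actual settings your console exports. It checks the three things the steps above change: the sandbox type, the endpoint, and the token swap, and it refuses mounts that would hand the sandbox a sensitive host path.

```python
"""Preflight checks for a self-hosted sandbox configuration.

Added example, not Anthropic's code. The config schema, the token prefixes
and the sample configs below are assumptions constructed for illustration.
"""
from urllib.parse import urlparse

# Assumed naming convention: cloud-managed tokens start with "cloud-",
# keys issued for your own infrastructure start with "local-".
CLOUD_TOKEN_PREFIX = "cloud-"
LOCAL_TOKEN_PREFIX = "local-"

# Host paths the sandbox must never see (illustrative list; extend for your estate).
FORBIDDEN_HOST_PATHS = ("/", "/etc", "/root", "/home", "/var/run/docker.sock")


def mount_is_forbidden(host_path):
    """True if host_path is, or lies under, a path on the forbidden list."""
    if host_path == "/":
        return True
    return any(host_path == p or host_path.startswith(p + "/")
               for p in FORBIDDEN_HOST_PATHS if p != "/")


def check_sandbox_config(cfg):
    """Return a list of findings; an empty list means the config passed."""
    findings = []

    # The sandbox type must actually have been switched in the console.
    if cfg.get("sandbox_type") != "self-hosted":
        findings.append("sandbox_type is %r, expected 'self-hosted'" % cfg.get("sandbox_type"))

    # The endpoint Anthropic's side will call must be a TLS URL with a host.
    url = urlparse(cfg.get("endpoint", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append("endpoint must be an https:// URL with a hostname")

    # A cloud-managed token left in place causes authorization failures.
    token = cfg.get("auth_token", "")
    if token.startswith(CLOUD_TOKEN_PREFIX):
        findings.append("auth_token is a cloud-managed token; swap in a local key")
    elif not token.startswith(LOCAL_TOKEN_PREFIX):
        findings.append("auth_token does not look like a local key")

    # The sandbox must not get unrestricted access to host systems.
    for spec in cfg.get("mounts", []):
        parts = spec.split(":")
        if len(parts) < 2:
            findings.append("malformed mount spec %r (want host:container[:mode])" % spec)
            continue
        host_path = parts[0]
        mode = parts[2] if len(parts) > 2 else "rw"
        if mount_is_forbidden(host_path):
            findings.append("mount %r exposes a sensitive host path" % spec)
        elif mode != "ro":
            findings.append("mount %r is writable; use :ro unless the agent must write" % spec)
    return findings


# Constructed sample configs: one with typical mistakes, one that passes.
BAD_CONFIG = {
    "sandbox_type": "self-hosted",
    "endpoint": "http://sandbox.internal.example:8443",
    "auth_token": "cloud-0123456789abcdef",
    "mounts": ["/etc:/mnt/etc", "/data:/mnt/data"],
}
GOOD_CONFIG = {
    "sandbox_type": "self-hosted",
    "endpoint": "https://sandbox.internal.example:8443",
    "auth_token": "local-fedcba9876543210",
    "mounts": ["/data/agent-inputs:/mnt/data:ro"],
}

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, "->", check_sandbox_config(cfg) or "OK")
```

Run it against the exported config before saving the console change; the bad sample reports four findings (plain-HTTP endpoint, cloud token, a mount of /etc, and a writable data mount), the good sample none.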
The agent loop—the continuous cycle of perception, reasoning, orchestration, context management, and error recovery—remains on Anthropic’s side. Only tool execution moves to your environment, preserving the reliability you expect while giving you full control.
Deploying MCP Tunnels
MCP (Model Context Protocol) is the industry-standard method for connecting agents to tools and data sources. MCP tunnels provide a secure, lightweight gateway that makes a single outbound connection from inside your private network to Anthropic’s cloud. This eliminates the need to expose your MCP servers publicly.
- Identify your target MCP server. Ensure the server is running and accessible from the machine that will host the tunnel gateway (typically a small VM or container inside your network).
- Deploy the gateway. Anthropic provides a lightweight gateway binary. Download and run it with the MCP server address and a tunnel token from the Claude Console:
    ./mcp-tunnel-gateway --mcp-server localhost:50051 --token TUNNEL_TOKEN_123
- Configure workspace settings. In the Claude Console, go to your workspace settings. Under “Network,” add a new tunnel entry. Specify the gateway’s public endpoint (if any) or the outbound connection identifier generated by the gateway.
- Authorize the connection. As a system administrator, approve the new tunnel connection. The console will display the tunnel status as “active” once the gateway successfully establishes the single outbound link.
- Confirm agent connectivity. Your Claude Managed Agent can now query the MCP server through the tunnel. No code changes are needed—your existing agent configuration continues to use the same MCP endpoints.
Remember: neither self-hosted sandboxes nor MCP tunnels require changes to existing Claude Managed Agents integrations. Switching between Anthropic’s infrastructure and your own is a matter of updating configuration values, not rewriting agent logic.

Common Mistakes
- Forgetting to update authentication tokens. Using cloud-managed API tokens in a self-hosted sandbox will result in authorization failures. Always generate and apply local keys for your infrastructure.
- Misconfiguring network routing in MCP tunnels. Ensure the gateway can reach the MCP server inside your network. Firewalls or NAT rules that block internal traffic will cause the tunnel to fail. Test connectivity before deploying to production.
- Exposing MCP servers inadvertently. The whole point of tunnels is to avoid public exposure. If you accidentally configure the gateway to accept incoming connections from the internet, you risk data leaks. Verify that only outbound connections are allowed.
- Overlooking sandbox isolation boundaries. A sandbox protects your internal network from malicious agent scripts, but it doesn’t protect the sandbox itself from the agent. Make sure your sandbox does not have unrestricted access to sensitive systems.
- Neglecting to test the agent loop. The agent loop stays on Anthropic’s side, but network latency can affect perception and error recovery. Run load tests to ensure acceptable performance, especially if your sandbox is in a different region.
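Two of the mistakes above, blocked internal routing and an accidentally exposed gateway, can be caught on the gateway host itself. The script below is an added example, not Anthropic's gateway tooling: it parses `ss -ltnp` output (Linux) to confirm that the mcp-tunnel-gateway process owns no listening socket on a non-loopback address, that something is listening on the MCP server port from the guide (50051), and it probes TCP reachability for the case where the MCP server runs on another machine. The socket table is constructed, with the gateway deliberately bound to 0.0.0.0:9443 to show what a finding looks like.

```python
"""Exposure and reachability checks for an MCP tunnel gateway host.

Added example, not Anthropic's code. The process name comes from the guide's
gateway command; the `ss -ltnp` table below is constructed for illustration.
"""
import re
import socket
from ipaddress import ip_address

# Constructed `ss -ltnp` output: the gateway is mistakenly accepting on 0.0.0.0:9443.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       4096    127.0.0.1:50051     0.0.0.0:*          users:(("mcp-server",pid=1201,fd=5))
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:9443        0.0.0.0:*          users:(("mcp-tunnel-gateway",pid=1337,fd=7))
LISTEN  0       128     [::1]:50051         [::]:*             users:(("mcp-server",pid=1201,fd=6))
"""

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Return [(address, port, process)] for each LISTEN line of `ss -ltnp`."""
    out = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            out.append((m.group(1).strip("[]"), int(m.group(2)), m.group(3)))
    return out


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; '*' or a hostname counts as not loopback."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def check_gateway_host(ss_output, gateway_proc="mcp-tunnel-gateway", mcp_port=50051):
    """Return findings (empty list = pass) for the gateway host's socket table."""
    findings = []
    mcp_bound = False
    for addr, port, proc in parse_listeners(ss_output):
        # The gateway should only dial out; any non-loopback listener is exposure.
        if proc == gateway_proc and not is_loopback(addr):
            findings.append(f"{proc} listens on {addr}:{port}; the gateway must only make outbound connections")
        if port == mcp_port:
            mcp_bound = True
    # Nothing on the MCP port means the tunnel has nowhere to forward to.
    if not mcp_bound:
        findings.append(f"no listener on port {mcp_port}; if the MCP server runs elsewhere, check it with probe_tcp()")
    return findings


def probe_tcp(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo_probe():
    """Self-check: probe a temporary loopback listener, then the same port once closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    srv.close()
    return while_open, probe_tcp("127.0.0.1", port)


if __name__ == "__main__":
    for finding in check_gateway_host(SAMPLE_SS) or ["gateway host: OK"]:
        print(finding)
    print("loopback probe (open, closed):", demo_probe())
```

On a real host, feed it `ss -ltnp` output (for example via subprocess) and run it from a deploy check; the gateway should produce no findings, and probe_tcp against the MCP server address is the quick way to separate a firewall or NAT problem from a tunnel problem.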
Summary
Anthropic’s self-hosted sandboxes and MCP tunnels empower you to build secure, compliant AI agent workflows without sacrificing control. By running tool execution on your own infrastructure and connecting to private MCP servers via a lightweight tunnel, you gain data privacy, runtime governance, and peace of mind. The implementation involves straightforward configuration changes—no code rewrites needed. Pay careful attention to token swapping, network routing, and isolation boundaries, and you’ll have a production-ready agent infrastructure that balances power with protection.