You can control whether a sandbox has access to the internet by using the allowInternetAccess parameter when creating a sandbox. By default, internet access is enabled (true), but you can disable it for security-sensitive workloads.
import { Sandbox } from 'e2b'// Create sandbox with internet access enabled (default)const sandbox = await Sandbox.create({ allowInternetAccess: true })// Create sandbox without internet accessconst isolatedSandbox = await Sandbox.create({ allowInternetAccess: false })
from e2b import Sandbox# Create sandbox with internet access enabled (default)sandbox = Sandbox.create(allow_internet_access=True)# Create sandbox without internet accessisolated_sandbox = Sandbox.create(allow_internet_access=False)
When internet access is disabled, the sandbox cannot make outbound network connections, which provides an additional layer of security for sensitive code execution.
Setting allowInternetAccess to false is equivalent to setting network.denyOut to ['0.0.0.0/0'] (denying all traffic).
You can allow traffic to specific domains by specifying hostnames in allow out. When using domain-based filtering, you must include ALL_TRAFFIC in deny out to block all other traffic. Domains are not supported in the deny out list.
import { Sandbox, ALL_TRAFFIC } from 'e2b'// Allow only traffic to google.comconst sandbox = await Sandbox.create({ network: { allowOut: ['google.com'], denyOut: [ALL_TRAFFIC] }})
from e2b import Sandbox, ALL_TRAFFIC# Allow only traffic to google.comsandbox = Sandbox.create( network={ "allow_out": ["google.com"], "deny_out": [ALL_TRAFFIC] })
When any domain is used, the default nameserver 8.8.8.8 is automatically allowed to ensure proper DNS resolution.
You can also use wildcards to allow all subdomains of a domain:
import { Sandbox, ALL_TRAFFIC } from 'e2b'// Allow traffic to any subdomain of mydomain.comconst sandbox = await Sandbox.create({ network: { allowOut: ['*.mydomain.com'], denyOut: [ALL_TRAFFIC] }})
from e2b import Sandbox, ALL_TRAFFIC# Allow traffic to any subdomain of mydomain.comsandbox = Sandbox.create( network={ "allow_out": ["*.mydomain.com"], "deny_out": [ALL_TRAFFIC] })
You can combine domain names with IP addresses and CIDR blocks:
import { Sandbox, ALL_TRAFFIC } from 'e2b'// Allow traffic to specific domains and IPsconst sandbox = await Sandbox.create({ network: { allowOut: ['api.example.com', '*.github.com', '8.8.8.8'], denyOut: [ALL_TRAFFIC] }})
from e2b import Sandbox, ALL_TRAFFIC# Allow traffic to specific domains and IPssandbox = Sandbox.create( network={ "allow_out": ["api.example.com", "*.github.com", "8.8.8.8"], "deny_out": [ALL_TRAFFIC] })
Domain-based filtering only works for HTTP traffic on port 80 (via Host header inspection) and TLS traffic on port 443 (via SNI inspection). Traffic on other ports uses CIDR-based filtering only. UDP-based protocols like QUIC/HTTP3 are not supported for domain filtering.
When both allow out and deny out are specified, allow rules always take precedence over deny rules. This means if an IP address is in both lists, it will be allowed.
import { Sandbox, ALL_TRAFFIC } from 'e2b'// Even though ALL_TRAFFIC is denied, 1.1.1.1 and 8.8.8.8 are explicitly allowedconst sandbox = await Sandbox.create({ network: { denyOut: [ALL_TRAFFIC], allowOut: ['1.1.1.1', '8.8.8.8'] }})
from e2b import Sandbox, ALL_TRAFFIC# Even though ALL_TRAFFIC is denied, 1.1.1.1 and 8.8.8.8 are explicitly allowedsandbox = Sandbox.create( network={ "deny_out": [ALL_TRAFFIC], "allow_out": ["1.1.1.1", "8.8.8.8"] })
Every sandbox has a public URL that can be used to access running services inside the sandbox.
import { Sandbox } from 'e2b'const sandbox = await Sandbox.create()// You need to always pass a port number to get the hostconst host = sandbox.getHost(3000)console.log(`https://${host}`)
from e2b import Sandboxsandbox = Sandbox.create()# You need to always pass a port number to get the hosthost = sandbox.get_host(3000)print(f'https://{host}')
The code above will print something like this:
https://3000-i62mff4ahtrdfdkyn2esc.e2b.app
https://3000-i62mff4ahtrdfdkyn2esc.e2b.app
The first leftmost part of the host is the port number we passed to the method.
By default, sandbox URLs are publicly accessible. You can restrict access to require authentication using the allowPublicTraffic option:
import { Sandbox } from 'e2b'// Create sandbox with restricted public accessconst sandbox = await Sandbox.create({ network: { allowPublicTraffic: false }})// The sandbox has a traffic access tokenconsole.log(sandbox.trafficAccessToken)// Start a server inside the sandboxawait sandbox.commands.run('python -m http.server 8080', { background: true })const host = sandbox.getHost(8080)const url = `https://${host}`// Request without token will fail with 403const response1 = await fetch(url)console.log(response1.status) // 403// Request with token will succeedconst response2 = await fetch(url, { headers: { 'e2b-traffic-access-token': sandbox.trafficAccessToken }})console.log(response2.status) // 200
import requestsfrom e2b import Sandbox# Create sandbox with restricted public accesssandbox = Sandbox.create( network={ "allow_public_traffic": False })# The sandbox has a traffic access tokenprint(sandbox.traffic_access_token)# Start a server inside the sandboxsandbox.commands.run("python -m http.server 8080", background=True)host = sandbox.get_host(8080)url = f"https://{host}"# Request without token will fail with 403response1 = requests.get(url)print(response1.status_code) # 403# Request with token will succeedresponse2 = requests.get(url, headers={ 'e2b-traffic-access-token': sandbox.traffic_access_token})print(response2.status_code) # 200
When allowPublicTraffic is set to false, all requests to the sandbox’s public URLs must include the e2b-traffic-access-token header with the value from sandbox.trafficAccessToken.
You can start a server inside the sandbox and connect to it using the approach above.In this example we will start a simple HTTP server that listens on port 3000 and responds with the content of the directory where the server is started.
import { Sandbox } from 'e2b'const sandbox = await Sandbox.create()// Start a simple HTTP server inside the sandbox.const process = await sandbox.commands.run('python -m http.server 3000', { background: true })const host = sandbox.getHost(3000)const url = `https://${host}`console.log('Server started at:', url)// Fetch data from the server inside the sandbox.const response = await fetch(url);const data = await response.text();console.log('Response from server inside sandbox:', data);// Kill the server process inside the sandbox.await process.kill()
import requestsfrom e2b import Sandboxsandbox = Sandbox.create()# Start a simple HTTP server inside the sandbox.process = sandbox.commands.run("python -m http.server 3000", background=True)host = sandbox.get_host(3000)url = f"https://{host}"print('Server started at:', url)# Fetch data from the server inside the sandbox.response = requests.get(url)data = response.textprint('Response from server inside sandbox:', data)# Kill the server process inside the sandbox.process.kill()
This output will look like this:
Server started at: https://3000-ip3nfrvajtqu5ktoxugc7.e2b.appResponse from server inside sandbox: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title>Directory listing for /</title></head><body><h1>Directory listing for /</h1><hr><ul><li><a href=".bash_logout">.bash_logout</a></li><li><a href=".bashrc">.bashrc</a></li><li><a href=".profile">.profile</a></li></ul><hr></body></html>
Server started at: https://3000-ip3nfrvajtqu5ktoxugc7.e2b.appResponse from server inside sandbox: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title>Directory listing for /</title></head><body><h1>Directory listing for /</h1><hr><ul><li><a href=".bash_logout">.bash_logout</a></li><li><a href=".bashrc">.bashrc</a></li><li><a href=".profile">.profile</a></li></ul><hr></body></html>
You can customize the Host header that gets sent to services running inside the sandbox using the maskRequestHost option. This is useful when your application expects a specific host format.
import { Sandbox } from 'e2b'// Create sandbox with custom host maskingconst sandbox = await Sandbox.create({ network: { maskRequestHost: 'localhost:${PORT}' }})// The ${PORT} variable will be replaced with the actual port number// Requests to the sandbox will have Host header set to for example: localhost:8080
from e2b import Sandbox# Create sandbox with custom host maskingsandbox = Sandbox.create( network={ "mask_request_host": "localhost:${PORT}" })# The ${PORT} variable will be replaced with the actual port number# Requests to the sandbox will have Host header set to for example: localhost:8080
The ${PORT} variable in the mask will be automatically replaced with the actual port number of the requested service.