MCP Tunnels-04

Self-hosted sandboxes solve the issue of where tool execution runs.

Most of the systems enterprises care about are private: internal databases, private APIs, knowledge bases, ticketing systems, and internal documentation.

Getting an AI agent to reach any of these without creating a security hole has been a pain point.

How MCP Tunnels Work

You deploy a lightweight gateway inside your private network.

From the agent’s perspective, your internal MCP server is just a tool it can call. From your security team’s perspective, nothing has changed about your network configuration.

The idea is about the direction of the connection:

Inbound connections require opening firewall rules and exposing services

Outbound connections don’t — the tunnel is initiated from inside your perimeter, no inbound firewall changes are needed.

MCP tunnels are managed from workspace settings inside the Claude Console at platform.claude.com.

It’s currently in research preview, which means you need to request access rather than enabling it directly.

This update addresses the reason most engineering teams haven’t deployed Claude agents in production.

Self-hosted sandboxes and MCP tunnels don’t fully remove Anthropic.

The agent loop — orchestration, context management, error recovery: still runs on Anthropic’s infrastructure. A fully on-premises deployment isn’t what’s on offer here.

But for the majority of production teams, this is the threshold that is needed.

Both features are live on the Claude Platform at platform.claude.com. To set up:

Read the self-hosted sandboxes docs

Follow the cookbooks on GitHub for provider-specific setup with Cloudflare, Daytona, Modal, or Vercel

Deploy your first agent in the Claude Console