See Networking for conceptual overview and TLS Interception for TLS proxy details.

Network

Frozen dataclass for sandbox network configuration. Use the class method presets for common cases, or construct directly with custom options.
Network(
    policy: str | NetworkPolicy | None = None,
    ports: Mapping[int, int] = {},
    block_domains: tuple[str, ...] = (),
    block_domain_suffixes: tuple[str, ...] = (),
    dns_rebind_protection: bool = True,
    tls: TlsConfig | None = None,
    max_connections: int | None = None,
)
Field                  Type                         Default  Description
policy                 str | NetworkPolicy | None   None     Preset name or custom NetworkPolicy
ports                  Mapping[int, int]            {}       Port mappings from host to guest
block_domains          tuple[str, ...]              ()       Block DNS for exact domains (returns NXDOMAIN)
block_domain_suffixes  tuple[str, ...]              ()       Block DNS for all subdomains of a suffix
dns_rebind_protection  bool                         True     Block DNS responses resolving to private IPs
tls                    TlsConfig | None             None     TLS interception configuration
max_connections        int | None                   None     Maximum concurrent connections

Network.none()

@classmethod
def none() -> Network
Deny all traffic. No network interface is created — the guest is fully offline. exec and fs still work since they use the host-guest channel, not the network.
Returns
Type     Description
Network  Fully airgapped network configuration

Network.public_only()

@classmethod
def public_only() -> Network
Block private address ranges and cloud metadata endpoints. Allow everything else. This is the default policy.
Returns
Type     Description
Network  Public-only network configuration

Network.allow_all()

@classmethod
def allow_all() -> Network
Unrestricted network access, including to private addresses and the host machine.
Returns
Type     Description
Network  Unrestricted network configuration

Types

NetworkPolicy

Frozen dataclass for a custom network policy with rules.
NetworkPolicy(
    default_action: Action = Action.ALLOW,
    rules: tuple[Rule, ...] = (),
)
Field           Type              Default       Description
default_action  Action            Action.ALLOW  Action when no rule matches
rules           tuple[Rule, ...]  ()            Custom rules evaluated first-match-wins

Rule

Frozen dataclass for a single network policy rule.
Rule(
    action: Action,
    direction: Direction = Direction.EGRESS,
    destination: str | None = None,
    protocol: Protocol | None = None,
    port: int | str | None = None,
)
Field        Type               Default           Description
action       Action             -                 What to do when this rule matches
direction    Direction          Direction.EGRESS  Traffic direction
destination  str | None         None              Target filter: a DestGroup value, domain, CIDR range, domain suffix (prefixed with "."), or "*" for any
protocol     Protocol | None    None              Protocol filter
port         int | str | None   None              Single port (443) or range ("8000-9000")

Rule.allow()

@classmethod
def allow(
    *,
    direction: Direction = Direction.EGRESS,
    protocol: Protocol | None = None,
    port: int | str | None = None,
    destination: str | None = None,
) -> Rule
Create a rule that permits matching traffic.
Parameters
Parameter    Type              Default           Description
direction    Direction         Direction.EGRESS  Traffic direction
protocol     Protocol | None   None              Protocol filter
port         int | str | None  None              Port or port range
destination  str | None        None              Destination filter
Returns
Type  Description
Rule  An allow rule

Rule.deny()

@classmethod
def deny(
    *,
    direction: Direction = Direction.EGRESS,
    protocol: Protocol | None = None,
    port: int | str | None = None,
    destination: str | None = None,
) -> Rule
Create a rule that blocks matching traffic.
Parameters
Parameter    Type              Default           Description
direction    Direction         Direction.EGRESS  Traffic direction
protocol     Protocol | None   None              Protocol filter
port         int | str | None  None              Port or port range
destination  str | None        None              Destination filter
Returns
Type  Description
Rule  A deny rule

TlsConfig

Frozen dataclass for TLS interception settings within Network.
TlsConfig(
    bypass: tuple[str, ...] = (),
    verify_upstream: bool = True,
    intercepted_ports: tuple[int, ...] = (443,),
    block_quic: bool = False,
    ca_cert: str | None = None,
    ca_key: str | None = None,
    ca_cn: str | None = None,
)
Field              Type              Default  Description
bypass             tuple[str, ...]   ()       Domains to skip interception. Use for domains with certificate pinning.
verify_upstream    bool              True     Verify upstream server certificates. Set to False only for self-signed servers.
intercepted_ports  tuple[int, ...]   (443,)   TCP ports where TLS interception is active
block_quic         bool              False    Block QUIC/HTTP3 (UDP) on intercepted ports, forcing TCP/TLS fallback
ca_cert            str | None        None     Path to a custom interception CA certificate PEM file
ca_key             str | None        None     Path to a custom interception CA private key PEM file
ca_cn              str | None        None     Common name for the generated interception CA

Action

String enum (StrEnum) for policy actions.
Value    Description
"allow"  Permit the traffic
"deny"   Drop the traffic silently

Direction

String enum for traffic direction.
Value      Description
"egress"   Traffic leaving the sandbox
"ingress"  Traffic entering the sandbox (via published ports)

Protocol

String enum for network protocols in policy rules.
Value     Description
"tcp"     TCP traffic
"udp"     UDP traffic
"icmpv4"  ICMPv4 traffic
"icmpv6"  ICMPv6 traffic

PortProtocol

String enum for port-level protocol selection.
Value  Description
"tcp"  TCP port
"udp"  UDP port

DestGroup

String enum for well-known destination groups used in Rule.destination.
Value         Description
"loopback"    Loopback addresses (127.0.0.0/8, ::1)
"private"     Private/RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
"link-local"  Link-local addresses (169.254.0.0/16, fe80::/10)
"metadata"    Cloud metadata endpoints (169.254.169.254)
"multicast"   Multicast addresses (224.0.0.0/4, ff00::/8)