See Networking for conceptual overview and TLS Interception for TLS proxy details.

NetworkPolicy

Static factory for creating preset network policies.

NetworkPolicy.allowAll()

static allowAll(): NetworkConfig

Unrestricted network access, including to private addresses and the host machine.

Returns

| Type | Description |
| --- | --- |
| NetworkConfig | Network configuration |

NetworkPolicy.none()

static none(): NetworkConfig

Deny all traffic. No network interface is created, so the guest is fully offline. exec and fs still work, since they use the host-guest channel rather than the network.

Returns

| Type | Description |
| --- | --- |
| NetworkConfig | Network configuration |

NetworkPolicy.publicOnly()

static publicOnly(): NetworkConfig

Block private address ranges and cloud metadata endpoints; allow everything else. This is the default policy. Because dnsRebindProtection defaults to true, DNS answers that resolve a public name to a private address are also dropped, so the filter cannot be sidestepped by rebinding.

Returns

| Type | Description |
| --- | --- |
| NetworkConfig | Network configuration |

Types

NetworkConfig

Network configuration object passed as SandboxConfig.network. Use NetworkPolicy presets for common cases, or build a custom configuration with rules.

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| blockDomains? | Array<string> | [] | Block DNS for exact domains (returns NXDOMAIN) |
| blockDomainSuffixes? | Array<string> | [] | Block DNS for all subdomains of a suffix |
| defaultAction? | PolicyAction | 'allow' | Action when no rule matches |
| dnsRebindProtection? | boolean | true | Block DNS responses resolving to private IPs |
| maxConnections? | number | - | Maximum concurrent connections |
| policy? | string | - | Preset name (set automatically by NetworkPolicy.*()) |
| rules? | Array<PolicyRule> | [] | Custom rules, evaluated in order; the first match wins |
| tls? | TlsConfig | - | TLS interception configuration |

PolicyAction

| Value | Description |
| --- | --- |
| 'allow' | Permit the traffic |
| 'deny' | Drop the traffic silently |

PolicyDirection

| Value | Description |
| --- | --- |
| 'inbound' | Traffic entering the sandbox (via published ports) |
| 'outbound' | Traffic leaving the sandbox |

PolicyProtocol

| Value | Description |
| --- | --- |
| 'icmpv4' | ICMPv4 traffic |
| 'icmpv6' | ICMPv6 traffic |
| 'tcp' | TCP traffic |
| 'udp' | UDP traffic |

PolicyRule

A single network policy rule. Fields left undefined match any value, so a rule with only an action matches all traffic.

| Field | Type | Description |
| --- | --- | --- |
| action | PolicyAction | What to do when this rule matches |
| destination? | string | Target filter: 'any', 'private', 'loopback', 'metadata', 'multicast', 'link-local', or a CIDR like '10.0.0.0/8' |
| direction? | PolicyDirection | Traffic direction |
| port? | string | Single port ("443") or range ("8000-9000") |
| protocol? | PolicyProtocol | Protocol filter |

TlsConfig

TLS interception settings within NetworkConfig.

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| blockQuic? | boolean | true | Block QUIC/HTTP3 (UDP) on intercepted ports, forcing TCP/TLS fallback. Leaving this off lets clients bypass interception by speaking HTTP/3 over UDP. |
| bypass? | Array<string> | [] | Domains to skip interception. Supports *.suffix wildcards. Use for domains with certificate pinning. |
| interceptCaCert? | string | - | Path to a custom interception CA certificate PEM file |
| interceptCaKey? | string | - | Path to a custom interception CA private key PEM file |
| interceptedPorts? | Array<number> | [443] | TCP ports where TLS interception is active |
| upstreamCaCert? | Array<string> | [] | Paths to additional trusted CA PEM files for upstream verification |
| verifyUpstream? | boolean | true | Verify upstream server certificates. Set to false only for self-signed servers; prefer adding the server's CA via upstreamCaCert, since disabling verification lets anyone on the path impersonate the upstream to the intercepting proxy. |
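The following is an added example, not code from this SDK or its documentation. It builds a NetworkConfig from the fields described above (an egress allow-list that permits only outbound HTTPS to public hosts, with a TlsConfig that bypasses a pinned domain and adds an upstream CA instead of disabling verification), then pairs it with a small first-match-wins evaluator so the rule semantics can be checked offline. The evaluator, the IPv4-only classification of 'private', 'loopback', 'metadata', 'link-local' and 'multicast', the wildcard handling for bypass, and all hostnames and file paths are assumptions for illustration; the real policy engine runs in the sandbox's network layer, not in user code.

```typescript
// Types mirrored from the reference tables on this page (subset).
type PolicyAction = 'allow' | 'deny';
type PolicyDirection = 'inbound' | 'outbound';
type PolicyProtocol = 'icmpv4' | 'icmpv6' | 'tcp' | 'udp';

interface PolicyRule {
  action: PolicyAction;
  destination?: string;
  direction?: PolicyDirection;
  port?: string;
  protocol?: PolicyProtocol;
}

interface TlsConfig {
  bypass?: string[];
  interceptedPorts?: number[];
  upstreamCaCert?: string[];
  verifyUpstream?: boolean;
}

interface NetworkConfig {
  defaultAction?: PolicyAction;
  dnsRebindProtection?: boolean;
  rules?: PolicyRule[];
  tls?: TlsConfig;
}

// Egress allow-list: deny internal targets explicitly, allow only TCP/443
// to anything else, and fall through to 'deny' when nothing matches.
const config: NetworkConfig = {
  defaultAction: 'deny',
  dnsRebindProtection: true,
  rules: [
    { action: 'deny', direction: 'outbound', destination: 'metadata' },
    { action: 'deny', direction: 'outbound', destination: 'private' },
    { action: 'deny', direction: 'outbound', destination: 'loopback' },
    { action: 'allow', direction: 'outbound', protocol: 'tcp', port: '443', destination: 'any' },
  ],
  tls: {
    bypass: ['*.example-pinned.test'],              // assumed pinned domain (constructed)
    interceptedPorts: [443, 8443],
    upstreamCaCert: ['/etc/sandbox/internal-ca.pem'], // assumed path (constructed)
    verifyUpstream: true,                            // keep on; add CAs instead of disabling
  },
};

// ---- Assumed evaluator: illustrates first-match-wins, not the SDK's engine ----

const ipToInt = (ip: string): number =>
  ip.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;

function inCidr(ip: string, cidr: string): boolean {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr ?? '32');
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Assumed IPv4 meaning of the named destination filters.
const NAMED: Record<string, string[]> = {
  loopback: ['127.0.0.0/8'],
  private: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'],
  metadata: ['169.254.169.254/32'],
  'link-local': ['169.254.0.0/16'],
  multicast: ['224.0.0.0/4'],
};

function destinationMatches(filter: string | undefined, ip: string): boolean {
  if (filter === undefined || filter === 'any') return true;
  const cidrs = NAMED[filter] ?? [filter]; // otherwise treat the filter as a CIDR
  return cidrs.some((c) => inCidr(ip, c));
}

function portMatches(filter: string | undefined, port: number): boolean {
  if (filter === undefined) return true;
  const [lo, hi] = filter.split('-').map(Number); // "443" or "8000-9000"
  return port >= lo && port <= (hi ?? lo);
}

interface Flow { direction: PolicyDirection; protocol: PolicyProtocol; ip: string; port: number; }

// Rules are scanned in order; an undefined field on a rule matches anything.
function evaluate(cfg: NetworkConfig, flow: Flow): PolicyAction {
  for (const r of cfg.rules ?? []) {
    if (r.direction !== undefined && r.direction !== flow.direction) continue;
    if (r.protocol !== undefined && r.protocol !== flow.protocol) continue;
    if (!destinationMatches(r.destination, flow.ip)) continue;
    if (!portMatches(r.port, flow.port)) continue;
    return r.action; // first match wins
  }
  return cfg.defaultAction ?? 'allow';
}

// Interception applies on an intercepted port unless the host is bypassed;
// a '*.suffix' pattern is assumed to match subdomains of the suffix.
function isIntercepted(tls: TlsConfig, host: string, port: number): boolean {
  if (!(tls.interceptedPorts ?? [443]).includes(port)) return false;
  return !(tls.bypass ?? []).some((pat) =>
    pat.startsWith('*.') ? host.endsWith(pat.slice(1)) : host === pat);
}

console.log(evaluate(config, { direction: 'outbound', protocol: 'tcp', ip: '169.254.169.254', port: 443 }));
console.log(isIntercepted(config.tls!, 'api.example-pinned.test', 443));
```

With this configuration an outbound TCP connection to 169.254.169.254:443 is denied by the metadata rule even though port 443 is otherwise allowed, plain HTTP to a public host falls through to the 'deny' default, and TLS to a host under the pinned suffix is passed through untouched while other hosts on 443 and 8443 are intercepted.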