Typical flow
NetworkPolicy, Rule, Destination, and PortRange each merge a value-type interface with a factory namespace under one name, all re-exported from microsandbox.
NetworkPolicy
ANetworkPolicy is an ordered rule list plus two per-direction defaults, evaluated first-match-wins. The presets below construct common shapes directly; for anything custom, start from builder() or write a literal and pass it to NetworkBuilder.policy().
Rule order matters
The first matching rule wins, so a broad rule placed before a narrow one swallows it:Shadow detection
NetworkPolicyBuilder.build() walks the rules and warns when a rule is fully covered by an earlier one in the same direction. Only cidr and group destinations are checked; domain coverage depends on runtime DNS and is skipped. Builds still succeed; the warning surfaces as a host-side tracing::warn! from the Rust core:
Rule.allowEgress(...) etc. do not run through the builder and skip this check.
NetworkPolicy.builder()
Example
Example
NetworkPolicyBuilder. Equivalent to new NetworkPolicyBuilder(). String inputs (.ip(), .cidr(), .domain(), .domainSuffix()) are stored raw and parsed at build(), so the chain stays clean and the first parse or validation failure surfaces there.
Returns
NetworkPolicy.none()
exec and fs still work since they use the host-guest channel, not the network.
NetworkPolicy.allowAll()
NetworkPolicy.publicOnly()
NetworkPolicy.nonLocal()
Rule, Destination, PortRange
Factories for the building blocks of a policy literal.Rule values pair a Destination with a direction and action; Destination and PortRange construct the matchers.
Rule.allowEgress()
Example
Example
egress. Empty protocols and ports mean “any”.
Parameters
destinationDestinationRule.denyEgress()
egress.
Parameters
destinationDestinationRule.allowIngress()
ingress.
Parameters
destinationDestinationRule.denyIngress()
ingress.
Parameters
destinationDestinationRule.allowAny()
any (matches in either direction).
Parameters
destinationDestinationRule.denyAny()
any (matches in either direction).
Parameters
destinationDestinationRule.allowDns()
Example
Example
Destination.group("host") tcp/853 allow rule if needed (and pair with TLS interception).
Destination.any()
Destination.cidr()
Parameters
cidrstring“10.0.0.0/8”.Destination.domain()
Parameters
domainstringDestination.domainSuffix()
Parameters
suffixstringDestination.group()
Parameters
groupDestinationGroupPortRange.single()
start and end are set to the same value.
Parameters
portnumberPortRange.range()
Parameters
startnumberendnumberNetworkBuilder
Passed to the callback you giveSandboxBuilder.network(...). Every setter returns the same builder. The runtime serializes the accumulated config when the sandbox is created.
.policy()
Example
Example
NetworkPolicy literal or factory result, or a NetworkPolicyBuilder (routed through the native bridge so lazy parse/validation errors surface at this call site).
Parameters
policyNetworkPolicy.port()
127.0.0.1.
Parameters
hostnumberguestnumber.portBind()
0.0.0.0.
Parameters
bindstringhostnumberguestnumber.portUdp()
127.0.0.1.
Parameters
hostnumberguestnumber.portUdpBind()
Parameters
bindstringhostnumberguestnumber.dns()
Example
Example
DnsBuilder.
Parameters
configureDnsBuilder.tls()
TlsBuilder.
Parameters
configureTlsBuilder.trustHostCAs()
false. Opt in for corporate MITM proxies (Cloudflare Warp Zero Trust, Zscaler, Netskope, etc.) whose gateway CA is installed on the host but unknown to the guest’s stock Mozilla bundle.
Parameters
enabledboolean.maxConnections()
Parameters
maxnumber.ipv4Pool()
/30 guest subnets. Defaults to 172.16.0.0/12.
Parameters
poolstring.ipv6Pool()
/64 guest prefixes. Defaults to fd42:6d73:62::/48.
Parameters
poolstring.interface()
Example
Example
InterfaceOverridesBuilder exposes .mac(), .mtu(), .ipv4(), and .ipv6().
Parameters
configureInterfaceOverridesBuilder.enabled()
false, no network interface is created.
Parameters
enabledboolean.onSecretViolation()
Example
Example
ViolationActionBuilder.
Parameters
configureViolationActionBuilder.secret()
SecretBuilder.
Parameters
configureSecretBuilder.secretEnv()
Parameters
envVarstring= or NUL).valuestringplaceholderstringallowedHoststring.secretEnvSimple()
Example
Example
$MSB_<envVar>, so it is the terse counterpart to secretEnv() when you do not need a custom placeholder. The full secret API also lives on the secrets page.
Parameters
envVarstring= or NUL).valuestringallowedHoststring.build()
NetworkConfig. The native bridge returns snake_case serde output, which the wrapper remaps to camelCase keys before handing back a plain JS object. Inside SandboxBuilder.network(...) the runtime calls this for you; call it directly only when you want to inspect or persist the resolved config.
Returns
NetworkPolicyBuilder
Fluent builder forNetworkPolicy. The closure passed to .rule() / .egress() / .ingress() / .any() receives a RuleBuilder; state setters and rule-adders chain freely. The first parse / validation failure surfaces from build().
.defaultDeny()
defaultEgress and defaultIngress to "deny".
.defaultAllow()
defaultEgress and defaultIngress to "allow".
.defaultEgress()
Parameters
action”allow” | “deny”.defaultIngress()
Parameters
action”allow” | “deny”.egress()
rule() with direction pre-set to egress.
Parameters
configureRuleBuilder.ingress()
rule() with direction pre-set to ingress.
Parameters
configureRuleBuilder.any()
rule() with direction pre-set to any. Rules committed inside apply in both directions.
Parameters
configureRuleBuilder.rule()
.egress(), .ingress(), or .any() before any rule-adder.
Parameters
configureRuleBuilder.build()
NetworkPolicy. Lazily parses every recorded .ip() / .cidr() / .domain() / .domainSuffix() input, validates direction-set and ICMP-egress-only invariants, and emits a host-side warning for each shadowed rule pair.
Returns
RuleBuilder
Per-rule-batch builder. Lives only inside the callback passed to.rule() / .egress() / .ingress() / .any() on a NetworkPolicyBuilder. State setters and rule-adders interleave freely; state accumulates eagerly across the callback and is not reset between adders:
.rule() / .egress() callbacks for rules that need different state.
Direction setters
Last-write-wins. ICMP rule-adders are egress-only at build time..egress()
egress for subsequent rule-adders.
.ingress()
ingress for subsequent rule-adders.
.any()
any for subsequent rule-adders. Rules committed after this apply in both directions.
Protocol setters
Protocols accumulate as a set; duplicates dedupe..tcp()
tcp to the protocols set.
.udp()
udp to the protocols set.
.icmpv4()
icmpv4 to the protocols set. Egress-only; an ICMP rule on an ingress or any direction fails build.
.icmpv6()
icmpv6 to the protocols set. Egress-only; same rules as icmpv4().
Port setters
Ports accumulate as a set; duplicates dedupe. Always guest-side (egress destination port / ingress listening port)..port()
Parameters
portnumber0..=65535..portRange()
lo > hi records an error surfaced at build() time.
Parameters
lonumberhinumber.ports()
port() once per element.
Parameters
portsnumber[]Group rule-adders
Each adder commits one rule using the current state and the named destination group..allowPublic()
public group (complement of named categories: every IP not in any other group).
.denyPublic()
public group.
.allowPrivate()
private group (RFC1918 + ULA + CGN).
.denyPrivate()
private group.
.allowLoopback()
loopback group (127.0.0.0/8, ::1). The guest’s own loopback, not the host. To reach a service on the host’s localhost, use allowHost() instead. See the loopback-vs-host watch-out.
.denyLoopback()
loopback group.
.allowLinkLocal()
link-local group (169.254.0.0/16, fe80::/10). Excludes the metadata IP 169.254.169.254.
.denyLinkLocal()
link-local group.
.allowMeta()
metadata group (169.254.169.254). Dangerous on cloud hosts (exposes IAM credentials).
.denyMeta()
metadata group.
.allowMulticast()
multicast group (224.0.0.0/4, ff00::/8).
.denyMulticast()
multicast group.
.allowHost()
host group: per-sandbox gateway IPs that back host.microsandbox.internal. This is the right shortcut for “let the sandbox reach my host’s localhost”, not allowLoopback().
.denyHost()
host group.
Composite rule-adders
.allowLocal()
loopback + link-local + host. Each uses the callback’s current state. metadata is intentionally not included; opt in via allowMeta() separately.
.denyLocal()
loopback + link-local + host. metadata is intentionally not included.
Domain rule-adders
Singular forms add one rule; plural forms add one rule per element..allowDomain()
Destination::Domain allow rule.
Parameters
namestring.denyDomain()
Destination::Domain deny rule.
Parameters
namestring.allowDomains()
Destination::Domain allow rule per name.
Parameters
namesstring[].denyDomains()
Destination::Domain deny rule per name.
Parameters
namesstring[].allowDomainSuffix()
Destination::DomainSuffix allow rule. Matches the apex and any subdomain.
Parameters
suffixstring.denyDomainSuffix()
Destination::DomainSuffix deny rule. Matches the apex and any subdomain.
Parameters
suffixstring.allowDomainSuffixes()
Destination::DomainSuffix allow rule per suffix.
Parameters
suffixesstring[].denyDomainSuffixes()
Destination::DomainSuffix deny rule per suffix.
Parameters
suffixesstring[]Explicit-destination rule-adders
.allow() / .deny() open a RuleDestinationBuilder callback. Exactly one destination call commits the rule.
.allow()
allow.
Parameters
configureRuleDestinationBuilder.deny()
deny.
Parameters
configureRuleDestinationBuilderRuleDestinationBuilder
Returned byRuleBuilder.allow(d => ...) / .deny(d => ...). Exactly one destination call commits the rule; dropping without a destination call silently does nothing.
.ip()
Destination::Cidr of the IP as /32 or /128.
Parameters
ipstring.cidr()
Destination::Cidr.
Parameters
cidrstring.domain()
Destination::Domain.
Parameters
domainstring.domainSuffix()
Destination::DomainSuffix.
Parameters
suffixstring.group()
Destination::Group. group is a DestinationGroup string.
Parameters
groupDestinationGroup.any()
Destination::Any.
DnsBuilder
Builder for DNS interception settings. Used inNetworkBuilder.dns(d => ...). Owns rebind protection, nameserver pinning, and the per-query timeout.
.rebindProtection()
Parameters
enabledboolean.nameservers()
Parameters
serversstring[]IP, IP:PORT, HOST, or HOST:PORT..queryTimeoutMs()
Parameters
msnumberTlsBuilder
Builder for TLS interception settings. Used inNetworkBuilder.tls(t => ...).
.bypass()
"*.internal.corp"). Use for domains with certificate pinning.
Parameters
patternstring.verifyUpstream()
true. Set to false only for self-signed servers.
Parameters
verifyboolean.verifyUpstreamFor()
pattern. Pattern syntax matches bypass(): exact hosts and *.suffix wildcards are supported. Setting verify to false is the proxy-side equivalent of curl -k for matching hosts; TLS interception still runs.
.interceptedPorts()
[443].
Parameters
portsnumber[].blockQuic()
Parameters
blockboolean.interceptCaCert()
Parameters
pathstring.interceptCaKey()
Parameters
pathstring.upstreamCaCert()
Parameters
pathstring.upstreamCaCertFor()
pattern. Pattern syntax matches bypass(): exact hosts and *.suffix wildcards are supported.
ViolationActionBuilder
Configures the action taken when a secret would be sent to a disallowed host. Used inNetworkBuilder.onSecretViolation(v => ...). Passthrough host calls accumulate; when passthrough hosts are configured, non-matching hosts use the default secret-violation action.
.block()
.blockAndLog()
.blockAndTerminate()
.passthroughHost()
Parameters
hoststring.passthroughHostPattern()
Parameters
patternstring.passthroughAllHosts()
iUnderstand flag must be true to acknowledge the broad scope.
Parameters
iUnderstandbooleantrue to opt in.Types
NetworkConfig
Returned by NetworkBuilder.build()
Built network configuration produced byNetworkBuilder.build(). Keys are camelCased from the Rust serde output.
| Field | Type | Description |
|---|---|---|
| enabled | boolean | Master enable flag |
| ports | readonly PublishedPort[] | Port publishings |
| policy | NetworkPolicy | null | Active policy |
| dns | DnsConfig | null | DNS interception |
| tls | TlsConfig | null | TLS interception |
| secrets | readonly SecretEntry[] | Secret entries |
| secretViolation | ViolationAction | null | Action on disallowed secret use |
| maxConnections | number | null | Maximum concurrent connections |
| interface | { ipv4Pool?, ipv6Pool?, ipv4Address?, ipv6Address?, mac?, mtu? } | Optional interface overrides |
| trustHostCAs | boolean | Ship host CAs into the guest |
NetworkPolicy
Used by NetworkBuilder.policy() · returned by NetworkPolicy factories
Ordered rule list with per-direction defaults. First-match-wins is evaluated independently for egress and ingress.Rule
Used by NetworkPolicy.rules · built via Rule factories
A single ordered policy rule.Action
Used by Rule.action · NetworkPolicy defaults
Action taken on a matching rule (or the per-direction default).Direction
Used by Rule.direction
Direction the rule applies to.Destination
Used by Rule.destination · built via Destination factories
Destination filter. An internally-tagged union; use theDestination factory for constructors.
DestinationGroup
Used by Destination.group() · RuleDestinationBuilder.group()
Predefined address group keyword. The runtime constantDestinationGroups lists all values.
| Value | Description |
|---|---|
'public' | Public internet (everything not in another group) |
'loopback' | Guest’s own 127.0.0.0/8 / ::1 |
'private' | RFC1918 LAN ranges (+ ULA + CGN) |
'link-local' | 169.254.0.0/16 / fe80::/10 |
'metadata' | Cloud metadata endpoint (169.254.169.254) |
'multicast' | 224.0.0.0/4 / ff00::/8 |
'host' | The host machine, reached via host.microsandbox.internal |
Protocol
Used by Rule.protocols
Transport protocol filter. EmptyRule.protocols means “any protocol”.
PortRange
Used by Rule.ports · built via PortRange factories
Inclusive port range. Always interpreted as the guest-side port.PublishedPort
Used by NetworkConfig.ports
A published port mapping from the guest to the host.DnsConfig
Used by NetworkConfig.dns
DNS interception configuration.| Field | Type | Description |
|---|---|---|
| nameservers | readonly string[] | Upstream nameservers |
| rebindProtection | boolean | null | DNS rebinding protection toggle |
| queryTimeoutMs | number | null | Per-query timeout |
TlsConfig
Used by NetworkConfig.tls
TLS interception configuration.| Field | Type | Description |
|---|---|---|
| bypass | readonly string[] | Bypass globs (e.g. "*.googleapis.com") |
| verifyUpstream | boolean | null | Verify upstream certs |
| interceptedPorts | readonly number[] | Intercepted TCP ports |
| blockQuic | boolean | null | Block QUIC on intercepted ports |
| upstreamCaCertPaths | readonly string[] | Extra trust roots for upstream verification |
| scopedUpstreamCaCerts | readonly ScopedUpstreamCaCert[] | Host-scoped extra trust roots for upstream verification |
| scopedVerifyUpstream | readonly ScopedVerifyUpstream[] | Host-scoped upstream certificate verification overrides |
| interceptCaCertPath | string | null | Custom intercept CA cert (PEM) |
| interceptCaKeyPath | string | null | Custom intercept CA key (PEM) |
ScopedUpstreamCaCert
| Field | Type | Description |
|---|---|---|
| pattern | string | Exact host or *.suffix wildcard |
| path | string | CA bundle path trusted for matching upstream hosts |
ScopedVerifyUpstream
| Field | Type | Description |
|---|---|---|
| pattern | string | Exact host or *.suffix wildcard |
| verify | boolean | Whether to verify certificates for matching upstream hosts |
InterfaceOverridesBuilder
Used by NetworkBuilder.interface()
Builder for per-sandbox network interface overrides.| Method | Description |
|---|---|
.mac(mac) | Set the interface MAC address |
.mtu(mtu) | Set the interface MTU |
.ipv4(address) | Pin a fixed IPv4 address |
.ipv6(address) | Pin a fixed IPv6 address |