
Advanced egress firewall filtering for Vercel Sandbox

Going beyond IP based rules to host based

Restrict to specific hosts at creation

import { Sandbox } from '@vercel/sandbox';

const sandbox = await Sandbox.create({
  networkPolicy: {
    allow: ['ai-gateway.vercel.sh', '*.vercel.com'],
  },
});

// Can reach Vercel AI Gateway and Vercel, nothing else
await sandbox.runCommand('node', ['process-data.js']);

Adjust after initial setup

import { Sandbox } from '@vercel/sandbox';

const sandbox = await Sandbox.create();

// Phase 1: Open network, download everything we need
await sandbox.runCommand('npm', ['install']);
await sandbox.runCommand('aws', ['s3', 'cp', 's3://my-bucket/input-data', './data', '--recursive']);

// Phase 2: Lock down, only the AI gateway is reachable
await sandbox.updateNetworkPolicy({
  allow: ['ai-gateway.vercel.sh'],
});

// Run the untrusted / agent-driven workload in isolation
await sandbox.runCommand('node', ['agent.js']);

// Phase 3: Open a narrow hole to post results back
await sandbox.updateNetworkPolicy({
  allow: ['my-bucket.s3.amazonaws.com'],
});
await sandbox.runCommand('aws', ['s3', 'cp', './output/results.json', 's3://my-bucket/output/results.json']);

// Phase 4: Lock down Internet access
await sandbox.updateNetworkPolicy('deny-all');
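
In the phased flow above, if any awaited step rejects, the later `updateNetworkPolicy` calls never run and the sandbox keeps whatever policy was in force at that point. The following is an added example, not Vercel's code: it wraps the phases so the sandbox always ends in `deny-all`. `runPhases` and `makeRecordingSandbox` are hypothetical names, and the recording stub is a constructed stand-in so the block runs offline; only `updateNetworkPolicy` and `runCommand`, in the shapes shown on this page, are assumed of a real sandbox.

```javascript
// Added example (not Vercel's code). runPhases and makeRecordingSandbox are
// hypothetical names; only updateNetworkPolicy/runCommand come from the page.

// Run phases in order; each may set a network policy before its commands.
// Whatever happens, the sandbox ends in 'deny-all'.
async function runPhases(sandbox, phases) {
  const completed = [];
  try {
    for (const { name, policy, run } of phases) {
      // undefined policy: keep the policy already in force for this phase.
      if (policy !== undefined) await sandbox.updateNetworkPolicy(policy);
      await run(sandbox);
      completed.push(name);
    }
    return completed;
  } finally {
    // Runs on success and on failure. A rejection here replaces the original error.
    await sandbox.updateNetworkPolicy('deny-all');
  }
}

// Constructed stand-in for a sandbox: records calls, contacts nothing.
function makeRecordingSandbox(failOn) {
  const calls = [];
  return {
    calls,
    async updateNetworkPolicy(policy) { calls.push(['policy', policy]); },
    async runCommand(cmd, args) {
      calls.push(['run', cmd]);
      if (cmd === failOn) throw new Error(`${cmd} failed`);
    },
  };
}

// Demo: the agent phase fails, so the upload phase (and its S3 hole) never
// happens, and the last policy applied is still 'deny-all'.
async function demo() {
  const sandbox = makeRecordingSandbox('node');
  const phases = [
    { name: 'agent', policy: { allow: ['ai-gateway.vercel.sh'] },
      run: (s) => s.runCommand('node', ['agent.js']) },
    { name: 'upload', policy: { allow: ['my-bucket.s3.amazonaws.com'] },
      run: (s) => s.runCommand('aws', ['s3', 'cp', './output/results.json',
        's3://my-bucket/output/results.json']) },
  ];
  const error = await runPhases(sandbox, phases).then(() => null, (e) => e.message);
  return { error, calls: sandbox.calls };
}
demo().then((r) => console.log(r));
```

With a real sandbox, pass the object returned by `Sandbox.create()` in place of the stub.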
