May 19, 2026 AI Infrastructure

Anthropic Lets Claude Managed Agents Run Inside Your Own Perimeter

Anthropic used its first European developer event—Code with Claude London—to ship the two features enterprise teams have been blocking on since Managed Agents launched: self-hosted sandboxes (public beta) that let agent execution run inside your own infrastructure, and MCP tunnels (research preview) that let Claude reach internal MCP servers over outbound-only connections—no firewall changes required. Launch partners include Cloudflare, Vercel, Daytona, and Modal, plus a bring-your-own option.

Where Claude Agents Used to Run, and Where They Run Now

Until today, Claude Managed Agents ran the entire execution loop inside Anthropic's cloud. The agent planned, picked tools, executed code, wrote files, and made outbound network calls from an Anthropic-operated sandbox. That worked for greenfield builds and consumer-facing products. It did not work for banks, hospitals, governments, or anyone whose security team's first question is "where exactly does the code run?"

Self-hosted sandboxes split the loop in two. Anthropic's side keeps the orchestration brain—planning, tool selection, conversation state, the model itself. The customer's side—your cloud, your VPC, your physical infrastructure—runs the sandbox where tools actually execute, files actually land, and outbound calls actually originate. From the agent's perspective nothing changes. From the auditor's perspective, the surface where sensitive data touches code never leaves your control plane.

Four Launch Partners, Four Different Bets

The provider list maps cleanly onto how teams already host workloads:

Cloudflare runs sandboxes on microVMs and lighter-weight isolates across the global edge, with zero-trust secrets injection and customizable egress proxies for auditing or rerouting. Amplitude is already shipping its internal Design Agent on this path. We covered the broader collaboration in Cloudflare Environments for Claude Managed Agents.

Vercel Sandbox combines VM-level security with VPC peering and bring-your-own-cloud, with millisecond startup. The standout feature is credential brokering at the network boundary—the environment key never enters the VM at all. Vercel's firewall injects it on outbound requests scoped to the session. Rogo, an institutional-finance AI platform, is the launch case study.

Daytona targets teams that want managed dev-environment infrastructure as the agent runtime. Modal targets teams already running Python and ML workloads on Modal's serverless GPU platform. Both ship platform-specific worker guides for the self-hosted environment.

For teams whose answer to "what's your sandbox host?" is "ourselves," there's a bring-your-own option with full control over compute, isolation, and the secret store.

MCP Tunnels: Reaching Internal Services Without Punching Holes

The second announcement is smaller in surface area but matters more for how teams ship. MCP tunnels let Claude connect to MCP servers inside your private network over an outbound-only connection—no inbound firewall ports, no IP allowlists for Anthropic, no VPN provisioning. The tunnel runs on Cloudflare as the transport provider.

The status is honest: research preview, request access, no Anthropic SLA. Anthropic's own guidance is to use them in non-critical internal tooling first and not route SLA-bound workflows through a research-preview transport. But the architectural pattern is the one regulated enterprises have been asking for since MCP became a standard—connect Claude to your internal Jira, your internal database, your internal observability stack without rewiring your network.

The Credential Question

Every self-hosted-agent design eventually trips on the same wire: how do you give the sandbox the credentials it needs to do useful work, without ever letting the agent see them in plaintext? The patterns Anthropic and its partners landed on are worth knowing.

Vercel Sandbox implements credential brokering at the infrastructure layer—keys are injected by the platform's firewall on outbound requests, scoped to the session, invisible to the agent runtime. Cloudflare offers zero-trust secrets injection through Workers with customizable egress proxies. For teams running their own sandbox, Anthropic ships the primitives but you're on the hook for the credential proxy. The cleanest implementations come from the managed providers—building your own credential broker is a real engineering project, and the guidance is to lean on Vercel's built-in brokering or stay on cloud-hosted Managed Agents if security engineering capacity is the constraint.
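The brokering pattern described above, reduced to a generic decision function (an added example, not Vercel's, Cloudflare's or Anthropic's code). The host name, session fields, header list and secret are all constructed for illustration; the sandbox only ever sees its own unauthenticated request, and the broker decides whether to attach the credential.

```javascript
// Added illustration: a minimal egress credential broker. All names are hypothetical.
// Constructed secret store, held only by the broker (never mounted in the sandbox).
const VAULT = new Map([["api.internal.example", "Bearer constructed-secret-123"]]);

// Headers the sandbox is never allowed to set itself.
const CREDENTIAL_HEADERS = new Set(["authorization", "proxy-authorization", "x-api-key", "cookie"]);

function brokerOutbound(request, session, now = Date.now()) {
  const deny = (reason) => ({ action: "deny", reason, audit: { session: session.id, reason } });

  if (now >= session.expiresAt) return deny("session expired");

  let url;
  try { url = new URL(request.url); } catch { return deny("unparseable URL"); }
  if (url.protocol !== "https:") return deny("plaintext transport");
  if (url.username || url.password) return deny("credentials in URL");
  // Exact host (and port) match: suffix or substring matching is how allowlists get bypassed.
  if (!session.allowedHosts.includes(url.host)) return deny("host not in session scope");

  const secret = VAULT.get(url.host);
  if (!secret) return deny("no credential for host");

  // Drop anything credential-like the sandbox supplied, then inject the real one.
  const headers = {};
  for (const [name, value] of Object.entries(request.headers || {})) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) headers[name.toLowerCase()] = value;
  }
  headers["authorization"] = secret;

  return {
    action: "forward",
    request: { url: url.href, method: request.method || "GET", headers },
    // The audit record names the host, never the secret.
    audit: { session: session.id, host: url.host, injected: true },
  };
}
```

The returned `audit` object is what you would ship to your log pipeline; the secret appears only in the outbound request the broker itself sends.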

Why It Matters for Web Developers

This is the announcement that turns Claude Managed Agents from a sharp consumer/SMB product into an option that survives an enterprise security review. The agent loop is now compatible with HIPAA, with SOC 2 boundaries, with data-residency rules in the EU and Asia, and with the "nothing sensitive leaves our VPC" guardrail almost every regulated team has written into policy.

For developers building on Claude, the practical impact is that you can start designing agents against production data sources you couldn't touch yesterday. Pair self-hosted sandboxes with MCP tunnels and the agent's reach extends to internal systems—databases, observability tools, ticketing, identity—without anyone in security having to approve a new inbound rule. The bigger story all month has been the labs racing to make the agent harness boring; this is what "boring" looks like when the audience is enterprise.

Source: claude.com