Anthropic MCP Tunnels Put Enterprise Agent Tools Inside the Private Perimeter

By Vatsal Shah · 2026-05-25 · AI Agents

What Happened

On May 19, 2026, at the Code with Claude developer conference in London, Anthropic announced a dual-pronged security and integration upgrade for its enterprise AI ecosystem: Model Context Protocol (MCP) Tunnels (released in research preview) and Self-Hosted Sandboxes (released in public beta). These security layers are designed specifically for Claude Managed Agents, Anthropic's orchestration runtime launched earlier this year.

For months, enterprise platform teams attempting to deploy autonomous agents faced a structural gridlock. To perform useful work, agents require direct integration with internal databases, private git repositories, corporate APIs, and local file systems. However, exposing these resources to a public cloud LLM typically meant creating public API endpoints or opening inbound ports in corporate firewalls.

Anthropic's release addresses this challenge directly. MCP tunnels establish an outbound-only connection from the customer's private environment to Anthropic's hosted Claude instance, allowing secure bi-directional tool communication. Simultaneously, the self-hosted sandbox framework allows developers to execute LLM-generated code within isolated containers running on their own infrastructure, utilizing integrations with virtualization partners like Cloudflare, Daytona, Modal, and Vercel.

Why It Matters

As an engineering leader, I have watched dozens of enterprise agent pilots die in compliance reviews. The issue is rarely the capability of the model; it is almost always the risk profile of the runtime. When an agent decides to write code, execute a database query, or update a Jira ticket, it must run a command. Traditionally, this meant giving a third-party API direct access to internal endpoints.

The introduction of MCP tunnels shifts the security paradigm from inbound access control to outbound policy containment. By utilizing the Model Context Protocol, enterprises can define granular schemas that specify exactly which tools are exposed, what parameters are allowed, and under what conditions. The host system establishes an outbound-only tunnel to Anthropic. When Claude wants to call a tool, the request is pushed down this established tunnel, executed locally, and returned. Anthropic's servers never initiate a connection into your infrastructure.

This architecture mitigates three critical security vectors:

1. Elimination of Inbound Firewall Holes: Security teams do not need to configure complex IP whitelisting or open public-facing endpoints.
2. Data Residency Compliance: Regulated data stays within the boundary of the customer's private cloud or VPC; only the specific tool responses are sent back through the tunnel.
3. Blast Radius Control: By matching the outbound tunnel with self-hosted sandboxes, any shell execution or system modification triggered by Claude's code-writing capabilities is confined to a disposable, local container, eliminating the risk of lateral network movement.

Sandboxing the Agent: Self-Hosted vs. Hosted Environments

While MCP tunnels manage the connectivity plane, sandboxes govern the execution plane. When Claude Managed Agents write and run Python or JavaScript to analyze data, the runtime must be isolated. Anthropic has historically provided hosted sandboxes, but for enterprises with strict compliance requirements, sending raw data to an external container registry is unacceptable.

Self-hosted sandboxes allow the customer to dictate the virtualization layer. Whether running on micro-virtual machines (MicroVMs) or ephemeral Docker instances, developers maintain absolute control over memory limits, CPU allocations, network interfaces, and kernel policies.

The following comparison table breaks down the key tradeoffs between Anthropic's fully hosted sandboxes and the newly released self-hosted sandbox architecture:

Under the Hood: Outbound-Only Tunnels vs. Inbound Exposure

To understand how MCP tunnels prevent malicious intercept, we must review the connection protocol. The Model Context Protocol uses Server-Sent Events (SSE) as its default transport layer for HTTP-based communication, falling back to standard JSON-RPC over stdio for local integrations.

In a traditional setup, when Claude runs in the cloud, it must reach your local server. This requires exposing an HTTP listener:

[Claude (Cloud)]  -- (HTTP POST Request) -->  [Enterprise Firewall (Open Port 443)]  -->  [Local MCP Server]

This model is a CISO's nightmare. Every open port is an invitation for DDoS attacks, port scanning, and exploit attempts.

MCP tunnels resolve this by initiating an outbound-only WebSocket or SSE connection from inside the secure network. The local client contacts Anthropic's gateway, establishing a persistent channel:

[Local MCP Server]  -- (Outbound Connection) -->  [Anthropic Gateway (Cloud)]

When Claude wishes to run a tool, Anthropic's gateway serializes the request and pushes it down the established outbound stream. The local client executes the request and sends the response back over the same connection. The port on your firewall remains closed to the public internet.

Partner Execution Plane: Cloudflare, Daytona, Modal, and Vercel

Rather than building custom virtualization hypervisors from scratch, Anthropic has opened the self-hosted sandbox protocol to the modern web infrastructure ecosystem. Four core partners provide pre-configured runtimes for executing agent tasks:

• Cloudflare Workers & Hyperdrive: Cloudflare integration allows Claude to run isolated code segments inside Cloudflare's global edge network. By utilizing Cloudflare Workers, code executes in lightweight V8 isolates with cold start times under 5 milliseconds.
• Daytona: Daytona provides container-based workspaces specifically tuned for developers. When Claude requests a sandbox environment, Daytona spins up a isolated Linux container, provisions dependencies, mounts git branches, and tears down the workspace upon completion.
• Modal: For heavy computational workloads—such as model fine-tuning or vector search indexing—Modal provides a serverless execution grid. It allows agents to offload tasks to dynamic CPU/GPU instances without managing persistent server pools.
• Vercel: Vercel leverages its edge functions and serverless framework to support frontend-focused agents, enabling Claude to build, test, and preview UI components in real-time within sandboxed preview environments.

Technical Implementation: Deploying a Secure Outbound MCP Server

To deploy a secure outbound tunnel connection, platform teams can run a lightweight Node.js wrapper that establishes a persistent channel. Below is a production-ready example of a local MCP server utilizing Node.js and the official Model Context Protocol SDK to expose a secure tool and route it via an outbound stream.

import { Server } from "@modelcontextprotocol/sdk/server/index.js";
import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
import express from "express";

// Initialize the local MCP Server
const server = new Server({
  name: "enterprise-secure-gateway",
  version: "1.0.0"
}, {
  capabilities: {
    tools: {}
  }
});

// Define a secure tool that remains completely local
server.setRequestHandler(
  async (request) => {
    if (request.method === "tools/list") {
      return {
        tools: [{
          name: "fetch_internal_metrics",
          description: "Fetches system performance indices from private database. Never exposed to public web.",
          inputSchema: {
            type: "object",
            properties: {
              metricType: { type: "string" }
            },
            required: ["metricType"]
          }
        }]
      };
    }
    
    if (request.method === "tools/call") {
      const { name, arguments: args } = request.params;
      if (name === "fetch_internal_metrics") {
        // Query database locally (remains within private boundary)
        const metrics = await queryLocalDatabase(args.metricType);
        return {
          content: [{
            type: "text",
            text: JSON.stringify(metrics)
          }]
        };
      }
    }
  }
);

// express wrapper to handle outbound SSE registration
const app = express();
let transport;

app.get("/sse", async (req, res) => {
  // Establish outbound SSE channel
  transport = new SSEServerTransport("/message", res);
  await server.connect(transport);
});

app.post("/message", async (req, res) => {
  if (transport) {
    await transport.handleMessage(req, res);
  } else {
    res.sendStatus(400);
  }
});

app.listen(3010, () => {
  console.log("Local MCP Server ready on port 3010");
});

To run this in production under a secure zero-trust model, launch the Node process with experimental permissions, locking down file system and child process capabilities:

# Execute with strict sandboxing enabled on Node v24+
node --experimental-permission --allow-fs-read="/app" --allow-net="api.anthropic.com" index.js

Pitfalls & Enterprise Security Anti-Patterns

While outbound tunnels protect your perimeter from inbound intrusions, they introduce new failure modes if deployed without governance:

• The Broad-Scope Trap: Exposing generic shell execution tools (e.g., execute_command) inside your MCP server completely bypasses the security benefits of the tunnel. If Claude is compromised via prompt injection, an attacker can send commands through the tunnel to execute native code on your host server. Always build single-purpose, highly constrained tools.
• Stale Token Architecture: Outbound tunnels authenticate to the Anthropic platform using long-lived API keys. If these keys are checked into source code or exposed via environment logs, unauthorized agents can connect to your internal endpoints. Implement dynamic token rotation using a secret manager.
• Implicit Trust in Outputs: Tunnels transmit structured JSON data. Never assume that the output returned by a local tool is safe to render directly in user-facing UIs. Implement schema validation at both ends of the tunnel.

Implications for the Model Context Protocol (MCP) Ecosystem

The timing of this security announcement is not accidental. The standardization of MCP is moving rapidly. Following Anthropic's donation of the protocol to the Linux Foundation, MCP is evolving from a single-vendor framework into an industry-wide open standard supported by major tech players.

By solving the outbound firewall and sandboxing problems, Anthropic is positioning MCP as the default enterprise integration pattern. Organizations can now build a single library of internal MCP servers and share them securely across different agent runtimes, whether hosted by Anthropic, Vercel, or local instances. This reduces integration debt and accelerates the transition from simple chat assistants to autonomous agentic swarms.

What to Watch Next

As you align your engineering roadmap, watch for three key developments in this space:

1. Enterprise VPC Integrations (AWS PrivateLink / Azure Private Link): While MCP tunnels currently route over the public internet (encrypted via TLS), Anthropic is expected to announce direct VPC peering support, allowing tunnels to run entirely within cloud backbones.
2. Standardized Sandboxing APIs: The partnership with Daytona and Modal indicates a push towards universal container configurations. Expect a standard sandbox.json format to declare memory, CPU, and library requirements for agent runs.
3. Registry-Level Auditing: As public MCP registries (like Smithery) grow, expect major cyber security compliance suites to introduce automated vulnerability scanning for third-party MCP servers, ensuring hallucinated dependencies are blocked before they route traffic.

Source

• Anthropic MCP Tunnels and Sandboxes - The New Stack
• Anthropic Enhances Claude Managed Agents - 9to5Mac