Egress Policies
Egress policies control what outbound network connections a sandbox can make. When running untrusted code, restrict egress to prevent data exfiltration and unauthorized access.
Why egress matters
AI agents and user-submitted code should not have unrestricted internet access. Egress policies let you:
- Block all outbound traffic by default
- Allow specific domains (e.g.,
api.openai.com) - Permit package managers (pip, apt, npm) while blocking everything else
- Control HTTP vs HTTPS independently
- Define CIDR-based allow lists for private networks
Setting a session egress policy
Apply egress rules to the current session:
from instavm import InstaVM
client = InstaVM('your_api_key')
client.egress.set_session(
allow_package_managers=True,
allow_http=False,
allow_https=True,
allowed_domains=["api.openai.com", "huggingface.co"],
allowed_cidrs=["10.0.0.0/8"]
)
Policy options
| Parameter | Type | Description |
|---|---|---|
allow_package_managers | bool | Allow pip, apt, npm to reach their registries |
allow_http | bool | Allow outbound HTTP (port 80) |
allow_https | bool | Allow outbound HTTPS (port 443) |
allowed_domains | list[str] | Specific domains the sandbox can reach |
allowed_cidrs | list[str] | CIDR ranges for private network access |
Setting a VM egress policy
Apply egress rules to a specific VM (persists across sessions):
client.egress.set_vm(
vm_id="vm_abc123",
allow_package_managers=True,
allow_https=True,
allow_http=False,
allowed_domains=["api.example.com"]
)
Reading the current policy
# Session policy
policy = client.egress.get_session()
# VM policy
policy = client.egress.get_vm(vm_id="vm_abc123")
print(f"HTTPS: {policy.get('allow_https')}")
print(f"Domains: {policy.get('allowed_domains', [])}")
Common patterns
AI agent sandbox
Allow only the LLM API and package managers:
client.egress.set_session(
allow_package_managers=True,
allow_https=True,
allow_http=False,
allowed_domains=["api.openai.com", "api.anthropic.com"]
)
Fully isolated
Block all network access:
client.egress.set_session(
allow_package_managers=False,
allow_https=False,
allow_http=False,
allowed_domains=[],
allowed_cidrs=[]
)
Internal network only
Allow access to private services:
client.egress.set_session(
allow_package_managers=False,
allow_https=False,
allow_http=False,
allowed_cidrs=["10.0.0.0/8", "172.16.0.0/12"]
)
Session vs VM policies
- Session policies apply to the current session only. When the session ends, the policy is gone.
- VM policies persist across sessions on the same VM. Use VM policies for long-lived VMs.
If both are set, the more restrictive policy wins.
Next steps
- Sessions -- session lifecycle and management
- Python SDK: Egress & Networking -- full SDK reference
- REST API: Egress -- API endpoints