Egress Policies
Egress policies control what outbound network connections a sandbox can make. When running untrusted code, restrict egress to prevent data exfiltration and unauthorized access.
Why egress matters
AI agents and user-submitted code should not have unrestricted internet access. Egress policies let you:
- Block all outbound traffic by default
- Allow specific domains (e.g.,
api.openai.com) - Permit package managers (pip, apt, npm) while blocking everything else
- Control HTTP vs HTTPS independently
- Define CIDR-based allow lists for private networks
Setting a session egress policy
Apply egress rules to the current session:
- Python
- JavaScript
from instavm import InstaVM
client = InstaVM('your_api_key')
client.egress.set_session(
allow_package_managers=True,
allow_http=False,
allow_https=True,
allowed_domains=["api.openai.com", "huggingface.co"],
allowed_cidrs=["10.0.0.0/8"]
)
import { InstaVM } from 'instavm';
const client = new InstaVM('your_api_key');
await client.egress.setSession({
allow_package_managers: true,
allow_http: false,
allow_https: true,
allowed_domains: ['api.openai.com', 'huggingface.co'],
allowed_cidrs: ['10.0.0.0/8'],
});
Policy options
| Parameter | Type | Description |
|---|---|---|
allow_package_managers | bool | Allow pip, apt, npm to reach their registries |
allow_http | bool | Allow outbound HTTP (port 80) |
allow_https | bool | Allow outbound HTTPS (port 443) |
allowed_domains | list[str] | Specific domains the sandbox can reach |
allowed_cidrs | list[str] | CIDR ranges for private network access |
Setting a VM egress policy
Apply egress rules to a specific VM (persists across sessions):
- Python
- JavaScript
client.egress.set_vm(
vm_id="vm_abc123",
allow_package_managers=True,
allow_https=True,
allow_http=False,
allowed_domains=["api.example.com"]
)
await client.egress.setVm({
vm_id: 'vm_abc123',
allow_package_managers: true,
allow_https: true,
allow_http: false,
allowed_domains: ['api.example.com'],
});
Reading the current policy
- Python
- JavaScript
# Session policy
policy = client.egress.get_session()
# VM policy
policy = client.egress.get_vm(vm_id="vm_abc123")
print(f"HTTPS: {policy.get('allow_https')}")
print(f"Domains: {policy.get('allowed_domains', [])}")
// Session policy
const sessionPolicy = await client.egress.getSession();
// VM policy
const vmPolicy = await client.egress.getVm('vm_abc123');
console.log(`HTTPS: ${vmPolicy.allow_https}`);
console.log(`Domains: ${vmPolicy.allowed_domains || []}`);
Common patterns
AI agent sandbox
Allow only the LLM API and package managers:
- Python
- JavaScript
client.egress.set_session(
allow_package_managers=True,
allow_https=True,
allow_http=False,
allowed_domains=["api.openai.com", "api.anthropic.com"]
)
await client.egress.setSession({
allow_package_managers: true,
allow_https: true,
allow_http: false,
allowed_domains: ['api.openai.com', 'api.anthropic.com'],
});
Fully isolated
Block all network access:
- Python
- JavaScript
client.egress.set_session(
allow_package_managers=False,
allow_https=False,
allow_http=False,
allowed_domains=[],
allowed_cidrs=[]
)
await client.egress.setSession({
allow_package_managers: false,
allow_https: false,
allow_http: false,
allowed_domains: [],
allowed_cidrs: [],
});
Internal network only
Allow access to private services:
- Python
- JavaScript
client.egress.set_session(
allow_package_managers=False,
allow_https=False,
allow_http=False,
allowed_cidrs=["10.0.0.0/8", "172.16.0.0/12"]
)
await client.egress.setSession({
allow_package_managers: false,
allow_https: false,
allow_http: false,
allowed_cidrs: ['10.0.0.0/8', '172.16.0.0/12'],
});
Session vs VM policies
- Session policies apply to the current session only. When the session ends, the policy is gone.
- VM policies persist across sessions on the same VM. Use VM policies for long-lived VMs.
If both are set, the more restrictive policy wins.
Next steps
- Sessions -- session lifecycle and management
- Python SDK: Egress & Networking -- full SDK reference
- REST API: Egress -- API endpoints