Skip to main content
Every sandbox has access to the internet and can be reached by a public URL.

Controlling internet access

You can control whether a sandbox has access to the internet by using the allowInternetAccess parameter when creating a sandbox. By default, internet access is enabled (true), but you can disable it for security-sensitive workloads. 
import { Sandbox } from '@e2b/code-interpreter'

// Create sandbox with internet access enabled (default)
const sandbox = await Sandbox.create({ allowInternetAccess: true })

// Create sandbox without internet access
const isolatedSandbox = await Sandbox.create({ allowInternetAccess: false })
When internet access is disabled, the sandbox cannot make outbound network connections, which provides an additional layer of security for sensitive code execution.
Setting allowInternetAccess to false is equivalent to setting network.denyOut to ['0.0.0.0/0'] (denying all traffic).

Fine-grained network control

For more granular control over network access, you can use the network configuration option to specify allow and deny lists for outbound traffic.

Allow and deny lists

You can specify IP addresses or CIDR blocks that the sandbox can or cannot connect to: 
import { Sandbox, ALL_TRAFFIC } from '@e2b/code-interpreter'

// Deny all traffic except specific IPs
const sandbox = await Sandbox.create({
  network: {
    denyOut: [ALL_TRAFFIC],
    allowOut: ['1.1.1.1', '8.8.8.0/24']
  }
})

// Deny specific IPs only
const restrictedSandbox = await Sandbox.create({
  network: {
    denyOut: ['8.8.8.8']
  }
})

Priority rules

When both allowOut and denyOut are specified, allow rules always take precedence over deny rules. This means if an IP address is in both lists, it will be allowed. 
import { Sandbox, ALL_TRAFFIC } from '@e2b/code-interpreter'

// Even though ALL_TRAFFIC is denied, 1.1.1.1 and 8.8.8.8 are explicitly allowed
const sandbox = await Sandbox.create({
  network: {
    denyOut: [ALL_TRAFFIC],
    allowOut: ['1.1.1.1', '8.8.8.8']
  }
})

ALL_TRAFFIC helper

The ALL_TRAFFIC constant represents the CIDR range 0.0.0.0/0, which matches all IP addresses. Use it to easily deny or allow all network traffic: 
import { Sandbox, ALL_TRAFFIC } from '@e2b/code-interpreter'

// Deny all outbound traffic
const sandbox = await Sandbox.create({
  network: {
    denyOut: [ALL_TRAFFIC]
  }
})

Sandbox public URL

Every sandbox has a public URL that can be used to access running services inside the sandbox. 
import { Sandbox } from '@e2b/code-interpreter'

const sandbox = await Sandbox.create()

// You need to always pass a port number to get the host
const host = sandbox.getHost(3000)
console.log(`https://${host}`)
The code above will print something like this: 
https://3000-i62mff4ahtrdfdkyn2esc.e2b.app
The first leftmost part of the host is the port number we passed to the method.

Restricting public access to sandbox URLs

By default, sandbox URLs are publicly accessible. You can restrict access to require authentication using the allowPublicTraffic option: 
import { Sandbox } from '@e2b/code-interpreter'

// Create sandbox with restricted public access
const sandbox = await Sandbox.create({
  network: {
    allowPublicTraffic: false
  }
})

// The sandbox has a traffic access token
console.log(sandbox.trafficAccessToken)

// Start a server inside the sandbox
await sandbox.commands.run('python -m http.server 8080', { background: true })

const host = sandbox.getHost(8080)
const url = `https://${host}`

// Request without token will fail with 403
const response1 = await fetch(url)
console.log(response1.status) // 403

// Request with token will succeed
const response2 = await fetch(url, {
  headers: {
    'e2b-traffic-access-token': sandbox.trafficAccessToken
  }
})
console.log(response2.status) // 200
When allowPublicTraffic is set to false, all requests to the sandbox’s public URLs must include the e2b-traffic-access-token header with the value from sandbox.trafficAccessToken.

Connecting to a server running inside the sandbox

You can start a server inside the sandbox and connect to it using the approach above. In this example we will start a simple HTTP server that listens on port 3000 and responds with the content of the directory where the server is started. 
import { Sandbox } from '@e2b/code-interpreter'

const sandbox = await Sandbox.create()

// Start a simple HTTP server inside the sandbox.
const process = await sandbox.commands.run('python -m http.server 3000', { background: true })
const host = sandbox.getHost(3000)
const url = `https://${host}`
console.log('Server started at:', url)

// Fetch data from the server inside the sandbox.
const response = await fetch(url);
const data = await response.text();
console.log('Response from server inside sandbox:', data);

// Kill the server process inside the sandbox.
await process.kill()
This output will look like this: 
Server started at: https://3000-ip3nfrvajtqu5ktoxugc7.e2b.app
Response from server inside sandbox: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href=".bash_logout">.bash_logout</a></li>
<li><a href=".bashrc">.bashrc</a></li>
<li><a href=".profile">.profile</a></li>
</ul>
<hr>
</body>
</html>

Masking request host headers

You can customize the Host header that gets sent to services running inside the sandbox using the maskRequestHost option. This is useful when your application expects a specific host format. 
import { Sandbox } from '@e2b/code-interpreter'

// Create sandbox with custom host masking
const sandbox = await Sandbox.create({
  network: {
    maskRequestHost: 'localhost:${PORT}'
  }
})

// The ${PORT} variable will be replaced with the actual port number
// Requests to the sandbox will have Host header set to for example: localhost:8080
The ${PORT} variable in the mask will be automatically replaced with the actual port number of the requested service.