The most common concern IT teams raise when evaluating agentic AI is not about model quality. It is about data. Specifically, whether the tools and data sources an agent needs can stay inside the corporate perimeter while the agent loop runs somewhere else. Anthropic addressed that objection directly on May 19, shipping two new infrastructure features for Claude Managed Agents: self-hosted sandboxes, now in public beta, and MCP tunnels, available in research preview.
Together, the two features give enterprises a path to running Claude agents on sensitive internal data without routing that data through Anthropic's servers or punching holes in their firewalls. The architecture is a deliberate split: Anthropic keeps the agent orchestration layer, which handles context management, error recovery, and the agent loop itself, while control over tool execution and private network access moves to the customer's own infrastructure.
Self-Hosted Sandboxes
When a Claude Managed Agent executes a tool, the default behavior is to run that execution in an Anthropic-managed sandbox. For many enterprise workflows, that is fine. But for teams working with sensitive files, proprietary code repositories, or internal APIs they cannot expose externally, the managed sandbox creates an obstacle.
Self-hosted sandboxes remove that obstacle by letting companies run the tool-execution environment themselves, or hand it to a managed sandbox provider of their choice. Launch partners include Cloudflare, Daytona, Modal, and Vercel. The agent loop remains on Anthropic's infrastructure. The tool calls, the files the agent reads and writes, and the processes it spawns all happen in the customer's own compute environment. The feature is now in public beta, meaning enterprise teams can enroll without going through a separate access request.
The tradeoff is operational complexity. Running your own sandbox means managing your own compute, keeping the sandbox runtime up to date, and absorbing execution failures that Anthropic's managed environment would normally handle. For companies with platform engineering teams, that tradeoff is usually worth it. For smaller organizations, the managed sandbox will remain the simpler path.
Key Facts
- Self-hosted sandboxes availability: Public beta (open enrollment)
- MCP tunnels availability: Research preview (request required)
- Supported sandbox providers: Cloudflare, Daytona, Modal, Vercel
- Inbound firewall changes required: None (outbound-only tunnel)
- Agent orchestration location: Anthropic's infrastructure
- Tunnel traffic encryption: End to end
MCP Tunnels
The second feature addresses a different problem: how to connect a Claude agent to an MCP server that lives behind a corporate firewall, without exposing that server to the public internet.
The conventional approach is a VPN or reverse proxy, both of which require inbound firewall rules and create an ongoing surface for network security teams to manage. MCP tunnels take a different approach. You deploy a lightweight gateway inside your private network. That gateway makes a single outbound connection to Anthropic's infrastructure. No inbound ports. No public endpoints. Traffic is encrypted end to end. Once the tunnel is established, the agent can reach any MCP server behind it, giving it access to internal databases, private APIs, corporate knowledge bases, and ticketing systems that would otherwise be unreachable from the cloud.
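A check a network team could run against the gateway host's firewall rules to confirm the outbound-only model described above, and to keep the gateway from becoming a path to the whole internal network. This is an added example, not Anthropic's code; the rule format, the tunnel endpoint range, port 443 and the MCP server addresses are all assumptions made for illustration.

```python
import ipaddress

# Assumptions (not from the article): placeholder tunnel endpoint range taken
# from a documentation-only block, and constructed internal MCP server addresses.
TUNNEL_ENDPOINT = ipaddress.ip_network("203.0.113.0/24")
TUNNEL_PORT = 443
MCP_SERVERS = {
    ipaddress.ip_network("10.20.0.15/32"): 8443,
    ipaddress.ip_network("10.20.0.16/32"): 8443,
}

# Constructed sample ruleset for the gateway host: (direction, action, cidr, port).
# A port of None means "any port".
SAMPLE_RULES = [
    ("in",  "allow", "0.0.0.0/0",      443),   # leftover reverse-proxy rule
    ("out", "allow", "203.0.113.0/24", 443),   # the single tunnel connection
    ("out", "allow", "10.20.0.15/32",  8443),  # allowlisted MCP server
    ("out", "allow", "10.0.0.0/8",     None),  # whole internal network, any port
    ("out", "deny",  "0.0.0.0/0",      None),  # default deny
]

def audit_gateway_rules(rules):
    """Return (rule_index, finding) for each allow rule that breaks the model:
    no inbound at all, egress only to the tunnel endpoint and listed MCP servers."""
    findings = []
    for i, (direction, action, cidr, port) in enumerate(rules):
        if action != "allow":
            continue
        net = ipaddress.ip_network(cidr)
        if direction == "in":
            findings.append((i, "inbound allow: the tunnel needs no inbound rules"))
            continue
        if net.subnet_of(TUNNEL_ENDPOINT) and port == TUNNEL_PORT:
            continue  # expected tunnel egress
        if any(net.subnet_of(srv) and port == p for srv, p in MCP_SERVERS.items()):
            continue  # expected egress to an allowlisted MCP server
        findings.append((i, f"egress to {cidr} port {port or 'any'} is outside the allowlist"))
    return findings

if __name__ == "__main__":
    for idx, msg in audit_gateway_rules(SAMPLE_RULES):
        print(f"rule {idx}: {msg}")
```
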
MCP tunnels are currently in research preview, and unlike the self-hosted sandboxes, access requires a request. Anthropic has not published a general availability timeline.
"MCP tunnels let agents reach MCP servers inside private networks without exposing them to the public internet. A lightweight gateway you deploy makes a single outbound connection — no inbound firewall rules, no public endpoints, traffic encrypted end to end." Anthropic, Claude Managed Agents update, May 2026
Why the Split Architecture Matters
The hybrid model Anthropic has settled on reflects a practical acknowledgment that enterprise AI adoption bottlenecks more often on infrastructure and security review than on model capability. A team that can run tool execution on its own hardware, and reach internal tools through a private tunnel, faces a substantially shorter security review than one that must route everything through an external provider.
The feature set also reflects how Claude Managed Agents have matured since their initial launch. The first release focused on the basics: scheduling agents, giving them tools, letting them run autonomously. This update focuses on the layer below that, the compute and connectivity infrastructure that determines whether an agent can reach the data it needs in a regulated enterprise environment.
Anthropic's Claude Console retains visibility across both self-hosted sandboxes and private tunnels, so operations teams keep a single pane of glass even as compute and connectivity move closer to the customer's own environment. Agent session logs, tool call traces, and error states remain visible in the console regardless of where the sandbox is running.
Practical Next Steps
For teams that have been holding back on Claude Managed Agents specifically because of data residency or firewall concerns, the public beta of self-hosted sandboxes is worth testing now. Integration with Cloudflare Workers and Modal in particular means many engineering teams already have the infrastructure pieces in place. The main work is pointing tool execution at the new sandbox endpoint rather than Anthropic's default.
MCP tunnels require more patience given the research preview gate, but the underlying use case, reaching internal databases and API endpoints without a public reverse proxy, is one of the most frequently cited blockers for enterprise agent deployment. Teams already building on Claude's MCP connector ecosystem and running into private-network access limits should apply for early access.
Both features are part of a broader Anthropic push toward enterprise infrastructure control. For companies that have been waiting for a credible answer to the "where does my data go" question, the May 19 release makes that answer substantially clearer. The orchestration stays with Anthropic. Everything else can stay with you.