Skip to main content
Sandboxes support public-cloud network controls for disabling internet access entirely and denying specific outbound destinations.

Internet Access

By default, sandboxes have internet access enabled. Disable it for untrusted code: 
from tensorlake.sandbox import SandboxClient

client = SandboxClient()

sandbox = client.create(
    allow_internet_access=False
)
In a verified public-cloud test, a sandbox created with allow_internet_access=False failed DNS resolution for https://example.com, confirming that outbound internet access was disabled.
allow_out is not documented here because it did not behave as a working public-cloud allowlist in verification against the current CLI and API. Use allow_internet_access=False for full isolation, or deny_out to block specific destinations while keeping general internet access enabled.

Block Specific Destinations

sandbox = client.create(
    deny_out=["example.com"]
)
In a verified public-cloud request, deny_out=["example.com"] blocked https://example.com while https://api.openai.com/v1/models still returned 401, confirming outbound connectivity was still available for destinations that were not denied.

Network Configuration Summary

ParameterTypeDefaultDescription
allow_internet_accessboolTrueEnable or disable all internet access
deny_outlist[str][]Denied outbound destinations

Examples

Fully Isolated Sandbox

sandbox = client.create(
    allow_internet_access=False
)

Block a Specific Domain

sandbox = client.create(
    deny_out=["example.com"]
)

Learn More

Lifecycle

Sandbox states, resources, and timeouts.

Commands

Run commands and inspect stdout/stderr inside a sandbox.