Source: Code with Claude London 2026 — Opening Keynote (YouTube 6amLO7I9xdg), Layer 2 (Angela Jiang + Caitlyn Burke). May 21 2026.

The two Cloud Managed Agents primitives launched at the London keynote. Self-hosted sandboxes — execute Managed Agent work in the customer’s own infrastructure (Daytona, Cloudflare, Vercel, Modal supported first-class). MCP tunnels — let Managed Agents reach internal MCP servers that stay behind the customer’s firewall, over a secure tunnel through tunnel.anthropic.com rather than public-internet exposure. Both configured in the Claude Developer Console. Together they answer the two most-cited enterprise blockers from the pre-launch Managed Agents research: credentials/security/access (~50% of devs) and infra control. The Counter live demo wired both into a Slack-collaborative growth agent.

Key Takeaways

Self-hosted sandboxes

  • What it is. When a Managed Agent needs to execute work (writing files, running code, running builds), the work executes on a sandbox the customer controls — in the customer’s own cloud account — rather than on Anthropic-hosted infrastructure.
  • First-class providers at launch. Daytona, Cloudflare, Vercel, Modal. “Super easy integration” with each. Anthropic-hosted sandboxes remain available — self-hosted is opt-in per environment.
  • Architecture pattern: work-item queue. Managed Agent emits a work item → customer’s chosen provider picks it up → provider spins a sandbox inside the customer’s own account → sandbox executes → results stream back to the agent through the observability layer. The agent loop stays on Anthropic; tool execution moves customer-side.
  • What this unlocks. Data residency (sandbox lives in the customer’s region). Compliance (code never leaves the customer’s perimeter beyond the agent loop). Credential isolation (provider creds, secrets, API tokens stay in the customer’s account). Cost ownership (sandbox runtime billed by the customer’s provider).
  • Configuration surface. Per-environment toggle in the Managed Agent config. The agent definition itself (model, prompt, tools, skills) is unchanged — only the environment switches.
  • Mental model relative to Managed Agents generally. Same agent / environment / session decomposition. The environment now carries “self-hosted on X” as a first-class field.

MCP tunnels

  • What it is. A secure, gateway-mediated channel that lets Cloud Managed Agents call MCP servers hosted on the customer’s private network — without exposing those MCP servers on the public internet.
  • Architecture pattern. Customer stands up a gateway inside their own private network → establishes an outbound secure connection to Anthropic → Managed Agent calls reach the MCP server via a URL hosted on tunnel.anthropic.com (e.g., https://tunnel.anthropic.com/<tunnel-id>/<mcp-path>).
  • What stays internal. The MCP server itself. The data it serves. The credentials it uses. No inbound port is opened on the customer’s firewall.
  • What this unlocks. Agentic access to internal data warehouses, feature-flag services, ticketing systems, SSO-protected APIs — anything the company runs internally but doesn’t want public.
  • Comparison to public MCP servers. A public MCP server URL (e.g., https://slack.com/mcp/...) is reachable on the open internet. Tunneled MCP URLs are routed via Anthropic’s edge into the customer’s gateway and back. The MCP protocol is unchanged; only the network path differs.
  • Configuration surface. Create / manage tunnels directly in the Claude Developer Console. Each tunnel has its own ID and policy.
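
An added example (not from the keynote or from Anthropic's tooling) of the check these bullets imply: classify each MCP server URL an agent is configured with as tunneled, public, or an internal address that was configured directly. The config mapping, the internal DNS suffixes and all sample hostnames are assumptions; the tunnel host and the `/<tunnel-id>/<mcp-path>` layout come from the example URL above.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

TUNNEL_HOST = "tunnel.anthropic.com"                  # host named in the notes
INTERNAL_SUFFIXES = (".internal", ".corp", ".local")  # assumption: your private zones


def _is_internal(host: str) -> bool:
    """True for private/loopback IP literals, single-label names, private zones."""
    try:
        return ip_address(host).is_private
    except ValueError:
        return "." not in host or host.endswith(INTERNAL_SUFFIXES)


def classify_mcp_url(url: str) -> str:
    """Return 'tunneled', 'public', or 'reject: <reason>' for one MCP server URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "reject: not https"
    if "@" in parts.netloc:
        # https://tunnel.anthropic.com@other.example/ connects to other.example
        return "reject: userinfo in URL"
    host = (parts.hostname or "").rstrip(".")
    if _is_internal(host):
        return "reject: internal address configured directly, not via a tunnel"
    if host == TUNNEL_HOST:  # exact match, so lookalike hosts never pass as tunneled
        segments = [s for s in parts.path.split("/") if s]
        if len(segments) < 2:
            return "reject: expected /<tunnel-id>/<mcp-path>"
        return "tunneled"
    return "public"  # reachable on the open internet; review it as such


def audit(servers: dict) -> dict:
    return {name: classify_mcp_url(url) for name, url in servers.items()}


# Constructed config; the tunnel id and all hostnames are placeholders.
SAMPLE = {
    "warehouse": "https://tunnel.anthropic.com/TUNNEL_ID_PLACEHOLDER/data-warehouse",
    "flags": "https://10.20.0.5:8443/feature-flags",
    "chat": "https://mcp.chat.example.com/v1",
    "lookalike": "https://tunnel.anthropic.com.example.net/x/data-warehouse",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:10} {verdict}")
```

Running this in CI against the environment config catches an internal MCP server that was wired in by private address instead of through a tunnel.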

Counter (live demo) — both features in one workflow

Fictional commerce SaaS, “Counter,” running a growth-experiment loop on merchant onboarding. The Growthbot Managed Agent:

  • Operates in Slack (public MCP server) — proactively announces “there’s a clear winner in the most recent experiment.”
  • Reads experiment data from Counter’s internal data warehouse via an MCP tunnel: tunnel.anthropic.com/<id>/data-warehouse.
  • Calls Counter’s feature-flag service via another MCP tunnel (tunnel.anthropic.com/<id>/feature-flags) and calls set_flag_winner on the experiment.
  • Opens a cleanup PR to remove the losing variant — code execution happens on Counter’s self-hosted Vercel sandbox, not on Anthropic infrastructure.
  • Screenshots the old + new variant to attach to the PR.
  • Proactively surfaces a 46% drop-off elsewhere in the funnel — data computed via the MCP-tunneled data warehouse — and asks “do you want me to start on that?”

Four of those behaviors map directly to an enterprise security requirement: external collaboration (Slack), internal-data isolation (MCP tunnel to warehouse), internal-control isolation (MCP tunnel to feature flags), and execution isolation (self-hosted sandbox). The agent doesn’t see the boundaries; the customer’s infra does.

Implementation

  • Tool/Service: Claude Managed Agents, self-hosted sandboxes + MCP tunnels.
  • Setup: Claude Developer Console; both surface as configuration objects.
  • Cost: Sandbox runtime billed by the customer’s provider (Daytona/Cloudflare/Vercel/Modal). MCP tunnel infrastructure billing not addressed in the keynote; see Open Questions. Standard Managed Agents tokens + session-running-state per-hour pricing still applies (see Managed Agents for the dual-axis cost model).
  • Integration notes: The agent definition (model, prompt, tools, skills) does not change when switching to self-hosted sandbox or tunneled MCP. The environment object carries the configuration. This lets a single agent definition target different sandbox + tunnel configurations across environments (dev → staging → prod) without code changes.

Try It

  1. Pick the most-internal MCP server you currently want an agent to call but can’t expose. Stand up a gateway in your private network. Establish a tunnel via the Claude Developer Console. Reconfigure the agent to call the tunneled URL. Verify the original MCP server has no public inbound traffic after the switch.
  2. Pick a self-hosted sandbox provider you already use. If you’re already on Vercel for hosting, deploying the sandbox to your existing Vercel account is the lowest-friction path. Daytona is the closest analog if you want isolated dev environments. Modal if you want bespoke ML workloads. Cloudflare Workers for edge-light agents.
  3. Replicate the Growthbot Counter pattern. Pick an internal data source + an internal control plane + an external collaboration surface (Slack/email/Discord). Wire all three through the matching channel (tunnel/tunnel/public MCP). Measure end-to-end latency, error rates, and (most importantly) the diff in security-review effort vs the same agent running entirely on Anthropic-hosted infra.
  4. Audit credential exposure before and after. The biggest unlock is that credentials and data never leave the customer’s perimeter. Verify this on a target system — confirm the agent has no direct access to the credentials it would need outside the tunnel/sandbox.
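
An added example (not from the keynote) for the verification in step 1: scan flow logs from the MCP server host and report accepted inbound connections after the switch that did not come from the gateway. The log format, addresses, port and cutoff time are constructed assumptions; adapt the regex to your firewall or VPC flow-log format.

```python
import re
from datetime import datetime

# Constructed flow-log lines for the MCP server host; the format is an assumption.
SAMPLE_LOG = """\
2026-05-20T09:14:02Z 198.51.100.23:51544 -> 10.20.0.5:8443 ACCEPT
2026-05-22T10:00:11Z 10.20.0.9:40112 -> 10.20.0.5:8443 ACCEPT
2026-05-22T10:03:47Z 198.51.100.23:51990 -> 10.20.0.5:8443 ACCEPT
2026-05-22T10:04:01Z 198.51.100.77:44021 -> 10.20.0.5:8443 DROP
2026-05-22T10:05:30Z 10.20.0.9:40230 -> 10.20.0.5:8443 ACCEPT
truncated rec
"""
FLOW = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) (ACCEPT|DROP)$"
)


def _utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def bypass_findings(log_text, mcp_addr, gateway_ips, switched_at):
    """Return ({source_ip: accepted_flow_count}, unparsed_line_count)."""
    cutoff = _utc(switched_at)
    mcp_ip, mcp_port = mcp_addr
    findings, unparsed = {}, 0
    for line in log_text.splitlines():
        m = FLOW.match(line.strip())
        if not m:
            unparsed += 1  # never treat an unreadable record as clean
            continue
        ts, src, dst, dport, action = m.groups()
        if (dst, int(dport)) != (mcp_ip, mcp_port) or _utc(ts) < cutoff:
            continue
        # DROP means the firewall already blocked it; ACCEPT from a
        # non-gateway source means a path around the tunnel still exists.
        if action == "ACCEPT" and src not in gateway_ips:
            findings[src] = findings.get(src, 0) + 1
    return findings, unparsed


if __name__ == "__main__":
    print(bypass_findings(SAMPLE_LOG, ("10.20.0.5", 8443),
                          {"10.20.0.9"}, "2026-05-21T00:00:00Z"))
```

An empty findings dict with zero unparsed lines is the passing result; any source listed means the old inbound rule is still in place.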

Open Questions

  • Pricing for the tunnel layer. Does Anthropic charge per-tunnel, per-message-through-the-tunnel, or include tunneling in the standard Managed Agents per-session-hour fee? The keynote doesn’t say. Worth checking the published pricing page once available.
  • Latency cost of the tunnel hop. A tunneled MCP call routes via Anthropic’s edge. The added round-trip is implementation-specific but bounded — quantifying it for the most-common provider regions would help planners.
  • Sandbox-provider parity. Are all four first-class providers truly parity at launch, or do some carry feature gaps (e.g., longer-running sessions, image execution, GPU sandboxes)? Worth a benchmark.
  • Outbound-only vs bidirectional. The transcript describes the gateway establishing a connection to Anthropic — implies outbound-only from the customer side (safer). Confirm this is the only mode (or what bidirectional mode would look like).
  • Failure isolation. What happens to a Managed Agent session if the customer’s sandbox provider has an outage? Does the session retry, fall back to Anthropic-hosted, or fail hard? Behavioral contract not in the keynote.
  • Compliance certifications. SOC 2 / HIPAA / FedRAMP scope when sandbox runs on customer infra — does the agent-loop side need a separate audit boundary? This unblocks the regulated-industry buyers Counter was a proxy for.