Every sandbox has access to the internet and can be reached by a public URL.

Controlling internet access

You can control whether a sandbox has access to the internet by using the allowInternetAccess / allow_internet_access parameter when creating a sandbox. By default, internet access is enabled, but you can disable it for security-sensitive workloads.
import { Sandbox } from 'e2b'

// Create sandbox with internet access enabled (default)
const sandbox = await Sandbox.create({ allowInternetAccess: true })

// Create sandbox without internet access
const isolatedSandbox = await Sandbox.create({ allowInternetAccess: false })
When internet access is disabled, the sandbox cannot make outbound network connections, which provides an additional layer of security for sensitive code execution.
Setting allowInternetAccess / allow_internet_access to a falsy value is equivalent to setting network.denyOut / network.deny_out to ['0.0.0.0/0'] (denying all traffic).

Fine-grained network control

For more granular control over network access, you can use the network configuration option to specify allow and deny lists for outbound traffic.

Allow and deny lists

You can specify IP addresses, CIDR blocks, or domain names that the sandbox is allowed to use:
import { Sandbox } from 'e2b'

// Deny all traffic except specific IPs
const sandbox = await Sandbox.create({
  network: {
    denyOut: ({ allTraffic }) => [allTraffic], // allTraffic === '0.0.0.0/0'
    allowOut: ['1.1.1.1', '8.8.8.0/24']
  }
})

// Deny specific IPs only
const restrictedSandbox = await Sandbox.create({
  network: {
    denyOut: ['8.8.8.8']
  }
})
The selector callback (({ allTraffic }) => [allTraffic] / lambda ctx: [ctx.all_traffic]) is the recommended way to express “all traffic” (0.0.0.0/0). The ALL_TRAFFIC constant remains exported for backward compatibility.

Domain-based filtering

You can allow traffic to specific domains by specifying hostnames in allowOut / allow_out. When using domain-based filtering, you must deny all other traffic in denyOut / deny_out. Domains are not supported in the deny lists.
import { Sandbox } from 'e2b'

// Allow only traffic to google.com
const sandbox = await Sandbox.create({
  network: {
    allowOut: ['google.com'],
    denyOut: ({ allTraffic }) => [allTraffic]
  }
})
When any domain is used, the default nameserver 8.8.8.8 is automatically allowed to ensure proper DNS resolution.
You can also use wildcards to allow all subdomains of a domain:
import { Sandbox } from 'e2b'

// Allow traffic to any subdomain of mydomain.com
const sandbox = await Sandbox.create({
  network: {
    allowOut: ['*.mydomain.com'],
    denyOut: ({ allTraffic }) => [allTraffic]
  }
})
You can combine domain names with IP addresses and CIDR blocks:
import { Sandbox } from 'e2b'

// Allow traffic to specific domains and IPs
const sandbox = await Sandbox.create({
  network: {
    allowOut: ['api.example.com', '*.github.com', '8.8.8.8'],
    denyOut: ({ allTraffic }) => [allTraffic]
  }
})
Domain-based filtering only works for HTTP traffic on port 80 (via Host header inspection) and TLS traffic on port 443 (via SNI inspection). Traffic on other ports uses CIDR-based filtering only. UDP-based protocols like QUIC/HTTP3 are not supported for domain filtering.

Priority rules

When both allow and deny rules are specified, allow rules always take precedence over deny rules. This means if an IP address is in both lists, it will be allowed.
import { Sandbox } from 'e2b'

// Even though all traffic is denied, 1.1.1.1 and 8.8.8.8 are explicitly allowed
const sandbox = await Sandbox.create({
  network: {
    denyOut: ({ allTraffic }) => [allTraffic],
    allowOut: ['1.1.1.1', '8.8.8.8']
  }
})

Per-host request transforms

Per-host request transforms are currently in private beta. If you’d like access, please reach out to us at support@e2b.dev.
You can register per-host rules under network.rules to apply transforms (for example, inject HTTP headers) on outbound requests matching a host. Rules are keyed by host and registering one does not grant egress on its own — the host must still be referenced via allowOut / allow_out. The transform.headers object is sent on the wire as-is and injected by the egress proxy on matching HTTP/HTTPS requests.
import { Sandbox } from 'e2b'

await Sandbox.create({
  network: {
    // Only allow egress to hosts that have rules registered.
    allowOut: ({ rules }) => [...rules.keys()],
    // Deny all other traffic
    denyOut: ({ allTraffic }) => [allTraffic],
    // Register per-host rules
    rules: {
      'api.example.com': [
        {
          transform: {
            headers: { 'X-Header': 'Content' },
          },
        },
      ],
    },
  },
})
In JavaScript, network.rules accepts either a plain object or a Map:
const rules = new Map([
  ['api.example.com', [{ transform: { headers: { 'X-Trace': 'on' } } }]],
])

await Sandbox.create({
  network: { allowOut: ({ rules }) => [...rules.keys()], rules },
})
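
A pre-flight check that applies the constraints stated in the sections above: no domains in denyOut, deny-all required alongside domain allow entries, allow wins over deny, and a rule alone grants no egress. This is an added example, not part of the E2B SDK; lintNetwork, resolve and the sample configs are hypothetical, and any entry that is not an IPv4 address or CIDR block is assumed to be a domain.

```javascript
// Added example: pre-flight check for a `network` option object (not SDK code).
const ALL = '0.0.0.0/0'
// Assumption: anything that is not an IPv4 address or CIDR block is a domain.
const IP_OR_CIDR = /^(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?$/
const isDomain = (entry) => !IP_OR_CIDR.test(entry)

// A list may be an array or a selector callback receiving { allTraffic, rules }.
const resolve = (list, ctx) => (typeof list === 'function' ? list(ctx) : (list ?? []))

function lintNetwork(network) {
  const rules = network.rules instanceof Map
    ? network.rules
    : new Map(Object.entries(network.rules ?? {}))
  const ctx = { allTraffic: ALL, rules }
  const allow = resolve(network.allowOut, ctx)
  const deny = resolve(network.denyOut, ctx)
  const findings = []

  const deniedDomains = deny.filter(isDomain)
  if (deniedDomains.length)
    findings.push(`error: domains are not supported in denyOut: ${deniedDomains.join(', ')}`)
  if (allow.some(isDomain)) {
    if (!deny.includes(ALL))
      findings.push('error: domains in allowOut require denyOut to deny all traffic')
    findings.push('note: domain rules match only port 80 (Host) and 443 (SNI); 8.8.8.8 is auto-allowed')
  }
  for (const entry of allow)
    if (deny.includes(entry)) findings.push(`warn: ${entry} is in both lists and will be allowed`)
  for (const host of rules.keys())
    if (!allow.includes(host)) findings.push(`warn: rule for ${host} grants no egress without allowOut`)
  return findings
}

// Constructed sample configs.
const bad = {
  allowOut: ['api.example.com', '8.8.8.8'],
  denyOut: ['8.8.8.8', 'tracker.example.net'],
  rules: { 'internal.example.org': [{ transform: { headers: { 'X-Header': 'Content' } } }] },
}
const good = {
  allowOut: ({ rules }) => [...rules.keys()],
  denyOut: ({ allTraffic }) => [allTraffic],
  rules: new Map([['api.example.com', [{ transform: { headers: { 'X-Trace': 'on' } } }]]]),
}
console.log(lintNetwork(bad))
console.log(lintNetwork(good))
```

Running the check before Sandbox.create() catches a rule set that would leave egress wider than intended.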

Updating network settings on a running sandbox

You can update the network configuration of an already running sandbox using updateNetwork (JavaScript) or update_network (Python). This replaces the current egress rules with the provided configuration without restarting the sandbox.
import { Sandbox } from 'e2b'

const sandbox = await Sandbox.create()

// Tighten egress on the running sandbox: block 8.8.8.8
await sandbox.updateNetwork({
  denyOut: ['8.8.8.8'],
})

// Replace with an allow-list only
await sandbox.updateNetwork({
  denyOut: ({ allTraffic }) => [allTraffic],
  allowOut: ['api.example.com'],
})

// Toggle internet access without recreating the sandbox
await sandbox.updateNetwork({ allowInternetAccess: false })
updateNetwork / update_network replaces the current egress configuration — it does not merge with the existing rules. Calling it with an empty object (updateNetwork({}) / update_network({})) clears all allow and deny rules set at create time.
Create-only options such as allowPublicTraffic / allow_public_traffic, maskRequestHost / mask_request_host and network rules in network.rules cannot be changed after the sandbox is created.
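
Because an update replaces rather than merges, a change to one list has to be sent together with everything that should stay in force. The helper below is an added example, not SDK code: nextEgress, CREATE_ONLY and the addAllow / addDeny / removeAllow change keys are hypothetical, and the tracked state is assumed to hold plain arrays.

```javascript
// Added example: build the full config for updateNetwork from tracked state.
// nextEgress and CREATE_ONLY are hypothetical names, not SDK exports.
const CREATE_ONLY = ['allowPublicTraffic', 'maskRequestHost', 'rules']

function nextEgress(current, change) {
  // Create-only options cannot be changed on a running sandbox.
  const blocked = CREATE_ONLY.filter((key) => key in change)
  if (blocked.length)
    throw new Error(`create-only option(s) cannot be updated: ${blocked.join(', ')}`)
  const union = (a = [], b = []) => [...new Set([...a, ...b])]
  const remove = new Set(change.removeAllow ?? [])
  // Always return both lists so nothing is silently cleared by the replace.
  return {
    denyOut: union(current.denyOut, change.addDeny),
    allowOut: union(current.allowOut, change.addAllow).filter((e) => !remove.has(e)),
  }
}

// Constructed state mirroring what was passed to Sandbox.create().
const created = { denyOut: ['0.0.0.0/0'], allowOut: ['api.example.com'] }

// Naive patch: sent alone, it replaces the config and the deny-all is gone.
const naive = { allowOut: ['*.github.com'] }

// Full replacement that keeps the deny-all and the earlier allow entry.
const full = nextEgress(created, { addAllow: ['*.github.com'] })
console.log(full)
// await sandbox.updateNetwork(full)  // the call from the page; not run here
```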

Sandbox public URL

Every sandbox has a public URL that can be used to access running services inside the sandbox.
import { Sandbox } from 'e2b'

const sandbox = await Sandbox.create()

// You must always pass a port number to get the host
const host = sandbox.getHost(3000)
console.log(`https://${host}`)
The code above will print something like this:
https://3000-i62mff4ahtrdfdkyn2esc.e2b.app
The leftmost part of the host is the port number passed to the method.

Restricting public access to sandbox URLs

By default, sandbox URLs are publicly accessible. You can restrict access to require authentication using the allowPublicTraffic / allow_public_traffic option:
import { Sandbox } from 'e2b'

// Create sandbox with restricted public access
const sandbox = await Sandbox.create({
  network: {
    allowPublicTraffic: false
  }
})

// The sandbox has a traffic access token
console.log(sandbox.trafficAccessToken)

// Start a server inside the sandbox
await sandbox.commands.run('python -m http.server 8080', { background: true })

const host = sandbox.getHost(8080)
const url = `https://${host}`

// Request without token will fail with 403
const response1 = await fetch(url)
console.log(response1.status) // 403

// Request with token will succeed
const response2 = await fetch(url, {
  headers: {
    'e2b-traffic-access-token': sandbox.trafficAccessToken
  }
})
console.log(response2.status) // 200
When allowPublicTraffic / allow_public_traffic is set to a falsy value, all requests to the sandbox’s public URLs must include the e2b-traffic-access-token header with the value from sandbox.trafficAccessToken / sandbox.traffic_access_token.

Connecting to a server running inside the sandbox

You can start a server inside the sandbox and connect to it using the approach above. In this example we will start a simple HTTP server that listens on port 3000 and responds with the content of the directory where the server is started.
import { Sandbox } from 'e2b'

const sandbox = await Sandbox.create()

// Start a simple HTTP server inside the sandbox.
const process = await sandbox.commands.run('python -m http.server 3000', { background: true })
const host = sandbox.getHost(3000)
const url = `https://${host}`
console.log('Server started at:', url)

// Fetch data from the server inside the sandbox.
const response = await fetch(url);
const data = await response.text();
console.log('Response from server inside sandbox:', data);

// Kill the server process inside the sandbox.
await process.kill()
The output will look like this:
Server started at: https://3000-ip3nfrvajtqu5ktoxugc7.e2b.app
Response from server inside sandbox: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href=".bash_logout">.bash_logout</a></li>
<li><a href=".bashrc">.bashrc</a></li>
<li><a href=".profile">.profile</a></li>
</ul>
<hr>
</body>
</html>

Masking request host headers

You can customize the Host header that gets sent to services running inside the sandbox using the maskRequestHost / mask_request_host option. This is useful when your application expects a specific host format.
import { Sandbox } from 'e2b'

// Create sandbox with custom host masking
const sandbox = await Sandbox.create({
  network: {
    maskRequestHost: 'localhost:${PORT}'
  }
})

// The ${PORT} variable will be replaced with the actual port number.
// Requests to the sandbox will have the Host header set to, for example, localhost:8080
The ${PORT} variable in the mask will be automatically replaced with the actual port number of the requested service.