Factory · Network3
Network.none()deny everything, no interface Network.public_only()public internet only (default) Network.allow_all()allow everythingFactory · Rule3
Rule.allow()permit matching traffic Rule.deny()block matching traffic Rule.allow_dns()open plain DNS to gatewayFactory · Destination6
Destination.any()match any destination Destination.ip()match an exact IP Destination.cidr()match an IP range Destination.domain()match an exact domain Destination.domain_suffix()match apex + subdomains Destination.group()match an address groupFactory · PortBinding2
PortBinding.tcp()published TCP port PortBinding.udp()published UDP portTypes
Typical flow
```python from microsandbox import ( Action, DestGroup, Destination, Network, NetworkPolicy, PortBinding, Protocol, Rule, Sandbox, ) policy = NetworkPolicy( # 1. compose a policy default_egress=Action.DENY, rules=( *Rule.allow_dns(), Rule.allow( protocol=Protocol.TCP, port=443, destination=Destination.group(DestGroup.PUBLIC), ), ), ) sb = await Sandbox.create( # 2. wire it into the sandbox "api", image="python", network=Network( policy=policy, ports=(PortBinding.tcp(8080, 80),), ), ) ``` The default policy denies egress except for an implicit allow-public rule, and allows ingress with no rules. See the [defaults rationale](/networking/overview#defaults) for the asymmetry. `Network`, `Rule`, `Destination`, and `PortBinding` are all frozen dataclasses re-exported from `microsandbox`, each carrying class-method or static-method constructors for the common cases. ## Network factory [`Network`](#network) is a frozen dataclass. The presets below return a `Network` for the common policy shapes; construct one directly for custom policies, ports, DNS, or TLS. --- #### Network.none()Returns
Returns
Returns
Parameters
directionDirectionEGRESS.protocolProtocol | Noneportint | str | None443) or range ("8000-9000").destinationstr | NetworkDestination | NoneReturns
Parameters
directionDirectionEGRESS.protocolProtocol | Noneportint | str | Nonedestinationstr | NetworkDestination | NoneReturns
Returns
(udp_rule, tcp_rule) for DestGroup.HOST on port 53.Parameters
ipstrParameters
cidrstr"10.0.0.0/8".Parameters
domainstrParameters
suffixstr".example.com".Parameters
groupDestGroup | strParameters
host_portintguest_portintbindstr127.0.0.1; use 0.0.0.0 for all IPv4 interfaces.Returns
Parameters
host_portintguest_portintbindstr127.0.0.1.Returns
Used by Sandbox.create(network=...)
Frozen dataclass for sandbox network configuration. Use a [class-method preset](#network-factory) for the common cases, or construct directly with custom options. ```python Network( policy: str | NetworkPolicy | None = None, ports: Mapping[int, int] | Sequence[PortBinding] = {}, deny_domains: tuple[str, ...] = (), deny_domain_suffixes: tuple[str, ...] = (), dns: DnsConfig | None = None, tls: TlsConfig | None = None, ipv4_pool: str | None = None, ipv6_pool: str | None = None, max_connections: int | None = None, on_secret_violation: ViolationAction | ViolationPolicy = ViolationAction.BLOCK_AND_LOG, ) ``` | Field | Type | Default | Description | |-------|------|---------|-------------| | policy | `str \| `[`NetworkPolicy`](#networkpolicy)` \| None` | `None` | Preset name (`"none"`, `"public_only"`, `"allow_all"`) or a custom [`NetworkPolicy`](#networkpolicy) | | ports | `Mapping[int, int] \| Sequence[`[`PortBinding`](#portbinding)`]` | `{}` | Port mappings from host to guest. Mapping form binds TCP to `127.0.0.1`; [`PortBinding`](#portbinding) can set an explicit bind address or UDP | | deny_domains | `tuple[str, ...]` | `()` | Deny egress to these exact domains. Each entry adds a `deny Domain("...")` policy rule that fires at DNS resolution (NXDOMAIN), TLS first-flight (SNI), and TCP egress (cache fallback). Prepended onto the policy so it takes precedence over later allow rules | | deny_domain_suffixes | `tuple[str, ...]` | `()` | Deny egress to all subdomains of these suffixes. Adds `deny DomainSuffix("...")` rules; same enforcement layers as `deny_domains` | | dns | [`DnsConfig`](#dnsconfig)` \| None` | `None` | DNS interception configuration | | tls | [`TlsConfig`](#tlsconfig)` \| None` | `None` | TLS interception configuration | | ipv4_pool | `str \| None` | `None` | IPv4 pool used for per-sandbox `/30` guest subnets. Defaults to `172.16.0.0/12` | | ipv6_pool | `str \| None` | `None` | IPv6 pool used for per-sandbox `/64` guest prefixes. Defaults to `fd42:6d73:62::/48` | | max_connections | `int \| None` | `None` | Maximum concurrent connections | | on_secret_violation | [`ViolationAction`](/sdk/python/secrets#violationaction)` \| `[`ViolationPolicy`](/sdk/python/secrets#violationpolicy) | `BLOCK_AND_LOG` | Sandbox-wide action when a secret placeholder reaches a disallowed host | | Class method | Returns | Description | |--------------|---------|-------------| | [none()](#network-none) | [`Network`](#network) | Deny all traffic, no interface | | [public_only()](#network-public_only) | [`Network`](#network) | Public destinations only (default) | | [allow_all()](#network-allow_all) | [`Network`](#network) | Unrestricted access | ### NetworkPolicyUsed by Network(policy=...)
Frozen dataclass: an ordered list of [`Rule`](#rule) values plus two per-direction defaults, evaluated first-match-wins. The defaults are asymmetric to preserve today's behavior: egress falls through to deny (public_only reachability when paired with the implicit allow-public rule); ingress falls through to allow (unfiltered published-port behavior). ```python NetworkPolicy( default_egress: Action = Action.DENY, default_ingress: Action = Action.ALLOW, rules: tuple[Rule, ...] = (), ) ``` | Field | Type | Default | Description | |-------|------|---------|-------------| | default_egress | [`Action`](#action) | `DENY` | Action when no egress-applicable rule matches | | default_ingress | [`Action`](#action) | `ALLOW` | Action when no ingress-applicable rule matches | | rules | `tuple[`[`Rule`](#rule)`, ...]` | `()` | Rules evaluated first-match-wins per direction | ### RuleUsed by NetworkPolicy(rules=...)
Frozen dataclass for a single network policy rule. Prefer the [`Rule.allow()`](#rule-allow) / [`Rule.deny()`](#rule-deny) class methods over the positional constructor. ```python Rule( action: Action, direction: Direction = Direction.EGRESS, destination: str | NetworkDestination | None = None, protocol: Protocol | None = None, port: int | str | None = None, ) ``` | Field | Type | Default | Description | |-------|------|---------|-------------| | action | [`Action`](#action) | - | What to do when this rule matches | | direction | [`Direction`](#direction) | `EGRESS` | Which evaluator considers this rule. `Direction.ANY` matches in either direction | | destination | `str \| `[`NetworkDestination`](#networkdestination)` \| None` | `None` | Target filter. Prefer typed [`Destination`](#destination) helpers; string shorthand also works ([`DestGroup`](#destgroup) values, exact IPs, domains, CIDR ranges, domain suffixes prefixed with `"."`, or `"*"` for any). Domain and suffix strings are validated at sandbox creation; invalid names raise `ValueError` | | protocol | [`Protocol`](#protocol)` \| None` | `None` | Protocol filter | | port | `int \| str \| None` | `None` | Single port (`443`) or range (`"8000-9000"`) | Ingress rules carrying ICMP protocols are rejected at sandbox creation; the host has no inbound ICMP path. Use `Direction.EGRESS` for ICMP allow/deny. | Class method | Returns | Description | |--------------|---------|-------------| | [allow(...)](#rule-allow) | [`Rule`](#rule) | Permit matching traffic | | [deny(...)](#rule-deny) | [`Rule`](#rule) | Block matching traffic | | [allow_dns()](#rule-allow_dns) | `tuple[`[`Rule`](#rule)`, `[`Rule`](#rule)`]` | Open plain DNS to the gateway | ### DestinationReturns NetworkDestination · used by Rule.allow() / Rule.deny()
Factory namespace ([static methods](#destination-factory)) producing typed [`NetworkDestination`](#networkdestination) values. | Method | Returns | Description | |--------|---------|-------------| | [any()](#destination-any) | [`NetworkDestination`](#networkdestination) | Match any destination | | [ip(ip)](#destination-ip) | [`NetworkDestination`](#networkdestination) | Match an exact IPv4 or IPv6 address (`/32` or `/128`) | | [cidr(cidr)](#destination-cidr) | [`NetworkDestination`](#networkdestination) | Match a CIDR range | | [domain(domain)](#destination-domain) | [`NetworkDestination`](#networkdestination) | Match an exact domain | | [domain_suffix(suffix)](#destination-domain_suffix) | [`NetworkDestination`](#networkdestination) | Match the apex domain and all subdomains | | [group(group)](#destination-group) | [`NetworkDestination`](#networkdestination) | Match a [`DestGroup`](#destgroup) value | ### NetworkDestinationProduced by Destination helpers
Frozen dataclass produced by [`Destination`](#destination) helpers. ```python NetworkDestination( kind: Literal["any", "ip", "cidr", "domain", "domain_suffix", "group"], value: str | None = None, ) ``` | Field | Type | Default | Description | |-------|------|---------|-------------| | kind | `Literal["any", "ip", "cidr", "domain", "domain_suffix", "group"]` | - | Destination variant | | value | `str \| None` | `None` | Variant value, omitted for `Destination.any()` | ### PortBindingUsed by Network(ports=...)
Frozen dataclass for a published host-to-guest port with an optional host bind address. Prefer the [`PortBinding.tcp()`](#portbinding-tcp) / [`PortBinding.udp()`](#portbinding-udp) class methods. ```python PortBinding( host_port: int, guest_port: int, bind: str = "127.0.0.1", protocol: PortProtocol = PortProtocol.TCP, ) ``` | Field | Type | Default | Description | |-------|------|---------|-------------| | host_port | `int` | - | Port on the host | | guest_port | `int` | - | Port inside the sandbox | | bind | `str` | `"127.0.0.1"` | Host address to bind. Use `0.0.0.0` for all IPv4 interfaces | | protocol | [`PortProtocol`](#portprotocol) | `TCP` | Published port protocol | | Class method | Returns | Description | |--------------|---------|-------------| | [tcp(host_port, guest_port, *, bind)](#portbinding-tcp) | [`PortBinding`](#portbinding) | A TCP port binding | | [udp(host_port, guest_port, *, bind)](#portbinding-udp) | [`PortBinding`](#portbinding) | A UDP port binding | ### DnsConfigUsed by Network(dns=...)
Frozen dataclass for DNS interception settings. The value type of [`Network.dns`](#network); import it from `microsandbox.types`. ```python DnsConfig( rebind_protection: bool = True, nameservers: tuple[str, ...] = (), query_timeout_ms: int | None = None, ) ``` | Field | Type | Default | Description | |-------|------|---------|-------------| | rebind_protection | `bool` | `True` | Block DNS responses resolving to private IPs | | nameservers | `tuple[str, ...]` | `()` | Nameservers (`IP`, `IP:PORT`, `HOST`, or `HOST:PORT`). Overrides the host's `/etc/resolv.conf` when set. Hostnames are resolved once at startup via the host's OS resolver | | query_timeout_ms | `int \| None` | `None` | Per-DNS-query timeout in milliseconds. Defaults to `5000` | ### TlsConfigUsed by Network(tls=...)
Frozen dataclass for TLS interception settings within [`Network`](#network). ```python TlsConfig( bypass: tuple[str, ...] = (), verify_upstream: bool = True, intercepted_ports: tuple[int, ...] = (443,), block_quic: bool = False, ca_cert: str | None = None, ca_key: str | None = None, ca_cn: str | None = None, ) ``` | Field | Type | Default | Description | |-------|------|---------|-------------| | bypass | `tuple[str, ...]` | `()` | Domains to skip interception. Use for domains with certificate pinning | | verify_upstream | `bool` | `True` | Verify upstream server certificates. Set to `False` only for self-signed servers | | intercepted_ports | `tuple[int, ...]` | `(443,)` | TCP ports where TLS interception is active | | block_quic | `bool` | `False` | Block QUIC/HTTP3 (UDP) on intercepted ports, forcing TCP/TLS fallback | | ca_cert | `str \| None` | `None` | Path to a custom interception CA certificate PEM file | | ca_key | `str \| None` | `None` | Path to a custom interception CA private key PEM file | | ca_cn | `str \| None` | `None` | Common name for the generated interception CA | ### ActionUsed by NetworkPolicy · Rule
String enum (`StrEnum`) for policy actions, so the string values are accepted directly. | Value | Description | |-------|-------------| | `"allow"` | Permit the traffic | | `"deny"` | Drop the traffic silently | ### DirectionUsed by Rule
String enum for traffic direction. | Value | Description | |-------|-------------| | `"egress"` | Traffic leaving the sandbox | | `"ingress"` | Traffic entering the sandbox (via published ports) | | `"any"` | Rule applies in either direction | ### ProtocolUsed by Rule
String enum for network protocols in policy rules. | Value | Description | |-------|-------------| | `"tcp"` | TCP traffic | | `"udp"` | UDP traffic | | `"icmpv4"` | ICMPv4 traffic | | `"icmpv6"` | ICMPv6 traffic | ### PortProtocolUsed by PortBinding
String enum for port-level protocol selection. | Value | Description | |-------|-------------| | `"tcp"` | TCP port | | `"udp"` | UDP port | ### DestGroupUsed by Destination.group()
String enum for well-known destination groups used in [`Destination.group()`](#destination-group) or string-shorthand [`Rule.destination`](#rule). | Value | Description | |-------|-------------| | `"public"` | Complement of the named categories: every address not in any other group | | `"private"` | Private/RFC 1918 addresses + ULA + CGN (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `100.64.0.0/10`, `fc00::/7`) | | `"loopback"` | Loopback addresses (`127.0.0.0/8`, `::1`); the **guest's own** loopback, not the host. See the [loopback-vs-host watch-out](/networking/overview#loopback-vs-host-a-common-trap) | | `"link-local"` | Link-local addresses (`169.254.0.0/16`, `fe80::/10`) excluding metadata | | `"metadata"` | Cloud metadata endpoints (`169.254.169.254`) | | `"multicast"` | Multicast addresses (`224.0.0.0/4`, `ff00::/8`) | | `"host"` | The host machine, reached via `host.microsandbox.internal`. This is the right group for "let the sandbox reach my host's localhost", not `"loopback"` |