consultance.ai · enterprise AI

Enterprise AI Perimeter Setup Guide

Install it yourself. The two features that keep a Claude agent inside your network, with the exact commands: self-hosted sandboxes (tool execution on your infrastructure) and MCP tunnels (the agent reaches your internal systems over one outbound, encrypted connection, no public endpoint). Independent. They stack.

Read this first. These move tool execution and internal-system access inside your boundary. The agent loop (orchestration, context, model reasoning) still runs on Anthropic's infrastructure — this is not local model hosting. Status: self-hosted sandboxes = public beta, MCP tunnels = research preview (request access). Not GA. A vendor cert is not your compliance: Anthropic carries SOC 2 Type II, ISO 27001, ISO 42001, HIPAA; your deployment compliance is still your controls.

Self-hosted sandboxes: public betaMCP tunnels: research previewNot on Claude Platform on AWS yet

Part 1 — Self-hosted sandboxes

Anthropic keeps orchestration. An environment worker you run on your own infrastructure claims each session from a work queue, downloads the agent's skills, runs tool calls locally, and posts results back. The agent's code, filesystem, and network egress never leave your environment.

Step 1 — Create a self-hosted environment

In the Console: Workspace > Environments > New > Self-hosted. Or via CLI:

ant beta:environments create \
  --name self-hosted \
  --config '{"type": "self_hosted"}'

Or via API:

curl -sS --fail-with-body https://api.anthropic.com/v1/environments \
  -H "x-api-key: $ANTHROPIC_API_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -H "anthropic-beta: managed-agents-2026-04-01" \
  -H "content-type: application/json" \
  -d '{"name": "self-hosted", "config": {"type": "self_hosted"}}'

Step 2 — Generate the environment key

In the Console, open the environment, click Generate environment key. On the worker host:

export ANTHROPIC_ENVIRONMENT_KEY="sk-ant-oat01-..."
export ANTHROPIC_ENVIRONMENT_ID="env_..."

Step 3 — Install the ant CLI on the worker machine

VERSION=1.9.1
OS=$(uname -s | tr '[:upper:]' '[:lower:]')
ARCH=$(uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
curl -fsSL "https://github.com/anthropics/anthropic-cli/releases/download/v${VERSION}/ant_${VERSION}_${OS}_${ARCH}.tar.gz" \
  | sudo tar -xz -C /usr/local/bin ant

Step 4 — Run the worker

ant beta:worker poll --workdir "/workspace"

It claims sessions, downloads skills to /workspace/skills/<name>/, runs tool calls, posts results. Exits cleanly on SIGTERM/SIGINT, draining in-flight calls.

Step 5 — Container per session (stronger isolation)

For a fresh filesystem, resource limits, and network controls per session, build an image with ant and ant beta:worker run as entrypoint:

FROM your-base-image
ARG ANT_VERSION=1.9.1
ARG TARGETARCH
RUN ARCH=$([ "$TARGETARCH" = "arm64" ] && echo arm64 || echo amd64) && \
    curl -fsSL "https://github.com/anthropics/anthropic-cli/releases/download/v${ANT_VERSION}/ant_${ANT_VERSION}_linux_${ARCH}.tar.gz" \
      | tar -xz -C /usr/local/bin ant
WORKDIR /workspace
VOLUME /mnt/session/outputs
ENTRYPOINT ["ant", "beta:worker", "run"]

Then point the poller at a per-session spawn script:

ant beta:worker poll --on-work ./spawn.sh

Step 6 — Start a session targeting the environment

ant beta:sessions create --agent "$AGENT_ID" --environment-id "$ENVIRONMENT_ID"

SDK option

The Python / TypeScript / Go SDKs ship EnvironmentWorker (always-on .run() or single .handle_item()), plus a webhook pattern that wakes on the session.status_run_started event. SDK helpers require /bin/bash; the TS SDK also needs unzip, tar, Node 22+.

Managed sandbox providers (if you do not want bare metal)

Cloudflare — microVMs at scale, zero-trust secrets injection, customizable proxies
Daytona — stateful, long-running composable computers
Modal — sub-second startup, GPU/CPU on demand
Vercel — millisecond startup, VPC peering

Filesystem contract

/workspace — working dir + skills download (change with --workdir, update the agent system prompt if you do)
/mnt/session/outputs — agent writes final outputs here; mount a host dir to retrieve them

Part 2 — MCP tunnels

Your agent reaches MCP servers inside your private network (internal databases, private APIs, knowledge bases, ticketing) as tools. You deploy a lightweight gateway that makes a single outbound connection to Anthropic. No inbound firewall rules, no public endpoints, traffic encrypted end to end.

Request research-preview access. Works in both Managed Agents and the Messages API.
Configure in the Console — MCP tunnels are managed from workspace settings by organization admins.
Deploy the lightweight gateway inside your network, next to the MCP servers it fronts. It opens the single outbound connection; you open no inbound ports.
Register your internal MCP servers as tools through the tunnel. A session in Anthropic's cloud containers OR in your self-hosted sandbox can both reach them.

Combine the two when you want execution AND tool access inside your boundary: self-hosted sandbox for where code runs, MCP tunnel for how Anthropic reaches your internal servers.

Part 3 — Operations + security guardrails

Monitor the queue from your ops tooling (authenticate with your org API key, not on the worker host):

curl -sS "https://api.anthropic.com/v1/environments/$ANTHROPIC_ENVIRONMENT_ID/work/stats" \
  -H "x-api-key: $ANTHROPIC_API_KEY" \
  -H "anthropic-beta: managed-agents-2026-04-01" \
  -H "anthropic-version: 2023-06-01"

Watch depth (backlog), pending (in-flight), workers_polling (liveness).

Hard rules, do not skip.

Never set ANTHROPIC_API_KEY on the worker host. It is an org-scoped credential and tool calls running there could read it. The worker authenticates with the scoped environment key only. Ops/monitoring calls run from a separate host.
You own the network policy on the sandbox. Lock egress to only what the agent needs.
You own RBAC and least privilege on whatever the MCP tunnel exposes. A tunnel to your DB means the agent can reach your DB. Scope it to the minimum.
You own the audit trail. Log what the agent touched in a way that survives, for your auditor.
Container-per-session when sessions touch sensitive or separable data.
Note: Memory is not yet supported with self-hosted sandboxes.

The honest ceiling

This keeps your data, tool execution, and internal-system access inside your perimeter. It does not move the model itself in-house, it is preview/beta, and it does not grant you a compliance certification. What it does is answer the one question that killed most regulated AI pilots: where does the data live. The answer is now "inside your boundary." That is the part that was missing.

If you want this wired into your actual stack (gateway placement, egress policy, RBAC scoping, audit logging, container isolation), that is implementation work. Reply "wire it" and we will send a 30-minute slot.

Sources: Anthropic Managed Agents docs (self-hosted sandboxes, MCP tunnels overview, security model), Claude Console. Informational, not legal or compliance advice. Verify preview/beta status and feature eligibility against current Anthropic docs before production use.

consultance.ai