feat: add sandbox network out configuration (#1447)

Author: dobrac

.golangci.yml

@@ -72,16 +72,16 @@ linters:
       forbid:
         - pattern: "^new$"
           msg: "Use &Type{} instead."
-#        - pattern: os\.Getenv
-#          msg: "Add your field to the configuration model instead."
+    #        - pattern: os\.Getenv
+    #          msg: "Add your field to the configuration model instead."
 
     gocritic:
       disabled-checks:
         - appendAssign
     revive:
       enable-all-rules: true
       rules:
-        - { disabled: true, name: add-constant }  # todo: enable this
+        - { disabled: true, name: add-constant } # todo: enable this
         - { disabled: true, name: argument-limit }
         - { disabled: true, name: bare-return }
         - { disabled: true, name: blank-imports }
@@ -96,7 +96,7 @@ linters:
         - { disabled: true, name: early-return }
         - { disabled: true, name: enforce-switch-style }
         - { disabled: true, name: exported }
-        - { disabled: true, name: flag-parameter }   # todo: enable this
+        - { disabled: true, name: flag-parameter } # todo: enable this
         - { disabled: true, name: function-length }
         - { disabled: true, name: function-result-limit }
         - { disabled: true, name: get-return }
@@ -109,24 +109,24 @@ linters:
         - { disabled: true, name: package-comments }
         - { disabled: true, name: unchecked-type-assertion }
         - { disabled: true, name: unexported-naming }
-        - { disabled: true, name: unhandled-error }  #  todo: enable this
-        - { disabled: true, name: unnecessary-format }  # todo: enable this
-        - { disabled: true, name: unnecessary-stmt }  # todo: enable this
+        - { disabled: true, name: unhandled-error } #  todo: enable this
+        - { disabled: true, name: unnecessary-format } # todo: enable this
+        - { disabled: true, name: unnecessary-stmt } # todo: enable this
         - { disabled: true, name: unused-receiver }
-        - { disabled: true, name: use-errors-new }  # todo: enable this
+        - { disabled: true, name: use-errors-new } # todo: enable this
         - { disabled: true, name: var-declaration }
         - { disabled: true, name: var-naming }
 
     staticcheck:
       checks:
         - all
-        - -S1002  # Omit comparison with boolean constant
-        - -SA1019  # TODO: Remove (Using a deprecated function, variable, constant or field)
-        - -ST1000  # Incorrect or missing package comment
-        - -ST1020  # The documentation of an exported function should start with the function’s name
-        - -ST1021  # The documentation of an exported type should start with type’s name
-        - -ST1003  # Poorly chosen identifier
-        - -QF1008  # Omit embedded fields from selector expression
+        - -S1002 # Omit comparison with boolean constant
+        - -SA1019 # TODO: Remove (Using a deprecated function, variable, constant or field)
+        - -ST1000 # Incorrect or missing package comment
+        - -ST1020 # The documentation of an exported function should start with the function’s name
+        - -ST1021 # The documentation of an exported type should start with type’s name
+        - -ST1003 # Poorly chosen identifier
+        - -QF1008 # Omit embedded fields from selector expression
 
 run:
   go: 1.24.7

packages/api/internal/api/spec.gen.go

@@ -13,8 +13,9 @@ import (
 	"go.uber.org/zap"
 
 	"github.com/e2b-dev/infra/packages/api/internal/api"
-	"github.com/e2b-dev/infra/packages/api/internal/db/types"
+	typesteam "github.com/e2b-dev/infra/packages/api/internal/db/types"
 	"github.com/e2b-dev/infra/packages/db/queries"
+	"github.com/e2b-dev/infra/packages/db/types"
 	sbxlogger "github.com/e2b-dev/infra/packages/shared/pkg/logger/sandbox"
 	"github.com/e2b-dev/infra/packages/shared/pkg/telemetry"
 )
@@ -28,7 +29,7 @@ func (a *APIStore) startSandbox(
 	envVars map[string]string,
 	metadata map[string]string,
 	alias string,
-	team *types.Team,
+	team *typesteam.Team,
 	build queries.EnvBuild,
 	requestHeader *http.Header,
 	isResume bool,
@@ -37,6 +38,7 @@ func (a *APIStore) startSandbox(
 	autoPause bool,
 	envdAccessToken *string,
 	allowInternetAccess *bool,
+	network *types.SandboxNetworkConfig,
 	mcp api.Mcp,
 ) (*api.Sandbox, *api.APIError) {
 	startTime := time.Now()
@@ -62,6 +64,7 @@ func (a *APIStore) startSandbox(
 		autoPause,
 		envdAccessToken,
 		allowInternetAccess,
+		network,
 	)
 	if instanceErr != nil {
 		telemetry.ReportError(ctx, "error when creating instance", instanceErr.Err)

packages/api/internal/api/types.gen.go

@@ -154,7 +154,8 @@ func (a *APIStore) PostSandboxesSandboxIDConnect(c *gin.Context, sandboxID api.S
 		autoPause,
 		envdAccessToken,
 		snap.AllowInternetAccess,
-		nil,
+		snap.Config.Network,
+		nil, // mcp
 	)
 	if createErr != nil {
 		zap.L().Error("Failed to resume sandbox", zap.Error(createErr.Err))

packages/api/internal/handlers/sandbox.go

@@ -13,10 +13,11 @@ import (
 
 	"github.com/e2b-dev/infra/packages/api/internal/api"
 	"github.com/e2b-dev/infra/packages/api/internal/auth"
-	"github.com/e2b-dev/infra/packages/api/internal/db/types"
+	typesteam "github.com/e2b-dev/infra/packages/api/internal/db/types"
 	"github.com/e2b-dev/infra/packages/api/internal/middleware/otel/metrics"
 	"github.com/e2b-dev/infra/packages/api/internal/sandbox"
 	"github.com/e2b-dev/infra/packages/api/internal/utils"
+	"github.com/e2b-dev/infra/packages/db/types"
 	"github.com/e2b-dev/infra/packages/shared/pkg/id"
 	"github.com/e2b-dev/infra/packages/shared/pkg/logger"
 	sbxlogger "github.com/e2b-dev/infra/packages/shared/pkg/logger/sandbox"
@@ -43,7 +44,7 @@ func (a *APIStore) PostSandboxes(c *gin.Context) {
 	ctx := c.Request.Context()
 
 	// Get team from context, use TeamContextKey
-	teamInfo := c.Value(auth.TeamContextKey).(*types.Team)
+	teamInfo := c.Value(auth.TeamContextKey).(*typesteam.Team)
 
 	c.Set("teamID", teamInfo.Team.ID.String())
 
@@ -157,6 +158,16 @@ func (a *APIStore) PostSandboxes(c *gin.Context) {
 
 	allowInternetAccess := body.AllowInternetAccess
 
+	var network *types.SandboxNetworkConfig
+	if body.Network != nil {
+		network = &types.SandboxNetworkConfig{
+			Egress: &types.SandboxNetworkEgressConfig{
+				AllowedAddresses: sharedUtils.DerefOrDefault(body.Network.AllowOut, nil),
+				DeniedAddresses:  sharedUtils.DerefOrDefault(body.Network.DenyOut, nil),
+			},
+		}
+	}
+
 	sbx, createErr := a.startSandbox(
 		ctx,
 		sandboxID,
@@ -173,6 +184,7 @@ func (a *APIStore) PostSandboxes(c *gin.Context) {
 		autoPause,
 		envdAccessToken,
 		allowInternetAccess,
+		network,
 		mcp,
 	)
 	if createErr != nil {

packages/api/internal/handlers/sandbox_connect.go

@@ -153,7 +153,8 @@ func (a *APIStore) PostSandboxesSandboxIDResume(c *gin.Context, sandboxID api.Sa
 		autoPause,
 		envdAccessToken,
 		snap.AllowInternetAccess,
-		nil,
+		snap.Config.Network,
+		nil, // mcp
 	)
 	if createErr != nil {
 		zap.L().Error("Failed to resume sandbox", zap.Error(createErr.Err))

packages/api/internal/handlers/sandbox_create.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"strings"
 	"time"
 
 	"go.opentelemetry.io/otel/attribute"
@@ -13,25 +14,64 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/e2b-dev/infra/packages/api/internal/api"
-	"github.com/e2b-dev/infra/packages/api/internal/db/types"
+	teamtypes "github.com/e2b-dev/infra/packages/api/internal/db/types"
 	"github.com/e2b-dev/infra/packages/api/internal/orchestrator/nodemanager"
 	"github.com/e2b-dev/infra/packages/api/internal/orchestrator/placement"
 	"github.com/e2b-dev/infra/packages/api/internal/sandbox"
 	"github.com/e2b-dev/infra/packages/api/internal/utils"
 	"github.com/e2b-dev/infra/packages/db/queries"
+	"github.com/e2b-dev/infra/packages/db/types"
 	"github.com/e2b-dev/infra/packages/shared/pkg/consts"
 	"github.com/e2b-dev/infra/packages/shared/pkg/grpc/orchestrator"
 	"github.com/e2b-dev/infra/packages/shared/pkg/logger"
 	"github.com/e2b-dev/infra/packages/shared/pkg/telemetry"
 	ut "github.com/e2b-dev/infra/packages/shared/pkg/utils"
 )
 
+const internetBlockCIDR = "0.0.0.0/0"
+
+// Convert a list of string addresses to the SetData type
+func addressStringsToCIDRs(addressStrings []string) []string {
+	data := make([]string, 0, len(addressStrings))
+
+	for _, addressString := range addressStrings {
+		if !strings.Contains(addressString, "/") {
+			addressString += "/32"
+		}
+		data = append(data, addressString)
+	}
+
+	return data
+}
+
+// buildNetworkConfig constructs the orchestrator network configuration from the input parameters
+func buildNetworkConfig(network *types.SandboxNetworkConfig, allowInternetAccess *bool) *orchestrator.SandboxNetworkConfig {
+	orchNetwork := &orchestrator.SandboxNetworkConfig{
+		Egress: &orchestrator.SandboxNetworkEgressConfig{},
+	}
+
+	// Copy network configuration if provided
+	if network != nil && network.Egress != nil {
+		orchNetwork.Egress.AllowedCidrs = addressStringsToCIDRs(network.Egress.AllowedAddresses)
+		orchNetwork.Egress.DeniedCidrs = addressStringsToCIDRs(network.Egress.DeniedAddresses)
+	}
+
+	// Handle the case where internet access is explicitly disabled
+	// This should be applied after copying the network config to preserve allowed addresses
+	if allowInternetAccess != nil && !*allowInternetAccess {
+		// Block all internet access - this overrides any other blocked addresses
+		orchNetwork.Egress.DeniedCidrs = []string{internetBlockCIDR}
+	}
+
+	return orchNetwork
+}
+
 func (o *Orchestrator) CreateSandbox(
 	ctx context.Context,
 	sandboxID,
 	executionID,
 	alias string,
-	team *types.Team,
+	team *teamtypes.Team,
 	build queries.EnvBuild,
 	metadata map[string]string,
 	envVars map[string]string,
@@ -44,6 +84,7 @@ func (o *Orchestrator) CreateSandbox(
 	autoPause bool,
 	envdAuthToken *string,
 	allowInternetAccess *bool,
+	network *types.SandboxNetworkConfig,
 ) (sbx sandbox.Sandbox, apiErr *api.APIError) {
 	ctx, childSpan := tracer.Start(ctx, "create-sandbox")
 	defer childSpan.End()
@@ -138,6 +179,8 @@ func (o *Orchestrator) CreateSandbox(
 		sbxDomain = cluster.SandboxDomain
 	}
 
+	sbxNetwork := buildNetworkConfig(network, allowInternetAccess)
+
 	sbxRequest := &orchestrator.SandboxCreateRequest{
 		Sandbox: &orchestrator.SandboxConfig{
 			BaseTemplateId:      baseTemplateID,
@@ -160,6 +203,7 @@ func (o *Orchestrator) CreateSandbox(
 			Snapshot:            isResume,
 			AutoPause:           autoPause,
 			AllowInternetAccess: allowInternetAccess,
+			Network:             sbxNetwork,
 			TotalDiskSizeMb:     ut.FromPtr(build.TotalDiskSizeMb),
 		},
 		StartTime: timestamppb.New(startTime),
@@ -237,6 +281,7 @@ func (o *Orchestrator) CreateSandbox(
 		allowInternetAccess,
 		baseTemplateID,
 		sbxDomain,
+		network,
 	)
 
 	o.sandboxStore.Add(ctx, sbx, true)

packages/api/internal/handlers/sandbox_resume.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/e2b-dev/infra/packages/api/internal/sandbox"
 	"github.com/e2b-dev/infra/packages/api/internal/utils"
+	"github.com/e2b-dev/infra/packages/db/types"
 	"github.com/e2b-dev/infra/packages/shared/pkg/consts"
 )
 
@@ -46,6 +47,13 @@ func (n *Node) GetSandboxes(ctx context.Context) ([]sandbox.Sandbox, error) {
 			return nil, fmt.Errorf("failed to parse build ID '%s' for job: %w", config.GetBuildId(), parseErr)
 		}
 
+		network := &types.SandboxNetworkConfig{
+			Egress: &types.SandboxNetworkEgressConfig{
+				AllowedAddresses: config.GetNetwork().GetEgress().GetAllowedCidrs(),
+				DeniedAddresses:  config.GetNetwork().GetEgress().GetDeniedCidrs(),
+			},
+		}
+
 		sandboxesInfo = append(
 			sandboxesInfo,
 			sandbox.NewSandbox(
@@ -73,6 +81,7 @@ func (n *Node) GetSandboxes(ctx context.Context) ([]sandbox.Sandbox, error) {
 				config.AllowInternetAccess, //nolint:protogetter // we need the nil check too
 				config.GetBaseTemplateId(),
 				n.SandboxDomain,
+				network,
 			),
 		)
 	}

packages/api/internal/orchestrator/create_instance.go

@@ -43,6 +43,10 @@ func (o *Orchestrator) pauseSandbox(ctx context.Context, node *nodemanager.Node,
 		EnvdSecured:         sbx.EnvdAccessToken != nil,
 		AllowInternetAccess: sbx.AllowInternetAccess,
 		AutoPause:           sbx.AutoPause,
+		Config: &types.PausedSandboxConfig{
+			Version: types.PausedSandboxConfigVersion,
+			Network: sbx.Network,
+		},
 	}
 
 	envBuild, err := o.dbClient.NewSnapshotBuild(