Sandbox Model
Each sandbox is an ephemeral cloud VM provisioned exclusively for your workload. This page describes how sandboxes are isolated and how network traffic is handled.
Compute Isolation
Every sandbox runs in its own dedicated virtual machine. Sandboxes cannot communicate with each other or with Iron.sh infrastructure. The file system is destroyed when the sandbox is torn down, so no data persists between runs unless you explicitly copy it out.
Network Isolation
All outbound traffic from a sandbox is routed through a network bridge that Iron.sh controls. The bridge sits between the sandbox and the internet and is responsible for observing and enforcing egress rules.
Traffic Rules
| Traffic Type | Default Behavior |
|---|---|
| Inbound SSH (TCP 22) | Allowed via bridge from host to VM |
| Outbound SSH (TCP 22) | Allowed only to manually whitelisted IP ranges [1] |
| ICMP (ping) | Allowed |
| HTTPS / other TCP | Allowed or blocked based on egress rules |
| All other traffic | Blocked |
Egress Observation
The bridge inspects the hostname of every outbound connection attempt and records it in the egress audit log. This is how irons audit egress is able to show you every domain your workload has tried to reach, along with whether it was allowed or denied:
irons audit egress --vm my-sandbox --follow
Because enforcement happens at the bridge level — outside the VM — a compromised workload cannot bypass egress controls by manipulating software inside the sandbox.
Egress Modes
Egress rules can operate in two modes:
| Mode | Behavior |
|---|---|
| warn | All outbound connections are permitted, but violations are logged |
| enforce | Outbound connections to non-allowlisted domains are blocked |
Use warn mode when you’re first profiling a workload to discover which domains it reaches. Switch to enforce once you’ve built a precise allowlist.
irons egress mode warn # observe without blocking
irons egress mode enforce # enforce the allowlist
Allowlisting Hosts
Egress rules are host-based. You can allowlist a hostname, a raw IP address, or a CIDR range using the CLI:
irons egress add --host api.github.com
irons egress add --host pypi.org
irons egress add --host 203.0.113.42
irons egress add --cidr 10.0.0.0/8
Default Egress Rules
Every VM starts with a built-in allowlist of hosts and CIDR ranges that covers the registries, package managers, and services most workloads need. The defaults are organized into the following groups:
| Group | What’s covered |
|---|---|
| GitHub | github.com, ghcr.io, *.actions.githubusercontent.com, and related hosts used for API access, package downloads, container pulls, and Git over HTTPS |
| APT | mirrors.edge.kernel.org and related Debian/Ubuntu mirrors |
| Node | registry.npmjs.org, registry.yarnpkg.com, nodejs.org, and related hosts |
| PyPI | pypi.org, *.pythonhosted.org, and test/upload endpoints |
| Go | proxy.golang.org, sum.golang.org, pkg.go.dev, and related hosts |
| Rust | crates.io, index.crates.io, sh.rustup.rs, and related hosts |
| Ruby | rubygems.org, index.rubygems.org, cache.ruby-lang.org, and related hosts |
| Java | repo.maven.apache.org and repo1.maven.org |
| Docker | registry-1.docker.io, auth.docker.io, quay.io, and related registries |
| Ubuntu | security.ubuntu.com, *.archive.ubuntu.com, and related Ubuntu infrastructure |
| OpenAI | api.openai.com, chatgpt.com, and related hosts |
| Anthropic | api.anthropic.com, claude.ai, and related hosts |
| Homebrew | formulae.brew.sh |
| Foundry | foundry.paradigm.xyz |
| Misc. | mise.run, tuf-repo-cdn.sigstore.dev, www.example.com, and a few others |
In addition to hostnames, a set of GitHub IP CIDR ranges is included by default to support Git operations over SSH.
To view the full list of default hosts and CIDR ranges applied to your account, use the CLI:
irons egress list
Default rules can be supplemented with your own entries (see Allowlisting Hosts). They can also be removed via:
irons egress remove <rule_id>
SSH Access
Inbound SSH to a sandbox is routed through a bridge on the host machine. The bridge forwards connections on an assigned host port to port 22 inside the VM. Use irons ssh --command to get the exact host and port for a given sandbox:
irons ssh my-sandbox --command
# e.g. ssh -p 32847 user@host.iron.sh
The SSH key you provide at creation time (--key, defaulting to ~/.ssh/id_rsa.pub) is the only credential accepted.
For outbound SSH from the sandbox (for example, to push to a Git remote over SSH), the destination must be manually whitelisted by IP address or CIDR range. Domain-based egress rules do not apply to SSH traffic because the SSH client resolves DNS before opening the TCP connection, so by the time the bridge sees the traffic there is no hostname to match against — only an IP address.
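The rule types, the two modes and the SSH caveat described above can be modelled as a small policy evaluator. This is an added example, not Iron.sh code: the `EgressPolicy` class, its method names, the wildcard semantics and the choice to apply warn/enforce to SSH the same way as other TCP are assumptions, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

SSH_PORT = 22


class EgressPolicy:
    """Toy model of a host-based egress allowlist (hypothetical, not Iron.sh's code)."""

    def __init__(self, mode="warn"):
        self.mode = mode      # "warn" or "enforce"
        self.hosts = set()    # exact names or "*.suffix" wildcards
        self.networks = []    # single IPs are stored as /32 or /128 networks

    def add_host(self, host):
        # Mirrors --host, which takes either a hostname or a raw IP address.
        try:
            self.networks.append(ipaddress.ip_network(host))
        except ValueError:
            self.hosts.add(host.lower().rstrip("."))

    def add_cidr(self, cidr):
        self.networks.append(ipaddress.ip_network(cidr, strict=False))

    def _host_matches(self, name):
        name = name.lower().rstrip(".")
        for rule in self.hosts:
            # Assumption: "*.example.org" covers subdomains but not the apex.
            if rule.startswith("*.") and name.endswith(rule[1:]) and name != rule[1:]:
                return True
            if name == rule:
                return True
        return False

    def decide(self, dst_ip, dst_port, hostname=None):
        """Return "allow", "warn" (permitted, logged as a violation) or "deny"."""
        if dst_port == SSH_PORT:
            hostname = None   # SSH exposes no hostname; only IP/CIDR rules can match
        addr = ipaddress.ip_address(dst_ip)
        allowed = any(addr in net for net in self.networks)
        if not allowed and hostname:
            allowed = self._host_matches(hostname)
        if allowed:
            return "allow"
        return "deny" if self.mode == "enforce" else "warn"


def build_example_policy(mode):
    # Rules taken from the commands and default groups shown on this page.
    policy = EgressPolicy(mode)
    for host in ("api.github.com", "pypi.org", "*.pythonhosted.org", "203.0.113.42"):
        policy.add_host(host)
    policy.add_cidr("10.0.0.0/8")
    return policy
```

In this model an SSH connection to a host that is allowlisted only by name is still denied under enforce, and becomes allowed once a CIDR range covering its resolved address is added.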
ICMP
ICMP (ping and related diagnostics) is always permitted and is not subject to egress rules.
Footnotes
[1] Outbound SSH destinations must be whitelisted by IP address or CIDR range, not by domain. The SSH client resolves DNS before making the TCP connection, so the bridge only ever sees an IP address for SSH traffic.