Networking and Ports
Sandbox networking has two parts:
- outbound egress policy for the sandbox
- explicit public HTTP preview ports
Egress policy
Section titled “Egress policy”Set egress policy when creating the sandbox:
curl https://api.watasu.io/v1/sandboxes \ -H "Authorization: Bearer $WATASU_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "team": "acme", "template_id": "base", "timeout": 3600, "allow_internet_access": true, "allow_package_registry_access": true, "allow_public_traffic": true }'Common fields:
| Field | What it controls |
|---|---|
allow_internet_access | General outbound internet access from the sandbox. |
allow_package_registry_access | Package-registry egress for package managers and language ecosystems. |
allow_public_traffic | Whether the sandbox contract allows public preview traffic. |
allow_out | Hostnames or CIDRs the sandbox can reach. |
deny_out | Hostnames or CIDRs the sandbox cannot reach. |
egress_profile / egress_profiles | Named platform egress profiles, such as package registries. |
Sandbox limits include the default network class for new sandboxes.
Update egress policy
Section titled “Update egress policy”Replace the network policy for a running sandbox with PUT /v1/sandboxes/:id/network:
curl -X PUT https://api.watasu.io/v1/sandboxes/123/network \ -H "Authorization: Bearer $WATASU_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "allow_internet_access": false, "allow_package_registry_access": true, "allow_out": ["pypi.org:443", "registry.npmjs.org:443"], "deny_out": ["169.254.169.254"] }'The update is persisted in the control plane and applied to the live runtime firewall. If the runtime dispatcher is temporarily unavailable, Watasu records the desired policy and retries the runtime apply through the sandbox operation worker.
await sbx.updateNetwork({ allowInternetAccess: false, allowPackageRegistryAccess: true, allowOut: ["pypi.org:443", "registry.npmjs.org:443"], denyOut: ["169.254.169.254"],})sbx.update_network( allow_internet_access=False, allow_package_registry_access=True, allow_out=["pypi.org:443", "registry.npmjs.org:443"], deny_out=["169.254.169.254"],)Expose a public HTTP port
Section titled “Expose a public HTTP port”List public ports when creating the sandbox:
curl https://api.watasu.io/v1/sandboxes \ -H "Authorization: Bearer $WATASU_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "team": "acme", "template_id": "base", "timeout": 3600, "allow_public_traffic": true, "exposed_ports": [ { "port": 3000, "protocol": "http", "public": true } ] }'After the sandbox is ready, inspect the port:
curl https://api.watasu.io/v1/sandboxes/123/ports/3000 \ -H "Authorization: Bearer $WATASU_API_KEY"The response includes the public host, URL, protocol, public flag, and gateway status.
Public sandbox HTTP URLs use this shape:
https://p<port>-<route-token>.sandbox.watasuhost.comFor example:
https://p3000-ab12cd34ef56gh78ij90kl12.sandbox.watasuhost.comRun your service inside the sandbox on the exposed port, then open the public URL in a browser or use it from your automation.
Data-plane API URL
Section titled “Data-plane API URL”The sandbox data-plane API uses the route-token hostname:
https://<route-token>.sandbox.watasuhost.comUse the data-plane URL together with the access token returned by POST /v1/sandboxes or POST /v1/sandboxes/:id/resume for file, directory, and streaming process operations. connect remains available as an alias. See Files and Processes.