Add network configuration documentation for PR #1016 (#60)

Co-authored-by: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>
Co-authored-by: Jakub Dobry <[email protected]>

Author: mintlify[bot]

docs/sandbox/internet-access.mdx

@@ -31,6 +31,113 @@ isolated_sandbox = Sandbox.create(allow_internet_access=False)
 
 When internet access is disabled, the sandbox cannot make outbound network connections, which provides an additional layer of security for sensitive code execution.
 
+<Note>
+Setting `allowInternetAccess` to `false` is equivalent to setting `network.denyOut` to `['0.0.0.0/0']` (denying all traffic).
+</Note>
+
+## Fine-grained network control
+
+For more granular control over network access, you can use the `network` configuration option to specify allow and deny lists for outbound traffic.
+
+### Allow and deny lists
+
+You can specify IP addresses or CIDR blocks that the sandbox can or cannot connect to:
+
+<CodeGroup>
+```js JavaScript & TypeScript
+import { Sandbox, ALL_TRAFFIC } from '@e2b/code-interpreter'
+
+// Deny all traffic except specific IPs
+const sandbox = await Sandbox.create({
+  network: {
+    denyOut: [ALL_TRAFFIC],
+    allowOut: ['1.1.1.1', '8.8.8.0/24']
+  }
+})
+
+// Deny specific IPs only
+const restrictedSandbox = await Sandbox.create({
+  network: {
+    denyOut: ['8.8.8.8']
+  }
+})
+```
+```python Python
+from e2b_code_interpreter import Sandbox, ALL_TRAFFIC
+
+# Deny all traffic except specific IPs
+sandbox = Sandbox.create(
+    network={
+        "deny_out": [ALL_TRAFFIC],
+        "allow_out": ["1.1.1.1", "8.8.8.0/24"]
+    }
+)
+
+# Deny specific IPs only
+restricted_sandbox = Sandbox.create(
+    network={
+        "deny_out": ["8.8.8.8"]
+    }
+)
+```
+</CodeGroup>
+
+### Priority rules
+
+When both `allowOut` and `denyOut` are specified, **allow rules always take precedence** over deny rules. This means if an IP address is in both lists, it will be allowed.
+
+<CodeGroup>
+```js JavaScript & TypeScript
+import { Sandbox, ALL_TRAFFIC } from '@e2b/code-interpreter'
+
+// Even though ALL_TRAFFIC is denied, 1.1.1.1 and 8.8.8.8 are explicitly allowed
+const sandbox = await Sandbox.create({
+  network: {
+    denyOut: [ALL_TRAFFIC],
+    allowOut: ['1.1.1.1', '8.8.8.8']
+  }
+})
+```
+```python Python
+from e2b_code_interpreter import Sandbox, ALL_TRAFFIC
+
+# Even though ALL_TRAFFIC is denied, 1.1.1.1 and 8.8.8.8 are explicitly allowed
+sandbox = Sandbox.create(
+    network={
+        "deny_out": [ALL_TRAFFIC],
+        "allow_out": ["1.1.1.1", "8.8.8.8"]
+    }
+)
+```
+</CodeGroup>
+
+### ALL_TRAFFIC helper
+
+The `ALL_TRAFFIC` constant represents the CIDR range `0.0.0.0/0`, which matches all IP addresses. Use it to easily deny or allow all network traffic:
+
+<CodeGroup>
+```js JavaScript & TypeScript
+import { Sandbox, ALL_TRAFFIC } from '@e2b/code-interpreter'
+
+// Deny all outbound traffic
+const sandbox = await Sandbox.create({
+  network: {
+    denyOut: [ALL_TRAFFIC]
+  }
+})
+```
+```python Python
+from e2b_code_interpreter import Sandbox, ALL_TRAFFIC
+
+# Deny all outbound traffic
+sandbox = Sandbox.create(
+    network={
+        "deny_out": [ALL_TRAFFIC]
+    }
+)
+```
+</CodeGroup>
+
 ## Sandbox public URL
 Every sandbox has a public URL that can be used to access running services inside the sandbox.
 
@@ -68,6 +175,76 @@ https://3000-i62mff4ahtrdfdkyn2esc.e2b.app
 
 The first leftmost part of the host is the port number we passed to the method.
 
+## Restricting public access to sandbox URLs
+
+By default, sandbox URLs are publicly accessible. You can restrict access to require authentication using the `allowPublicTraffic` option:
+
+<CodeGroup>
+```js JavaScript & TypeScript
+import { Sandbox } from '@e2b/code-interpreter'
+
+// Create sandbox with restricted public access
+const sandbox = await Sandbox.create({
+  network: {
+    allowPublicTraffic: false
+  }
+})
+
+// The sandbox has a traffic access token
+console.log(sandbox.trafficAccessToken)
+
+// Start a server inside the sandbox
+await sandbox.commands.run('python -m http.server 8080', { background: true })
+
+const host = sandbox.getHost(8080)
+const url = `https://${host}`
+
+// Request without token will fail with 403
+const response1 = await fetch(url)
+console.log(response1.status) // 403
+
+// Request with token will succeed
+const response2 = await fetch(url, {
+  headers: {
+    'e2b-traffic-access-token': sandbox.trafficAccessToken
+  }
+})
+console.log(response2.status) // 200
+```
+```python Python
+import requests
+from e2b_code_interpreter import Sandbox
+
+# Create sandbox with restricted public access
+sandbox = Sandbox.create(
+    network={
+        "allow_public_traffic": False
+    }
+)
+
+# The sandbox has a traffic access token
+print(sandbox.traffic_access_token)
+
+# Start a server inside the sandbox
+sandbox.commands.run("python -m http.server 8080", background=True)
+
+host = sandbox.get_host(8080)
+url = f"https://{host}"
+
+# Request without token will fail with 403
+response1 = requests.get(url)
+print(response1.status_code)  # 403
+
+# Request with token will succeed
+response2 = requests.get(url, headers={
+    'e2b-traffic-access-token': sandbox.traffic_access_token
+})
+print(response2.status_code)  # 200
+```
+</CodeGroup>
+
+When `allowPublicTraffic` is set to `false`, all requests to the sandbox's public URLs must include the `e2b-traffic-access-token` header with the value from `sandbox.trafficAccessToken`.
+
 ## Connecting to a server running inside the sandbox
 You can start a server inside the sandbox and connect to it using the approach above.
 
@@ -94,6 +271,7 @@ console.log('Response from server inside sandbox:', data);
 await process.kill()
 ```
 ```python Python
+import requests
 from e2b_code_interpreter import Sandbox
 
 sandbox = Sandbox.create()
@@ -105,16 +283,15 @@ url = f"https://{host}"
 print('Server started at:', url)
 
 # Fetch data from the server inside the sandbox.
-response = sandbox.commands.run(f"curl {url}")
-data = response.stdout
-print("Response from server inside sandbox:", data)
+response = requests.get(url)
+data = response.text
+print('Response from server inside sandbox:', data)
 
 # Kill the server process inside the sandbox.
 process.kill()
 ```
 </CodeGroup>
 
-
 This output will look like this:
 <CodeGroup>
 ```bash JavaScript & TypeScript
@@ -158,3 +335,39 @@ Response from server inside sandbox: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0
 </html>
 ```
 </CodeGroup>
+
+
+## Masking request host headers
+
+You can customize the `Host` header that gets sent to services running inside the sandbox using the `maskRequestHost` option. This is useful when your application expects a specific host format.
+
+<CodeGroup>
+```js JavaScript & TypeScript
+import { Sandbox } from '@e2b/code-interpreter'
+
+// Create sandbox with custom host masking
+const sandbox = await Sandbox.create({
+  network: {
+    maskRequestHost: 'localhost:${PORT}'
+  }
+})
+
+// The ${PORT} variable will be replaced with the actual port number
+// Requests to the sandbox will have Host header set to for example: localhost:8080
+```
+```python Python
+from e2b_code_interpreter import Sandbox
+
+# Create sandbox with custom host masking
+sandbox = Sandbox.create(
+    network={
+        "mask_request_host": "localhost:${PORT}"
+    }
+)
+
+# The ${PORT} variable will be replaced with the actual port number
+# Requests to the sandbox will have Host header set to for example: localhost:8080
+```
+</CodeGroup>
+
+The `${PORT}` variable in the mask will be automatically replaced with the actual port number of the requested service.