e2b-dev · levb · Mar 8, 2026 · Mar 8, 2026 · Mar 8, 2026 · Mar 8, 2026
@@ -502,6 +502,16 @@ func validateNetworkConfig(network *api.SandboxNetworkConfig) *api.APIError {
 	}
 
 	denyOut := sharedUtils.DerefOrDefault(network.DenyOut, nil)
+	allowOut := sharedUtils.DerefOrDefault(network.AllowOut, nil)
+
+	return validateEgressRules(allowOut, denyOut)
+}
+
+// validateEgressRules validates egress allow/deny rules:
+// - denyOut entries must be valid IPs or CIDRs (not domains)
+// - allowOut entries must be valid IPs, CIDRs, or domain names
+// - when allowOut contains domains, denyOut must include 0.0.0.0/0
+func validateEgressRules(allowOut, denyOut []string) *api.APIError {
 	for _, cidr := range denyOut {
 		if !sandbox_network.IsIPOrCIDR(cidr) {
 			return &api.APIError{
@@ -512,16 +522,30 @@ func validateNetworkConfig(network *api.SandboxNetworkConfig) *api.APIError {
 		}
 	}
 
-	// Validate that allow out rules have corresponding deny out rules
-	allowOut := sharedUtils.DerefOrDefault(network.AllowOut, nil)
 	if len(allowOut) > 0 {
 		_, allowedDomains := sandbox_network.ParseAddressesAndDomains(allowOut)
 
-		// Check if DenyOut contains block-all CIDR
+		for _, domain := range allowedDomains {
+			// Strip wildcard prefix for IDNA validation (*.example.com → example.com).
+			// The "*" label is not a valid IDNA label, but we support it as a wildcard.
+			validateDomain := domain
+			if strings.HasPrefix(domain, "*.") {
+				validateDomain = domain[2:]
+			}
+
+			if validateDomain != "*" {
+				if _, err := idna.Lookup.ToASCII(validateDomain); err != nil {
+					return &api.APIError{
+						Code:      http.StatusBadRequest,
+						Err:       fmt.Errorf("invalid allowed domain %q: %w", domain, err),
+						ClientMsg: fmt.Sprintf("invalid allowed domain: %s", domain),
+					}
+				}
+			}
+		}
+
 		hasBlockAll := slices.Contains(denyOut, sandbox_network.AllInternetTrafficCIDR)
 
-		// When specifying domains, require block-all CIDR in DenyOut
-		// Without this, domain filtering is meaningless (traffic is allowed by default)
 		if len(allowedDomains) > 0 && !hasBlockAll {
 			return &api.APIError{
 				Code:      http.StatusBadRequest,

@@ -0,0 +1,63 @@
+package handlers
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+
+	"github.com/e2b-dev/infra/packages/api/internal/api"
+	"github.com/e2b-dev/infra/packages/api/internal/utils"
+	"github.com/e2b-dev/infra/packages/auth/pkg/auth"
+	"github.com/e2b-dev/infra/packages/shared/pkg/telemetry"
+)
+
+func (a *APIStore) PutSandboxesSandboxIDNetwork(
+	c *gin.Context,
+	sandboxID string,
+) {
+	ctx := c.Request.Context()
+
+	var err error
+	sandboxID, err = utils.ShortID(sandboxID)
+	if err != nil {
+		a.sendAPIStoreError(c, http.StatusBadRequest, "Invalid sandbox ID")
+
+		return
+	}
+
+	team := auth.MustGetTeamInfo(c)
+
+	body, err := utils.ParseBody[api.PutSandboxesSandboxIDNetworkJSONBody](ctx, c)
+	if err != nil {
+		a.sendAPIStoreError(c, http.StatusBadRequest, fmt.Sprintf("Error when parsing request: %s", err))
+		telemetry.ReportCriticalError(ctx, "error when parsing request", err)
+
+		return
+	}
+
+	var allowedEntries []string
+	if body.AllowOut != nil {
+		allowedEntries = *body.AllowOut
+	}
+
+	var deniedEntries []string
+	if body.DenyOut != nil {
+		deniedEntries = *body.DenyOut
+	}
+
+	if apiErr := validateEgressRules(allowedEntries, deniedEntries); apiErr != nil {
+		a.sendAPIStoreError(c, apiErr.Code, apiErr.ClientMsg)
+
+		return
+	}
+
+	if apiErr := a.orchestrator.UpdateSandboxNetworkConfig(ctx, team.ID, sandboxID, allowedEntries, deniedEntries); apiErr != nil {
+		telemetry.ReportErrorByCode(ctx, apiErr.Code, "error updating sandbox network config", apiErr.Err)
+		a.sendAPIStoreError(c, apiErr.Code, apiErr.ClientMsg)
+
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
@@ -31,6 +31,24 @@ import (
 	ut "github.com/e2b-dev/infra/packages/shared/pkg/utils"
 )
 
+// buildEgressConfig constructs the orchestrator egress configuration from
+// allow/deny entry lists. It splits allowed entries into CIDRs and domains,
+// and adds the default nameserver when domains are present so the sandbox can
+// resolve them.
+func buildEgressConfig(allowedEntries, deniedEntries []string) *orchestrator.SandboxNetworkEgressConfig {
+	allowedAddresses, allowedDomains := sandbox_network.ParseAddressesAndDomains(allowedEntries)
+
+	if len(allowedDomains) > 0 {
+		allowedAddresses = append(allowedAddresses, sandbox_network.DefaultNameserver)
+	}
+
+	return &orchestrator.SandboxNetworkEgressConfig{
+		AllowedCidrs:   sandbox_network.AddressStringsToCIDRs(allowedAddresses),
+		DeniedCidrs:    sandbox_network.AddressStringsToCIDRs(deniedEntries),
+		AllowedDomains: allowedDomains,
+	}
+}
+
 // buildNetworkConfig constructs the orchestrator network configuration from the input parameters
 func buildNetworkConfig(network *types.SandboxNetworkConfig, allowInternetAccess *bool, trafficAccessToken *string) *orchestrator.SandboxNetworkConfig {
 	orchNetwork := &orchestrator.SandboxNetworkConfig{
@@ -40,21 +58,8 @@ func buildNetworkConfig(network *types.SandboxNetworkConfig, allowInternetAccess
 		},
 	}
 
-	// Copy network configuration if provided
 	if network != nil && network.Egress != nil {
-		// Split allowed addresses into CIDRs/IPs and domains for the orchestrator
-		allowedAddresses, allowedDomains := sandbox_network.ParseAddressesAndDomains(network.Egress.AllowedAddresses)
-
-		// If allowed domain is provided, add the default nameserver to the allowed addresses
-		// This is to ensure that the sandbox can resolve the domain name to the IP address
-		if len(allowedDomains) > 0 {
-			allowedAddresses = append(allowedAddresses, sandbox_network.DefaultNameserver)
-		}
-
-		orchNetwork.Egress.AllowedCidrs = sandbox_network.AddressStringsToCIDRs(allowedAddresses)
-		orchNetwork.Egress.AllowedDomains = allowedDomains
-
-		orchNetwork.Egress.DeniedCidrs = sandbox_network.AddressStringsToCIDRs(network.Egress.DeniedAddresses)
+		orchNetwork.Egress = buildEgressConfig(network.Egress.AllowedAddresses, network.Egress.DeniedAddresses)
 	}
 
 	if network != nil && network.Ingress != nil {
@@ -64,7 +69,6 @@ func buildNetworkConfig(network *types.SandboxNetworkConfig, allowInternetAccess
 	// Handle the case where internet access is explicitly disabled
 	// This should be applied after copying the network config to preserve allowed addresses
 	if allowInternetAccess != nil && !*allowInternetAccess {
-		// Block all internet access - this overrides any other blocked addresses
 		orchNetwork.Egress.DeniedCidrs = []string{sandbox_network.AllInternetTrafficCIDR}
 	}
 

@@ -0,0 +1,113 @@
+package orchestrator
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/google/uuid"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/trace"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	"github.com/e2b-dev/infra/packages/api/internal/api"
+	"github.com/e2b-dev/infra/packages/api/internal/sandbox"
+	"github.com/e2b-dev/infra/packages/api/internal/utils"
+	"github.com/e2b-dev/infra/packages/db/pkg/types"
+	orchestratorgrpc "github.com/e2b-dev/infra/packages/shared/pkg/grpc/orchestrator"
+	"github.com/e2b-dev/infra/packages/shared/pkg/telemetry"
+)
+
+func (o *Orchestrator) UpdateSandboxNetworkConfig(
+	ctx context.Context,
+	teamID uuid.UUID,
+	sandboxID string,
+	allowedEntries []string,
+	deniedEntries []string,
+) *api.APIError {
+	egress := buildEgressConfig(allowedEntries, deniedEntries)
+
+	updateFunc := func(sbx sandbox.Sandbox) (sandbox.Sandbox, error) {
+		if sbx.State != sandbox.StateRunning {
+			return sbx, &sandbox.NotRunningError{SandboxID: sandboxID, State: sbx.State}
+		}
+
+		if sbx.Network == nil {
+			sbx.Network = &types.SandboxNetworkConfig{}
+		}
+
+		sbx.Network.Egress = &types.SandboxNetworkEgressConfig{
+			AllowedAddresses: allowedEntries,
+			DeniedAddresses:  deniedEntries,
+		}
+
+		return sbx, nil
+	}
+
+	var sbxNotFoundErr *sandbox.NotFoundError
+	var sbxNotRunningErr *sandbox.NotRunningError
+
+	sbx, err := o.sandboxStore.Update(ctx, teamID, sandboxID, updateFunc)
+	if err != nil {
+		switch {
+		case errors.As(err, &sbxNotRunningErr):
+			return &api.APIError{Code: http.StatusConflict, ClientMsg: utils.SandboxChangingStateMsg(sandboxID, sbxNotRunningErr.State), Err: err}
+		case errors.As(err, &sbxNotFoundErr):
+			return &api.APIError{Code: http.StatusNotFound, ClientMsg: utils.SandboxNotFoundMsg(sandboxID), Err: err}
+		default:
+			return &api.APIError{Code: http.StatusInternalServerError, ClientMsg: "Error updating sandbox network config", Err: err}
+		}
+	}
+
+	// Apply the network update on the orchestrator node.
+	return o.updateSandboxNetworkOnNode(ctx, sbx, egress)
+}
+
+func (o *Orchestrator) updateSandboxNetworkOnNode(
+	ctx context.Context,
+	sbx sandbox.Sandbox,
+	egress *orchestratorgrpc.SandboxNetworkEgressConfig,
+) *api.APIError {
+	ctx, span := tracer.Start(ctx, "update-sandbox-network-on-node",
+		trace.WithAttributes(
+			attribute.String("instance.id", sbx.SandboxID),
+		),
+	)
+	defer span.End()
+
+	node := o.GetNode(sbx.ClusterID, sbx.NodeID)
+	if node == nil {
+		return &api.APIError{
+			Code:      http.StatusInternalServerError,
+			ClientMsg: fmt.Sprintf("Node hosting sandbox '%s' not found", sbx.SandboxID),
+			Err:       fmt.Errorf("node '%s' not found for cluster '%s'", sbx.NodeID, sbx.ClusterID),
+		}
+	}
+
+	client, ctx := node.GetClient(ctx)
+	_, err := client.Sandbox.Update(ctx, &orchestratorgrpc.SandboxUpdateRequest{
+		SandboxId: sbx.SandboxID,
+		Egress:    egress,
+	})
+	if err != nil {
+		grpcErr, ok := status.FromError(err)
+		if ok && grpcErr.Code() == codes.NotFound {
+			return &api.APIError{Code: http.StatusNotFound, ClientMsg: utils.SandboxNotFoundMsg(sbx.SandboxID), Err: err}
+		}
+
+		err = utils.UnwrapGRPCError(err)
+		telemetry.ReportCriticalError(ctx, "failed to update sandbox network on node", err)
+
+		return &api.APIError{
+			Code:      http.StatusInternalServerError,
+			ClientMsg: "Error applying network config to sandbox",
+			Err:       fmt.Errorf("failed to update sandbox network on node: %w", err),
+		}
+	}
+
+	telemetry.ReportEvent(ctx, "Updated sandbox network on node")
+
+	return nil
+}
@@ -195,13 +195,12 @@ func BenchmarkBaseImageLaunch(b *testing.B) {
 	})
 
 	accessToken := "access-token"
-	sandboxConfig := sandbox.Config{
+	sandboxConfig := &sandbox.Config{
 		BaseTemplateID:  templateID,
 		Vcpu:            2,
 		RamMB:           512,
 		TotalDiskSizeMB: 2 * 1024,
 		HugePages:       useHugePages,
-		Network:         sbxNetwork,
 		Envd: sandbox.EnvdMetadata{
 			Vars:        map[string]string{"HELLO": "WORLD"},
 			AccessToken: &accessToken,
@@ -212,6 +211,7 @@ func BenchmarkBaseImageLaunch(b *testing.B) {
 			FirecrackerVersion: fcVersion,
 		},
 	}
+	sandboxConfig.SetNetwork(sbxNetwork)
 
 	runtime := sandbox.RuntimeMetadata{
 		TemplateID:  templateID,
@@ -348,7 +348,7 @@ type testContainer struct {
 	testType       testCycle
 	sandboxFactory *sandbox.Factory
 	tmpl           template.Template
-	sandboxConfig  sandbox.Config
+	sandboxConfig  *sandbox.Config
 	runtime        sandbox.RuntimeMetadata
 }
 

@@ -260,7 +260,7 @@ type runner struct {
 	factory    *sandbox.Factory
 	sandboxes  *sandbox.Map
 	tmpl       template.Template
-	sbxConfig  sandbox.Config
+	sbxConfig  *sandbox.Config
 	buildID    string
 	cache      *template.Cache
 	coldStart  bool
@@ -1091,18 +1091,18 @@ func run(ctx context.Context, buildID string, iterations int, coldStart, noPrefe
 		noPrefetch: noPrefetch,
 		config:     config.BuilderConfig,
 		storage:    persistence,
-		sbxConfig: sandbox.Config{
+		sbxConfig: &sandbox.Config{
 			BaseTemplateID: buildID,
 			Vcpu:           1,
 			RamMB:          512,
-			Network:        &orchestrator.SandboxNetworkConfig{},
 			Envd:           sandbox.EnvdMetadata{Vars: map[string]string{}, AccessToken: &token, Version: "1.0.0"},
 			FirecrackerConfig: fc.Config{
 				KernelVersion:      meta.Template.KernelVersion,
 				FirecrackerVersion: meta.Template.FirecrackerVersion,
 			},
 		},
 	}
+	r.sbxConfig.SetNetwork(&orchestrator.SandboxNetworkConfig{})
 
 	if runOpts.enabled() {
 		return r.cmdMode(ctx, runOpts)

@@ -107,22 +107,26 @@ func TestSmokeAllFCVersions(t *testing.T) { //nolint:paralleltest // subtests sh
 			sbx, err := infra.factory.ResumeSandbox(
 				ctx,
 				tmpl,
-				sandbox.Config{
-					BaseTemplateID: "smoke-" + fcMajor,
-					Vcpu:           2,
-					RamMB:          512,
-					HugePages:      true,
-					Network:        &orchestrator.SandboxNetworkConfig{},
-					Envd: sandbox.EnvdMetadata{
-						Vars:        map[string]string{},
-						AccessToken: &token,
-						Version:     "1.0.0",
-					},
-					FirecrackerConfig: fc.Config{
-						KernelVersion:      meta.Template.KernelVersion,
-						FirecrackerVersion: meta.Template.FirecrackerVersion,
-					},
-				},
+				func() *sandbox.Config {
+					cfg := &sandbox.Config{
+						BaseTemplateID: "smoke-" + fcMajor,
+						Vcpu:           2,
+						RamMB:          512,
+						HugePages:      true,
+						Envd: sandbox.EnvdMetadata{
+							Vars:        map[string]string{},
+							AccessToken: &token,
+							Version:     "1.0.0",
+						},
+						FirecrackerConfig: fc.Config{
+							KernelVersion:      meta.Template.KernelVersion,
+							FirecrackerVersion: meta.Template.FirecrackerVersion,
+						},
+					}
+					cfg.SetNetwork(&orchestrator.SandboxNetworkConfig{})
+
+					return cfg
+				}(),
 				sandbox.RuntimeMetadata{
 					TemplateID:  "smoke-" + fcMajor,
 					TeamID:      "smoke",