The Model Context Protocol has a reach problem. MCP servers are the connectors that let AI agents talk to external systems — files, databases, internal tools. For many enterprise workflows, those servers sit behind a firewall. You can’t expose them to the internet, but you also need your agent to reach them.
The standard solution was to punch a hole. Expose the server, add auth, call it done. The MCP RCE vulnerability research from April 2026 made clear exactly how dangerous that hole could become — a compromised or malicious server has a direct path to credential theft if it can read your .env files.
Anthropic’s answer, shipped at Code with Claude London in mid-May 2026, is a feature called MCP tunnels. It’s now in research preview for Managed Agents and the Messages API.
The Core Architecture: Outbound Only
The design principle is stated simply: the agent never holds the credentials for your private network, and no inbound firewall rules are needed.
Here’s how it works in practice. You deploy a lightweight gateway — Anthropic calls it a tunnel server — inside your network, adjacent to the MCP servers you want to expose. That gateway opens one outbound mTLS connection to Anthropic’s infrastructure. This connection is persistent and outbound-only from your network’s perspective. Nothing needs to be opened on your firewall because the connection originates from inside.
When Claude wants to call a private MCP server, the request flows through this established tunnel. The agent reaches the tunnel endpoint at anthropic.com, which forwards the request through the already-open mTLS connection to your gateway, which forwards it to the local MCP server. The server responds the same way in reverse.
Claude (externally) → anthropic.com → outbound mTLS tunnel → your gateway → private MCP server
The security properties here are meaningful:
- No inbound ports exposed — your firewall sees only outbound traffic
- No long-lived credentials on the agent side — the agent authenticates to Anthropic, not to your network
- mTLS between Anthropic and your gateway — the tunnel itself is encrypted and mutually authenticated
- Policy enforcement at the gateway — the gateway controls which MCP servers and methods are reachable
This is architecturally cleaner than VPN solutions for the agent use case. A VPN gives an agent full network access to your internal network. A tunnel gateway gives an agent specific, controlled access to specific MCP servers.
Why This Matters for Multi-Agent Pipelines
For someone building a multi-agent pipeline like Aniket’s ACO System — where a PM agent talks to a Planner, which talks to an Architect, which talks to a Developer, which talks to a QA agent — the MCP tunnel architecture has a direct implication.
Right now, many agent pipelines operate by giving agents shared filesystem access or a shared tool server with credentials baked into environment variables. If one agent in the chain is compromised or fed a malicious prompt, those credentials are exposed. This is the exact vulnerability chain documented in the April 2026 OX Security disclosure.
With MCP tunnels, the architecture shifts from credential-sharing to credential-proxying. Each agent in the pipeline talks to a tunnel gateway that proxies to the specific tools it needs. The agent never holds the credentials — the gateway does, and it enforces which methods can be called. This is a more granular security model than “all-or-nothing” filesystem or environment variable access.
For production agent pipelines, this changes what’s auditable. You can log which agent called which tool through the tunnel, even if you can’t see the full prompt content. That’s a meaningful improvement over agents that share a single set of credentials with no per-agent call tracing.
The Self-Hosted Sandbox Piece
The second feature shipped at Code with Claude London was self-hosted sandboxes, now in public beta for Managed Agents. Where MCP tunnels solve the connectivity problem, sandboxes solve the execution isolation problem.
The sandbox runtime lets you define exactly which directories and network resources a Managed Agent can access. This is the execution context — not the connectivity layer. An agent running in a sandbox can be given access to an MCP tunnel endpoint but nothing else on your network.
The combination is: sandbox = what an agent can do (execution permissions), tunnel = how it reaches things (connectivity). They’re separate layers that compose together.
The Picture That’s Emerging
What Anthropic is building with this release is an agent platform with layered security primitives: sandboxes for execution isolation, tunnels for private network access, and MCP for tool interoperability. These address three distinct threat surfaces — malicious execution, credential exposure, and lateral movement.
The MCP ecosystem is now at 9,400+ published servers in registries as of Q2 2026, up 58% from Q1. That’s a massive surface area, and the security primitives are finally catching up to the complexity of what people are building with it.
The tunnel architecture is a particularly clean solution — not because it’s the only possible approach, but because it enforces the principle of least privilege at the network layer rather than relying on individual MCP servers to secure themselves. For anyone building multi-agent pipelines that need to access private infrastructure, this is worth designing around.