Network Policies for AI Agents: Controlling Outbound Traffic
AI agents with unrestricted network access can exfiltrate data, contact command-and-control servers, access cloud metadata endpoints, or make unauthorized API calls to external services. SafeClaw by Authensor enforces network policies at the action level: every outbound request is evaluated against a domain allowlist before execution, and any request to a domain not explicitly permitted is denied. Because the policy is deny-by-default, agents have zero network access until you grant it.
Quick Start
npx @authensor/safeclaw
Domain Allowlisting
Define exactly which domains an agent can contact:
version: "1.0"
description: "Network-controlled agent policy"
rules:
  # LLM API endpoints
  - action: network.request
    domain: "api.anthropic.com"
    effect: allow
    reason: "Claude API access"
  - action: network.request
    domain: "api.openai.com"
    effect: allow
    reason: "OpenAI API access"
  # Internal services
  - action: network.request
    domain: "*.internal.company.com"
    effect: allow
    reason: "Internal service mesh"
  # Package registries
  - action: network.request
    domain: "registry.npmjs.org"
    effect: allow
    reason: "NPM package resolution"
  # Block everything else
  - action: network.request
    domain: "*"
    effect: deny
    reason: "Unauthorized outbound domain"
  - action: "*"
    effect: deny
    reason: "Default deny"
Blocking Common Attack Vectors
Cloud Metadata SSRF
Cloud metadata endpoints (169.254.169.254 on AWS/GCP/Azure) expose instance credentials. Block them explicitly:
  - action: network.request
    domain: "169.254.169.254"
    effect: deny
    reason: "Block cloud metadata SSRF"
  - action: network.request
    domain: "metadata.google.internal"
    effect: deny
    reason: "Block GCP metadata endpoint"
Data Exfiltration via DNS
Agents can encode data in DNS queries or post it to public callback endpoints. Block the tunnel and request-capture services that are commonly used as exfiltration sinks:
  - action: network.request
    domain: "*.ngrok.io"
    effect: deny
    reason: "Block tunnel services used for exfiltration"
  - action: network.request
    domain: "*.requestbin.com"
    effect: deny
    reason: "Block request inspection services"
  - action: network.request
    domain: "*.webhook.site"
    effect: deny
    reason: "Block webhook capture services"
  - action: network.request
    domain: "*.burpcollaborator.net"
    effect: deny
    reason: "Block security testing callback services"
Unauthorized API Calls
Prevent agents from contacting services outside their scope:
  # Block social media APIs
  - action: network.request
    domain: "*.twitter.com"
    effect: deny
  - action: network.request
    domain: "*.facebook.com"
    effect: deny
  # Block email services (prevent agent-initiated emails)
  - action: network.request
    domain: "*.sendgrid.com"
    effect: deny
  - action: network.request
    domain: "smtp.*"
    effect: deny
Protocol-Level Controls
Restrict not just domains but methods and protocols:
  # Allow GET requests to documentation
  - action: network.request
    domain: "docs.company.com"
    method: "GET"
    effect: allow
    reason: "Read-only documentation access"
  # Block POST/PUT/DELETE to documentation
  - action: network.request
    domain: "docs.company.com"
    method: "POST"
    effect: deny
    reason: "No write access to documentation service"
Egress Rate Limiting
Prevent agents from flooding external services:
  - action: network.request
    domain: "api.anthropic.com"
    rateLimit:
      maxRequests: 60
      window: "1 minute"
    effect: allow
    reason: "Rate-limited Claude API access"
  - action: network.request
    domain: "api.openai.com"
    rateLimit:
      maxRequests: 30
      window: "1 minute"
    effect: allow
    reason: "Rate-limited OpenAI API access"
Network Audit Trail
Every network request decision is logged:
npx @authensor/safeclaw audit export \
--filter action=network.request \
--format json \
--since "24h"
Sample output:
{
  "timestamp": "2026-02-13T10:15:33.221Z",
  "action": "network.request",
  "target": "https://suspicious-endpoint.example.com/upload",
  "domain": "suspicious-endpoint.example.com",
  "effect": "deny",
  "matchedRule": "catch-all-deny",
  "reason": "Unauthorized outbound domain"
}
This provides forensic evidence for investigating data exfiltration attempts.
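The following is an added example, not SafeClaw's own code: a small evaluator that applies the kind of network.request rules shown in the allowlisting, metadata SSRF, method and rate-limiting sections above and emits an audit entry shaped like the sample output. It assumes (the page does not state this) that rules are checked top to bottom with first match winning, that "*" in a domain pattern matches one or more DNS labels, and that a rate limit is a per-domain sliding window; the rule ids are hypothetical labels.

```javascript
// Added example, not SafeClaw's own code. Assumptions (not stated by the
// page): rules are checked top to bottom and the first match wins; "*" in a
// domain pattern matches one or more DNS labels; rateLimit is a sliding window.

function domainMatches(pattern, host) {
  const parts = pattern.split("*").map(
    (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")); // escape regex metachars
  const re = parts.join("[^.]+(?:\\.[^.]+)*");         // "*" => one or more labels
  return new RegExp(`^${re}$`, "i").test(host);
}

const UNIT_MS = { second: 1000, minute: 60000, hour: 3600000 };
function windowMs(spec) {                              // "1 minute" -> 60000
  const [n, unit] = spec.trim().split(/\s+/);
  return Number(n) * UNIT_MS[unit.replace(/s$/, "")];
}

class NetworkPolicy {
  constructor(rules) { this.rules = rules; this.history = new Map(); }

  evaluate(url, method = "GET", now = Date.now()) {  // returns an audit entry
    const domain = new URL(url).hostname;
    const entry = { timestamp: new Date(now).toISOString(),
                    action: "network.request", target: url, domain };
    for (const rule of this.rules) {
      if (rule.action !== "network.request" && rule.action !== "*") continue;
      if (rule.domain !== undefined && !domainMatches(rule.domain, domain)) continue;
      if (rule.method && rule.method !== method.toUpperCase()) continue;
      let effect = rule.effect, reason = rule.reason;
      if (effect === "allow" && rule.rateLimit) {
        const win = windowMs(rule.rateLimit.window);
        const hits = (this.history.get(domain) || []).filter((t) => now - t < win);
        if (hits.length >= rule.rateLimit.maxRequests) {
          effect = "deny"; reason = `Rate limit exceeded for ${domain}`;
        } else hits.push(now);
        this.history.set(domain, hits);
      }
      return { ...entry, effect, matchedRule: rule.id ?? rule.domain ?? rule.action, reason };
    }
    // Deny-by-default: a request that matches no rule is never allowed.
    return { ...entry, effect: "deny", matchedRule: "implicit-deny", reason: "No matching rule" };
  }
}

// Constructed policy mirroring the page's rules (rule ids are hypothetical labels).
const policy = new NetworkPolicy([
  { id: "metadata-deny", action: "network.request", domain: "169.254.169.254", effect: "deny", reason: "Block cloud metadata SSRF" },
  { id: "claude", action: "network.request", domain: "api.anthropic.com", rateLimit: { maxRequests: 60, window: "1 minute" }, effect: "allow", reason: "Claude API access" },
  { id: "docs-read", action: "network.request", domain: "docs.company.com", method: "GET", effect: "allow", reason: "Read-only documentation access" },
  { id: "catch-all-deny", action: "network.request", domain: "*", effect: "deny", reason: "Unauthorized outbound domain" },
]);
```

Note that the deny rule for the metadata address sits above every allow rule; with first-match semantics, a deny placed after a broad allow would never be reached.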
Combining with Container Network Isolation
For maximum security, layer SafeClaw network policies with container-level isolation:
# Container: no network by default
docker run --network=none ...
# Then SafeClaw: explicit domain allowlist for any permitted connections
Where the container has no network at all, nothing can leave it regardless of policy. SafeClaw's network policies serve as a second line of defense in environments where the container does have network access (e.g., when agents need LLM API access).
Why SafeClaw
- 446 tests cover domain matching, wildcard resolution, and rate limit enforcement
- Deny-by-default gives agents zero network access until explicitly granted
- Sub-millisecond evaluation means network policy checks do not add latency
- Hash-chained audit trail logs every network request decision for forensic review
- Works with Claude AND OpenAI — network controls apply regardless of LLM backend
- MIT licensed — implement network policies without vendor dependencies
See Also
- Zero Trust Architecture for AI Agents
- Sandboxing AI Agents: Container Isolation Explained
- GDPR Compliance When Using AI Agents
- Multi-Tenant AI Agent Safety: Isolating Customer Workloads
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw