Cloudflare Blog·May 19, 2026

Cloudflare's Agent Infrastructure for AI: Sandboxes, Security, and Scalability

This article details Cloudflare's platform for running AI agents, focusing on the infrastructure that supports scalable, secure, and observable agent execution. It highlights the use of microVMs and V8 isolates for sandboxing, secure connectivity to private services, and integrated tooling for browser automation and email, enabling developers to build and deploy complex AI agent workflows efficiently.


Cloudflare has partnered with Anthropic to offer a managed environment for Claude AI agents, allowing developers to decouple the agent's 'brain' (core logic on Anthropic) from its 'hands' (execution infrastructure on Cloudflare). This architecture provides greater control over agent sandboxes, enhances security, and improves observability, addressing key challenges in deploying AI agents at scale.

Scalable Sandboxing for Agent Execution

A core aspect of Cloudflare's agent platform is its flexible sandboxing capabilities. Developers can choose between two primary execution environments:

  • MicroVMs (Cloudflare Containers): For agents requiring a full Linux environment, enabling them to run CLI tools, compile code, and behave like a human developer. These provide strong isolation but come with higher resource overhead.
  • V8 Isolates (Agents SDK / Dynamic Workers): For lightweight, high-concurrency tasks, offering millisecond boot times and significantly reduced infrastructure costs. Isolates suit bursty workloads and massive scale (tens of thousands of concurrent agents), especially when a full OS environment is not necessary.

Architectural Choice: MicroVMs vs. Isolates

The choice between microVMs and V8 isolates for sandboxing an AI agent's execution environment is a critical system design decision. MicroVMs provide full OS flexibility and strong isolation suitable for complex, stateful tasks, but incur higher latency and cost. V8 isolates offer superior performance and cost-efficiency for stateless or short-lived executions, making them ideal for high-scale, event-driven agent workflows. Understanding the agent's workload characteristics is crucial for selecting the appropriate sandbox technology to optimize for performance, cost, and security.

Enhanced Security and Connectivity

Cloudflare emphasizes security for agent workloads, particularly when agents need to interact with private services. Key security features include:

  • Outbound Proxies with Zero-Trust Authentication: All agent traffic can be routed through customizable proxies, allowing secure injection of credentials outside the sandbox, preventing data exfiltration, and enabling fine-grained egress policies.
  • Private Service Connectivity (Cloudflare Mesh/Workers VPC): Agents can securely connect to internal services hosted on private networks (AWS VPCs, on-premises) without exposing them to the internet. This uses post-quantum encrypted tunnels, eliminating the need for VPNs or bastion hosts.
  • Policy Enforcement: Egress policies can be applied per tenant, per agent, or based on custom metadata, giving full control over agent access to external and internal resources.
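
The decision an outbound proxy of this kind makes for each request can be sketched as follows. This is an added example, not code from Cloudflare or from the original article: the policy shape, the `decideEgress` function, the host names and the token are all constructed for illustration and do not correspond to a Cloudflare API.

```javascript
// Added example: hypothetical policy shape and names, not a Cloudflare API.
// Constructed policy: per-tenant allowlist plus per-agent additions.
const POLICIES = new Map([
  ["tenant-a", {
    allow: ["api.github.com", "*.internal.example"],
    agents: new Map([["build-bot", ["registry.npmjs.org"]]]),
  }],
]);

// Secrets are held by the proxy only, keyed by destination host (placeholder value).
const CREDENTIALS = new Map([["api.github.com", "Bearer PLACEHOLDER_TOKEN"]]);

// Headers the sandbox may never set itself; the proxy owns them.
const STRIPPED = new Set(["authorization", "cookie", "proxy-authorization"]);

// Exact host match, or "*.suffix" matching true subdomains only.
function hostMatches(pattern, host) {
  if (!pattern.startsWith("*.")) return pattern === host;
  const suffix = pattern.slice(1); // ".internal.example"
  return host.length > suffix.length && host.endsWith(suffix);
}

// Decide one outbound request. Default is deny; every denial carries a reason for logging.
function decideEgress({ tenant, agent, url, headers = {} }) {
  let target;
  try { target = new URL(url); } catch { return { allow: false, reason: "bad-url" }; }
  if (target.protocol !== "https:") return { allow: false, reason: "not-https" };
  if (target.username || target.password) return { allow: false, reason: "userinfo" };

  const policy = POLICIES.get(tenant);
  if (!policy) return { allow: false, reason: "unknown-tenant" };
  const host = target.hostname; // lowercased by the URL parser
  const patterns = [...policy.allow, ...(policy.agents.get(agent) ?? [])];
  if (!patterns.some((p) => hostMatches(p, host))) {
    return { allow: false, reason: "host-denied" };
  }

  // Discard credential headers from the sandbox, then inject the proxy's own.
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!STRIPPED.has(name.toLowerCase())) out[name] = value;
  }
  if (CREDENTIALS.has(host)) out.authorization = CREDENTIALS.get(host);
  return { allow: true, host, headers: out };
}
```

Because the credential is attached after the policy check and only for the matched host, code running in the sandbox never holds the secret and cannot redirect it to a destination outside the allowlist.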

Integrated Tooling for Agent Capabilities

The platform extends agent capabilities with various integrated tools, allowing agents to perform complex interactions:

  • Browser Run: Provides agents with fully programmable and observable browsers for web interaction, including JS execution, screenshots, and form filling. Session recordings offer an audit trail and debugging capabilities.
  • Email Tools: Agents can send and receive emails, enabling autonomous communication and session initiation via email.
  • Custom Tools: Developers can easily extend agents with custom functions, such as integrating with Cloudflare R2 for object storage or Workers AI for image generation, without additional infrastructure.
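```javascript
import { z } from "zod";
// defineTool is supplied by the agent tooling the article describes; its import is not shown here.

defineTool({
  name: "r2_host_file",
  description: "Upload from sandbox to R2 and get a public URL.",
  inputSchema: z.object({
    key: z.string().describe("Object key"),
    content: z.string().describe("UTF-8 file body"),
    contentType: z.string().describe("MIME type")
  }),
  run: async ({ key, content, contentType }, { env }) => {
    // Store the object under the caller-supplied key with its MIME type.
    await env.PUBLIC_BUCKET.put(
      key, content, { httpMetadata: { contentType }}
    );
    // Encode each path segment so "?" and "#" in a key cannot truncate the URL;
    // encodeURI leaves both unescaped.
    const path = key.split("/").map(encodeURIComponent).join("/");
    return `${env.PUB_R2_URL.replace(/\/$/, "")}/${path}`;
  }
});
```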