Cloudflare Sandboxes Reach General Availability, Giving AI Agents Persistent Isolated Environments

Cloudflare Sandboxes Reach General Availability, Giving AI Agents Persistent Isolated Environments - InfoQ

[BT](http://www.infoq.com/int/bt/ "bt")

InfoQ Software Architects' Newsletter

A monthly overview of things you need to know as an architect or aspiring architect.

View an example

Enter your e-mail address

Select your country - [x] I consent to InfoQ.com handling my data as explained in this Privacy Notice.

We protect your privacy.

Close

Live Webinar and Q&A: Portable by Design: Data Mobility & Recovery Patterns for Multi-Cloud Systems (May 21, 2026)Save Your Seat

Close

Toggle Navigation

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

English edition

• English edition
• Chinese edition
• Japanese edition
• French edition

[Write for InfoQ](http://www.infoq.com/write-for-infoq/ "Write for InfoQ")

Search

RegisterSign in

Unlock the full InfoQ experience

Unlock the full InfoQ experience by logging in! Stay updated with your favorite authors and topics, engage with content, and download exclusive resources.

Log In

or

Don't have an InfoQ account?

Register

• **Stay updated on topics and peers that matter to you**Receive instant alerts on the latest insights and trends.
• **Quickly access free resources for continuous learning**Minibooks, videos with transcripts, and training materials.
• **Save articles and read at anytime**Bookmark articles to read whenever youre ready.

Logo - Back to homepage

NewsArticlesPresentationsPodcastsGuides

Topics

[Development](http://www.infoq.com/development/ "Development")

• [Java](http://www.infoq.com/java/ "Java")
• [Kotlin](http://www.infoq.com/kotlin/ "Kotlin")
• [.Net](http://www.infoq.com/dotnet/ ".Net")
• [C#](http://www.infoq.com/c_sharp/ "C#")
• [Swift](http://www.infoq.com/swift/ "Swift")
• [Go](http://www.infoq.com/golang/ "Go")
• [Rust](http://www.infoq.com/rust/ "Rust")
• [JavaScript](http://www.infoq.com/javascript/ "JavaScript")

Featured in Development

• #### From VR to Flat Screens: Bridging the Input and Immersion Gap

Dany Lepage discusses the architectural journey of porting a hit VR title to seven non-VR platforms. He explains how his team solved the challenges of cross-progression, diverse input paradigms, and maintaining release velocity across Steam, iOS, and PlayStation. Beyond the tech, he shares candid lessons on the "product fit" gap when translating immersive social presence to 2D screens.


All in developmentFollow Topic

[Architecture & Design](http://www.infoq.com/architecture-design/ "Architecture & Design")

• [Architecture](http://www.infoq.com/architecture/ "Architecture")
• [Enterprise Architecture](http://www.infoq.com/enterprise-architecture/ "Enterprise Architecture")
• [Scalability/Performance](http://www.infoq.com/performance-scalability/ "Scalability/Performance")
• [Design](http://www.infoq.com/design/ "Design")
• [Case Studies](http://www.infoq.com/Case_Study/ "Case Studies")
• [Microservices](http://www.infoq.com/microservices/ "Microservices")
• [Service Mesh](http://www.infoq.com/servicemesh/ "Service Mesh")
• [Patterns](http://www.infoq.com/DesignPattern/ "Patterns")
• [Security](http://www.infoq.com/Security/ "Security")

Featured in Architecture & Design

• #### Event-Driven Patterns for Cloud-Native Banking - What Works, What Hurts?

Chris Tacey-Green discusses the shift from synchronous commands to asynchronous events within highly regulated environments. He explains the critical role of Inbox and Outbox patterns in preventing data loss, the nuances of event versioning, and how to maintain decoupling between domains. He shares "battle-tested" principles for implementing fault tolerance and managing eventual consistency.


All in architecture-designFollow Topic

[AI Infrastructure](http://www.infoq.com/ai-ml-data-eng/ "AI Infrastructure")

• [Big Data](http://www.infoq.com/bigdata/ "Big Data")
• [Machine Learning](http://www.infoq.com/machinelearning/ "Machine Learning")
• [NoSQL](http://www.infoq.com/nosql/ "NoSQL")
• [Database](http://www.infoq.com/database/ "Database")
• [Data Analytics](http://www.infoq.com/data-analytics/ "Data Analytics")
• [Streaming](http://www.infoq.com/streaming/ "Streaming")

Featured in AI, ML & Data Engineering

• #### Dynamic Moments: Weaving LLMs into Deep Personalization at DoorDash

Sudeep Das and Pradeep Muthukrishnan explain the shift from static merchandising to dynamic, moment-aware personalization at DoorDash. They share how LLMs generate natural-language "consumer profiles" and content blueprints, while traditional deep learning handles last-mile ranking. This hybrid approach allows the platform to adapt to short-lived user intent and massive catalog abundance.


All in ai-ml-data-engFollow Topic

[Culture & Methods](http://www.infoq.com/culture-methods/ "Culture & Methods")

• [Agile](http://www.infoq.com/agile/ "Agile")
• [Diversity](http://www.infoq.com/diversity/ "Diversity")
• [Leadership](http://www.infoq.com/leadership/ "Leadership")
• [Lean/Kanban](http://www.infoq.com/lean/ "Lean/Kanban")
• [Personal Growth](http://www.infoq.com/personal-growth/ "Personal Growth")
• [Scrum](http://www.infoq.com/scrum/ "Scrum")
• [Sociocracy](http://www.infoq.com/sociocracy/ "Sociocracy")
• [Software Craftmanship](http://www.infoq.com/software_craftsmanship/ "Software Craftmanship")
• [Team Collaboration](http://www.infoq.com/team-collaboration/ "Team Collaboration")
• [Testing](http://www.infoq.com/testing/ "Testing")
• [UX](http://www.infoq.com/ux/ "UX")

Featured in Culture & Methods

• #### Panel: Building a Culture that Works

The panelists share insights on evolving company culture. They discuss leveraging feedback loops, lending social capital, and the friction between legacy bureaucracy and agile engineering. The panel explains how to maintain cohesion in remote teams and use interviews to uncover the true "unmanicured" culture of a firm.


All in culture-methodsFollow Topic

DevOps

• [Infrastructure](http://www.infoq.com/infrastructure/ "Infrastructure")
• [Continuous Delivery](http://www.infoq.com/continuous_delivery/ "Continuous Delivery")
• [Automation](http://www.infoq.com/automation/ "Automation")
• [Containers](http://www.infoq.com/containers/ "Containers")
• [Cloud](http://www.infoq.com/cloud-computing/ "Cloud")
• [Observability](http://www.infoq.com/observability/ "Observability")

Featured in DevOps

• #### Beyond One-Click: Designing an Enterprise-Grade Observability Extension for Docker

Docker Extensions boost developer speed but create a "visibility gap" by isolating telemetry. To meet enterprise needs, extensions must act as bridges to centralized platforms. This article details how to use OpenTelemetry, policy-as-code, and encryption to build secure pipelines. Learn to balance developer productivity with the governance required for scalable, compliant observability.


All in devopsFollow Topic

[Events](https://events.infoq.com/ "Events")

Helpful links

• [About InfoQ](http://www.infoq.com/about-infoq "About InfoQ")
• [InfoQ Editors](http://www.infoq.com/infoq-editors "InfoQ Editors")
• [Write for InfoQ](http://www.infoq.com/write-for-infoq "Write for InfoQ")
• [About C4Media](https://c4media.com/ "About C4Media")
• [Diversity](https://c4media.com/diversity "Diversity")

Choose your language

• [En](http://www.infoq.com/news/2026/04/cloudflare-sandboxes-ga/# "InfoQ English")
• 中文
• 日本
• Fr


[InfoQ Homepage](http://www.infoq.com/ "InfoQ Homepage")[News](http://www.infoq.com/news "News")Cloudflare Sandboxes Reach General Availability, Giving AI Agents Persistent Isolated Environments

[Cloud](http://www.infoq.com/Cloud/ "Cloud")

QCon San Francisco (Nov 16-20): Deep technical sessions. Peer conversations that change how you think.

Cloudflare Sandboxes Reach General Availability, Giving AI Agents Persistent Isolated Environments

Apr 22, 2026 3 min read

by

• Steef-Jan Wiggers

Follow Cloud Queue Lead Editor | Domain Architect | Cloud Expert

#### Write for InfoQ

**Feed your curiosity.**Help 550k+ global

senior developers

each month stay ahead.Get in touch

Log in to listen to this article

Audio ready to play

Your browser does not support the audio element.

0:00 0:00

Normal 1.25x 1.5x

Like

• Reading list

Cloudflare has announced the general availability of Sandboxes and Cloudflare Containers as part of its Agents Week, providing persistent, isolated Linux environments for AI agent workloads.

First launched in beta last June, the GA release adds secure credential injection, PTY terminal support, persistent code interpreters, filesystem watching, snapshot-based session recovery, and active CPU pricing, which charges only for used cycles. Kate Reznykova and Mike Nomitch from the Cloudflare team write:

What we have now is different in kind. A Sandbox today is a full development environment: a terminal you can connect a browser to, a code interpreter with persistent state, background processes with live preview URLs, a filesystem that emits change events in real time, egress proxies for secure credential injection, and a snapshot mechanism that makes warm starts nearly instant.

A Cloudflare Sandbox is a container that starts on demand when requested by name, sleeps automatically when idle, and wakes when it receives a new request. The same sandbox is accessible from anywhere via a consistent ID, providing agents with a stateful environment that persists across interactions. The SDK provides methods for executing commands, cloning repositories, writing files, and managing processes through a TypeScript API.

The main improvements since the beta center on security, developer experience, and cost. On the security side, outbound Workers provide a programmable egress proxy that intercepts outbound requests from the sandbox and injects credentials at the network layer. The agent never sees the token. Developers can write custom auth logic per destination domain, apply identity-aware policies per sandbox, and dynamically restrict network access as a task progresses. Cloudflare describes this as a zero-trust model where no token is ever granted to the untrusted workload.

class OpenCodeInABox extends Sandbox {
  static outboundByHost = {
    "my-internal-vcs.dev": (request, env, ctx) => {
      const headersWithAuth = new Headers(request.headers);
      headersWithAuth.set("x-auth-token", env.SECRET);
      return fetch(request, { headers: headersWithAuth });
    }
  }
}

For developer experience, PTY support replaces the request-response shell simulation of earlier agent systems with real pseudo-terminal sessions proxied over WebSocket. Persistent code interpreters maintain state across execution calls, so variables and imports survive between steps the way they would in a Jupyter notebook. Background processes with live preview URLs let agents start development servers and share a working link. Filesystem watching, built on Linux inotify, allows agents to react to file changes in real time.

Snapshots, rolling out in the coming weeks, will preserve a container's full disk state and allow near-instant restoration. This enables a pattern where agents can fork sessions: boot four sandboxes from the same snapshot to explore different approaches in parallel. Cloudflare demonstrates the practical impact with a concrete number: cloning a repository, running npm install, and booting from scratch takes 30 seconds, while restoring from a backup takes two seconds.

Figma is running production agent workloads on the infrastructure. Alex Mullans, who leads AI and Developer Platforms at Figma, described the use case in the announcement:

Figma Make is built to help builders and makers of all backgrounds go from idea to production, faster. To deliver on that goal, we needed an infrastructure solution that could provide reliable, highly-scalable sandboxes where we could run untrusted agent- and user-authored code.

The AI agent sandbox space has become increasingly crowded. E2B uses Firecracker microVMs with dedicated kernels per session and reports adoption by roughly half of the Fortune 500. Daytona, which pivoted from development environments to AI agent infrastructure in early 2025, claims sub-90ms sandbox creation using Docker containers. Modal targets GPU-heavy Python workloads with serverless infrastructure. Vercel launched its own Firecracker-based Sandbox in beta. What differentiates Cloudflare's offering is edge distribution across its global network, combined with the two-tier architecture: lightweight V8 isolate-based Dynamic Workers for ephemeral code execution (which entered open beta during the same Agents Week) alongside full container-based Sandboxes for when agents need a complete operating system with git, bash, dev servers, and multi-language builds.

On pricing, Sandboxes now use active CPU pricing, charging only for CPU cycles actually used rather than for provisioned resources. CPU time is billed at $0.00002 per vCPU-second. The standard plan supports up to 15,000 concurrent lite instances, 6,000 basic instances, and over 1,000 larger instances. The SDK is at version 0.8.9, and the documentation is now available.

About the Author


#### **Steef-Jan Wiggers**

Steef-Jan Wiggers is one of InfoQ's senior cloud editors and works as a Domain Architect at VGZ in the Netherlands. His current technical expertise focuses on implementing integration platforms, Azure DevOps, AI, and Azure Platform Solution Architectures. Steef-Jan is a regular speaker at conferences and user groups and writes for InfoQ. Furthermore, Microsoft has recognized him as a Microsoft Azure MVP for the past sixteen years.

Show more Show less

#### This content is in the Cloud topic

Follow Topic

##### Related Topics:

• Development### Development

Followers: 4088

Follow Topic

• Architecture & Design### Architecture & Design

Followers: 10203

Follow Topic

• DevOps### DevOps

Followers: 5046

Follow Topic

• AI, ML & Data Engineering### AI, ML & Data Engineering

Followers: 5870

Follow Topic

• Agents### Agents

Followers: 39

Follow Topic

• Linux### Linux

Followers: 37

Follow Topic

• Artificial Intelligence### Artificial Intelligence

Followers: 211

Follow Topic

• Architecture### Architecture

Followers: 3333

Follow Topic

• Cloudflare### Cloudflare

Followers: 16

Follow Topic

• Cloud### Cloud

Followers: 2126

Follow Topic

* #### Related Editorial

• ##### Cloudflare Launches Dynamic Workers Open Beta: Isolate-Based Sandboxing for AI Agent Code Execution

• ##### Cloudflare Demonstrates Moltworker, Bringing Self-Hosted AI Agents to the Edge

• ##### Cloudflare Workflows Adds Python Support for Durable AI Pipelines

• ##### Cloudflare Launches Vertical Microfrontend Template for Path-Based Edge Routing

• ##### Cloudflare Outlines MCP Architecture as Enterprises Confront Security and Governance Risks

* #### Related Sponsors

• ##### The missing layer in the agentic AI stack: Why AI applications need durable sessions

• ##### Architecture Beyond the Diagram: Decisions, Systems, and the Forces That Shape Them - Download the InfoQ eMag

• ##### The Essential Guide to AI Tools for Jakarta EE Developers

• ##### Autonomous Production Operations Built on AWS

• ##### Understanding AI Agent Security

• #### Related Sponsor

Confidently test, evaluate, and red-team your LLM apps with **Promptfoo** — catch regressions, benchmark models, and ship high-quality AI features faster; start testing your prompts today. **Learn More.**

Related Content

• ##### Cloudflare Outlines MCP Architecture as Enterprises Confront Security and Governance Risks

Apr 22, 2026

• ##### Cloudflare Launches Dynamic Workers Open Beta: Isolate-Based Sandboxing for AI Agent Code Execution

Apr 01, 2026

• ##### Anthropic Introduces Managed Agents to Simplify AI Agent Deployment

Apr 21, 2026

• ##### Cloudflare Introduces Project Think: A Durable Runtime for AI Agents

Apr 21, 2026

• ##### Designing Memory for AI Agents: Inside Linkedin’s Cognitive Memory Agent

Apr 20, 2026

• ##### Subagents in Gemini CLI Enable Task Delegation and Parallel Agent Workflows

Apr 20, 2026

• ##### Cloudflare Launches Code Mode MCP Server to Optimize Token Usage for AI Agents

Apr 16, 2026

• ##### Cloudflare Introduces EmDash: TypeScript CMS Positioned as WordPress Successor

Apr 09, 2026

• ##### Google Brings MCP Support to Colab, Enabling Cloud Execution for AI Agents

Apr 09, 2026

Related Sponsors

• #### Inside MCP: A Protocol for AI Integration

The Model Context Protocol (MCP) defines a standard way for AI systems to interact with tools, data, and services. This article explains MCP’s architecture—hosts, clients, and servers—and how it enables structured, secure integrations between AI models and external systems.

• #### Harder, Better, Prompter, Stronger: AI system prompt hardening

System prompts define how LLM applications behave—but they are vulnerable to manipulation. This article explores prompt hardening techniques such as instruction shielding, syntax reinforcement, and layered prompting to defend AI systems against prompt injection and override attacks.

• Sponsored by


Related Content

• ##### TigerFS Mounts PostgreSQL Databases as a Filesystem for Developers and AI Agents

Apr 04, 2026

• ##### When a Cloud Region Fails: Rethinking High Availability in a Geopolitically Unstable World

Apr 22, 2026 

• ##### Google Unveils AppFunctions to Connect AI Agents and Android Apps

Mar 29, 2026

• ##### Microsoft Launches Azure Copilot Migration Agent to Accelerate Cloud Migration Planning

Mar 29, 2026

• ##### "Pick and Mix" Custom Regions: Cloudflare Introduces Fine-Grained Data Residency Control

Mar 28, 2026

• ##### QCon London 2026: AI Agents Write Your Code. What’s Left for Humans?

Mar 27, 2026

**The InfoQ** Newsletter

A round-up of last week’s content on InfoQ sent out every Tuesday. Join a community of over 250,000 senior developers. View an example

Enter your e-mail address

Select your country - [x] I consent to InfoQ.com handling my data as explained in this Privacy Notice.

We protect your privacy.

• Development

• ##### [C++26: Reflection, Memory Safety, Contracts, and a New Async Model](http://www.infoq.com/news/2026/04/cpp-26-reflection-safety-async/ "C++26: Reflection, Memory Safety, Contracts, and a New Async Model")

• ##### [From VR to Flat Screens: Bridging the Input and Immersion Gap](http://www.infoq.com/presentations/game-vr-flat-screens/ "From VR to Flat Screens: Bridging the Input and Immersion Gap")

• ##### [Cursor 3 Introduces Agent-First Interface, Moving beyond the IDE Model](http://www.infoq.com/news/2026/04/cursor-3-agent-first-interface/ "Cursor 3 Introduces Agent-First Interface, Moving beyond the IDE Model")

• Architecture & Design

• ##### [Cloudflare Outlines MCP Architecture as Enterprises Confront Security and Governance Risks](http://www.infoq.com/news/2026/04/cloudflare-mcp/ "Cloudflare Outlines MCP Architecture as Enterprises Confront Security and Governance Risks")

• ##### [Anthropic Introduces Managed Agents to Simplify AI Agent Deployment](http://www.infoq.com/news/2026/04/anthropic-managed-agents/ "Anthropic Introduces Managed Agents to Simplify AI Agent Deployment")

• ##### [Slack Rebuilds Notification System, Reports 5X Increase in Settings Engagement](http://www.infoq.com/news/2026/04/slack-new-notification-system/ "Slack Rebuilds Notification System, Reports 5X Increase in Settings Engagement")

• Culture & Methods

• ##### [Panel: Building a Culture that Works](http://www.infoq.com/presentations/panel-positive-culture/ "Panel: Building a Culture that Works")

• ##### [Platform as a Product: Delivering Value While Balancing Competing Priorities](http://www.infoq.com/news/2026/04/platform-product-deliver-value/ "Platform as a Product: Delivering Value While Balancing Competing Priorities")

• ##### [Empower Your Developers: How Open Source Dependencies Risk Management Can Unlock Innovation](http://www.infoq.com/presentations/open-source-dependencies/ "Empower Your Developers: How Open Source Dependencies Risk Management Can Unlock Innovation")

• AI, ML & Data Engineering

• ##### [Dynamic Moments: Weaving LLMs into Deep Personalization at DoorDash](http://www.infoq.com/presentations/llm-personalization/ "Dynamic Moments: Weaving LLMs into Deep Personalization at DoorDash")

• ##### [Subagents in Gemini CLI Enable Task Delegation and Parallel Agent Workflows](http://www.infoq.com/news/2026/04/subagents-gemini-cli/ "Subagents in Gemini CLI Enable Task Delegation and Parallel Agent Workflows")

• ##### [Google’s Aletheia Advances the State of the Art of Fully Autonomous Agentic Math Research](http://www.infoq.com/news/2026/04/deepmind-aletheia-agentic-math/ "Google’s Aletheia Advances the State of the Art of Fully Autonomous Agentic Math Research")

• DevOps

• ##### [GitHub Acknowledges Recent Outages, Cites Scaling Challenges and Architectural Weaknesses](http://www.infoq.com/news/2026/04/github-outages-scaling/ "GitHub Acknowledges Recent Outages, Cites Scaling Challenges and Architectural Weaknesses")

• ##### [AWS Announces General Availability of DevOps Agent for Automated Incident Investigation](http://www.infoq.com/news/2026/04/aws-devops-agent-ga/ "AWS Announces General Availability of DevOps Agent for Automated Incident Investigation")

• ##### [Pulumi Adds Full Bun Runtime Support](http://www.infoq.com/news/2026/04/pulumi-bun-support/ "Pulumi Adds Full Bun Runtime Support")

**The InfoQ** Newsletter

A round-up of last week’s content on InfoQ sent out every Tuesday. Join a community of over 250,000 senior developers. View an example

• Get a quick overview of content published on a variety of innovator and early adopter technologies
• Learn what you don’t know that you don’t know
• Stay up to date with the latest information from the topics you are interested in

Enter your e-mail address

Select your country - [x] I consent to InfoQ.com handling my data as explained in this Privacy Notice.

We protect your privacy.

**May 7 | June 10, 2026 | Online** Architecture decisions are hard to validate while shipping. Join a **5-week online cohort** for **senior engineers, architects, and team leads** to pressure-test real decisions, apply practical frameworks, and work through challenges with a confidential peer group. Facilitated by Luca Mezzalira, Principal Architect at AWS, this cohort helps you: * Pressure-test real decisions. * Apply frameworks to real problems. * Publish on InfoQ.com and earn your certification. **RESERVE YOUR PLACE**

[Home](http://www.infoq.com/ "Home")[Create account](http://www.infoq.com/reginit.action "Create account")Log In[QCon Conferences](http://qconferences.com/ "QCon Conferences")Events[Write for InfoQ](http://www.infoq.com/write-for-infoq/ "Write for InfoQ")[InfoQ Editors](http://www.infoq.com/infoq-editors/ "InfoQ Editors")[About InfoQ](http://www.infoq.com/about-infoq/ "About InfoQ")[About C4Media](https://c4media.com/ "About C4Media")[Media Kit](https://get.infoq.com/infoq-mediakit/ "Media Kit")[InfoQ Developer Marketing Blog](https://devmarketing.c4media.com/?utm_source=infoq "InfoQ Developer Marketing Blog")[Diversity](https://c4media.com/diversity "Diversity")

#### Events

• ##### Online InfoQ Architect Certification

May 7, 2026

• ##### QCon AI Boston

June 1-2, 2026

• ##### Online InfoQ Architect Certification

June 10, 2026

• ##### QCon San Francisco

November 16-20, 2026

#### Follow us on

Youtube 232K FollowersLinkedin 26K FollowersRSS 19K ReadersX 57.1k FollowersFacebook 21K LikesBluesky NewInstagram New

#### Stay in the know

The InfoQ PodcastEngineering Culture PodcastThe Software Architects' Newsletter

General Feedback [feedback@infoq.com](mailto:feedback@infoq.com) Advertising [sales@infoq.com](mailto:sales@infoq.com) Editorial [editors@infoq.com](mailto:editors@infoq.com) Marketing [marketing@infoq.com](mailto:marketing@infoq.com)

InfoQ.com and all content copyright © 2006-2026 C4Media Inc.

Privacy Notice, Terms And Conditions, Cookie Policy

Close

[BT](http://www.infoq.com/int/bt/ "bt")