Egress Policies & Allowlists

Codex Cloud microVMs operate under a default-deny egress policy. No outbound network traffic is allowed unless explicitly permitted by the allowlist. The default allowlist includes package registries (registry.npmjs.org, pypi.org, crates.io, proxy.golang.org), git hosts (github.com, gitlab.com, bitbucket.org), and OpenAI API endpoints. Everything else — your company's internal APIs, third-party SaaS services, cloud provider endpoints — is blocked. This is the opposite of how most development environments work, where everything is allowed and specific endpoints are blocked.

The default-deny model exists because Codex Cloud executes untrusted code. Your task prompt tells the agent to write code, and the agent runs that code inside the microVM. If the generated code makes network requests — intentionally or accidentally — those requests could exfiltrate repository contents, probe internal networks, or interact with external services in unexpected ways. The allowlist ensures that even if the agent generates code that attempts to contact unauthorized endpoints, the traffic never leaves the sandbox.

Custom allowlists extend the default list with domains your tasks legitimately need. Adding a domain requires justification: which tasks need it, what data flows over the connection, and what happens if the domain becomes unreachable. Each allowed domain expands the attack surface of the sandbox. The discipline is minimal allowlisting — add only what is required, review the list quarterly, and remove domains that are no longer needed.