Traffic Inspection & Logging

Traffic inspection captures metadata about every network connection a microVM makes: destination domain, port, protocol, bytes transferred, duration, and result (allowed/blocked). This metadata is essential for security audit (what did the sandbox access?), compliance (can we prove the sandbox did not access restricted data?), and cost optimization (which tasks generate the most network traffic?). The proxy logs this metadata automatically — no configuration is needed inside the microVM.

For HTTPS traffic, the proxy logs the destination domain (via SNI) but cannot inspect the encrypted payload without performing TLS interception (MITM). TLS interception is technically possible — the proxy presents its own certificate to the microVM and re-encrypts traffic toward the destination — but it breaks certificate pinning, complicates debugging, and raises privacy concerns. Most deployments do not enable TLS interception and rely on domain-level metadata for auditing. If content-level inspection is required (regulated industries, sensitive data), TLS interception should be scoped to specific domains, not applied globally.

# Traffic log entry (one per connection)

{
  "timestamp": "2026-04-21T14:32:07Z",
  "task_id": "task_abc123",
  "user": "developer@company.com",
  "direction": "egress",
  "domain": "registry.npmjs.org",
  "port": 443,
  "protocol": "https",
  "sni": "registry.npmjs.org",
  "bytes_sent": 1024,
  "bytes_received": 458752,
  "duration_ms": 340,
  "result": "allowed",
  "allowlist_rule": "default:npm"
}

# Log aggregation queries

# Top domains by traffic volume
SELECT domain, SUM(bytes_received) as total
FROM traffic_logs
GROUP BY domain ORDER BY total DESC

# Blocked connection attempts (potential issues)
SELECT domain, COUNT(*) as attempts
FROM traffic_logs
WHERE result = 'blocked'
GROUP BY domain ORDER BY attempts DESC