Vercel News | Security

Advanced egress firewall filtering for Vercel Sandbox

2026-02-11

Endigest AI Core Summary

Vercel Sandbox now supports advanced egress firewall filtering via SNI-based host filtering and CIDR blocks to control outbound network access for sandboxes.

  • SNI-peeking inspects the unencrypted bytes of a TLS handshake to extract the target hostname, enabling host-based rules without requiring an HTTP proxy
  • IP/CIDR-based rules are also supported as a fallback for legacy or non-TLS systems
  • Network policies can be defined at sandbox creation time using an allowlist of domains, with wildcard support for CDN-backed services
  • Policies can be dynamically updated on a running sandbox without restarting, enabling phased access patterns (open → locked → narrow → air-gapped)
  • Designed to prevent untrusted or AI-generated code from exfiltrating data or making unintended API calls