Sandbox updates (#2783)

Co-authored-by: Jo Franchetti <jofranchetti@gmail.com>

Author: philhawksworth

sandboxes/_data.ts

@@ -59,6 +59,10 @@ export const sidebar = [
         title: "Examples",
         href: "/examples/#sandboxes",
       },
+      {
+        title: "Pricing",
+        href: "https://deno.com/deploy/pricing/",
+      },
     ],
   },
 ] satisfies Sidebar;

sandboxes/create.md

@@ -23,13 +23,22 @@ process. You can tailor the sandbox by passing an options object.
 | Option     | Description                                                                                                             |
 | ---------- | ----------------------------------------------------------------------------------------------------------------------- |
 | `region`   | Eg `ams` or `ord`                                                                                                       |
+| `allowNet` | Array of hosts that can receive requests from the sandbox. If specified, any hosts not listed are unreachable.          |
 | `memoryMb` | Allocate between 768 and 4096 MB of RAM for memory-heavy tasks or tighter budgets.                                      |
 | `lifetime` | [How long the sandbox stays alive](./lifetimes) in (m) or (s) such as `5m`                                              |
 | `labels`   | Attach arbitrary key/value labels to help identify and manage sandboxes                                                 |
 | `env`      | Set initial environment variables inside the sandbox. Secrets should still be managed via Deploy’s secret substitution. |
 
 ## Example configurations
 
+### Allow outbound traffic to specific APIs
+
+```tsx
+const sandbox = await Sandbox.create({
+  allowNet: ["api.openai.com", "api.stripe.com"],
+});
+```
+
 ### Run in a specific region with more memory
 
 ```tsx
@@ -63,6 +72,7 @@ const sandbox = await Sandbox.create({
 
 ## Tips
 
+- Keep `allowNet` as narrow as possible to block exfiltration attempts.
 - Use metadata keys such as `agentId` or `customerId` to trace sandboxes in the
   Deploy dashboard.
 - Let `await using` (or dropping the last reference) dispose of the sandbox

sandboxes/getting_started.md

@@ -87,13 +87,15 @@ Details about the sandbox will be shown in its **Event log**.
 When creating a sandbox witb `Sandbox.create()`, you can configure it with the
 following options:
 
+- `allowNet`: List of hosts that can receive outbound traffic from the sandbox.
 - `region`: Deploy region where the sandbox will be created.
 - `memoryMb`: Amount of memory allocated to the sandbox.
 - `lifetime`: Lifetime of the sandbox.
 - `labels`: Arbitrary key/value tags to help identify and manage sandboxes
 
 ```tsx
 await using sandbox = await Sandbox.create({
+  allowNet: ["api.stripe.com", "api.openai.com"], // optional: list of hosts that this sandbox can communicate with
   region: "sjc", // optional: choose the Deploy region
   memoryMb: 1024, // optional: pick the RAM size (768-4096)
 });

sandboxes/index.md

@@ -128,6 +128,9 @@ Sandboxes have the following limits:
 - **Lifetime:** Configurable per sandbox and bound to a session, up to 30
   minutes
 - **Disk**: 10 GB of ephemeral storage
+- **Concurrency**: 5 concurrent sandboxes per organization (This is the default
+  concurrency limit during the pre-release phase of Sandboxes. Contact
+  [deploy@deno.com](mailto:deploy@deno.com) to request a higher limit.)
 
 Exceeding these limits may result in throttling or termination of your sandbox.