Networking
Last updated: 2026-06-27
A workspace has one of two network modes: user (the default) gives the guest
unprivileged outbound IPv4 plus any TCP ports you publish, and isolated gives
it no network device at all. For controlling and auditing what the guest may
reach, read egress mediation.
Outbound access (the default)
user mode is the default, so a plain workspace can already reach the network:

    microagent create research --image docker.io/library/python:3.12
    microagent start research
    microagent exec research -- curl -sS https://example.com >/dev/null && echo ok

You do not need to configure host routing, bridges, or packet forwarding for
the default path. If outbound networking fails, run microagent doctor first;
it checks the host prerequisites for the current platform.
Publish a guest port to the host
Use --publish to expose a guest TCP port on the host. Repeat it per port:

    microagent create web --image docker.io/library/python:3.12 \
      --publish 127.0.0.1:8080:80/tcp
    microagent start web
    curl -sS http://127.0.0.1:8080/

The host listens on the declared address and port, the supervisor bridges the
connection over the backend’s transport, and guest init forwards it to the
requested guest port. See run a service for a worked example.
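To confirm that the host listener is bound only to the address you declared with --publish, you can audit the host's listening sockets. The script below is an added example, not part of microagent: the function name audit_publish and the sample socket lines are constructed for illustration, and it assumes the column layout printed by `ss -Hltn` on Linux.

```shell
#!/bin/sh
# Added example (not microagent code): check that a published host port is
# bound only to the declared address, e.g. 127.0.0.1 from
# --publish 127.0.0.1:8080:80/tcp.
# Assumption: stdin has `ss -Hltn` lines: State Recv-Q Send-Q Local Peer.

# audit_publish ADDR PORT
#   exit 0: every listener on PORT is bound to ADDR
#   exit 1: a listener on PORT is bound elsewhere (each one is printed)
#   exit 2: nothing is listening on PORT
audit_publish() {
    awk -v want="$1" -v port="$2" '
        $1 != "LISTEN" { next }
        {
            n = split($4, p, ":")
            if (p[n] != port) next
            # Everything before the final ":PORT" is the bind address.
            addr = substr($4, 1, length($4) - length(p[n]) - 1)
            gsub(/^\[|\]$/, "", addr)   # [::1] -> ::1
            sub(/%.*$/, "", addr)       # drop an interface scope such as %lo
            seen++
            if (addr != want) { print "unexpected listener: " $4; bad++ }
        }
        END {
            if (!seen) { print "no listener on port " port; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample input: a loopback-only publish, and one that is
# reachable from every interface.
SAMPLE_OK='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_WIDE='LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::1]:9000 [::]:*'

printf '%s\n' "$SAMPLE_OK" | audit_publish 127.0.0.1 8080 \
    && echo "ok: 8080 is loopback only"
printf '%s\n' "$SAMPLE_WIDE" | audit_publish 127.0.0.1 8080 \
    || echo "FAIL: 8080 is bound wider than declared"

# On a live host: ss -Hltn | audit_publish 127.0.0.1 8080
```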
No network at all
When a workspace should have no network access, use isolated:

    microagent create offline --image docker.io/library/python:3.12 --network isolated

Isolated workspaces reject --publish before the request leaves the CLI -
there’s no guest network for a forward to reach.
Related
- Both network modes - Network modes.
- The network command - the network reference.
- Publish a service’s port to the host - run a service.
- Control and audit what the guest reaches - egress mediation.