Moving AI Sandboxing from the Container to the Network Layer
AI Engineergo watch the original →
the gist
Tailscale's Aperture gateway replaces vulnerable API keys with identity-aware network connections, allowing organizations to monitor and restrict LLM tool calls and bash commands without instrumenting the agent itself.
The Flaw in Traditional Sandboxing
Standard agent sandboxing typically relies on containers or VMs to isolate execution, but these environments still require API keys to function. This creates a critical security gap: the agent holds a credential that can be exfiltrated, misused, or leveraged to bypass intended scopes. Guercio argues that current approaches conflate execution isolation with access control. By placing the key inside the sandbox, developers inadvertently grant the agent the ability to act beyond its constraints, as the model can often find creative ways to abuse these credentials if given enough time or loop iterations.
Aperture: Identity-Aware LLM Gateway
Tailscale’s solution, Aperture, shifts the security boundary from the container to the network layer. By leveraging WireGuard and Tailscale’s identity primitives, Aperture treats every connection as a verified identity (user, tag, or group). Instead of injecting a real API key into the agent's environment, the agent uses a placeholder. All traffic is routed through the Aperture gateway, which sits on the Tailnet. Because the gateway is identity-aware, it validates the source of every request before forwarding it to the LLM provider.
Total Visibility and Control
Because all traffic must pass through the network layer, Aperture provides comprehensive visibility into agent behavior without requiring internal instrumentation. This includes tracking tool calls, bash commands, and MCP requests. This visibility is particularly useful for auditing complex agentic workflows, such as PR review bots, where traditional logging often fails to capture the full chain of commands. Security teams can enforce cost controls, set quotas, and trigger webhooks based on specific tool usage, all managed via a centralized policy file or GitOps workflow.
Building Custom Identity-Aware Services
Beyond the Aperture gateway, Tailscale exposes these capabilities through tsnet, an open-source library that allows developers to build custom internal services that are identity-aware. This enables teams to create internal MCP servers or API proxies that automatically inherit the organization's network identity, removing the need for complex OIDC or OAuth implementations for internal tools.