Cloudflare and Anthropic just shipped Claude Managed Agents on Cloudflare’s edge infrastructure. The integration runs Claude’s autonomous agent loop on Anthropic’s platform while delegating code execution, tool calls, and network access to Cloudflare Workers and Sandboxes. The security model is the interesting part: agent-generated code runs in V8 isolates or microVMs with explicit permission boundaries, and all network traffic routes through customizable proxies that can inject credentials, block exfiltration, or log every request.
This is not a hosted notebook. It is a production-grade execution environment where you control what the agent can touch.
Architecture: Where the Agent Runs vs. Where Code Executes
Claude Managed Agents splits the control plane from the execution plane.
Control plane (Anthropic):
- Agent reasoning loop
- Tool selection and planning
- State management across turns
Execution plane (Cloudflare):
- Code execution in Workers (V8 isolates) or Sandboxes (microVMs)
- Tool invocations with scoped permissions
- Network egress through proxies
- Browser automation via Browser Run
- Email sending with per-agent addresses
The agent decides what to do. Cloudflare enforces what it can do.
Isolation Model: V8 Isolates and MicroVMs
Cloudflare offers two execution environments for agent-generated code.
V8 Isolates (Dynamic Workers):
- Sub-millisecond cold starts
- Shared-nothing memory model
- CPU time limits (10ms to 30s depending on plan)
- No filesystem access
- Network requests only via fetch API
MicroVMs (Sandboxes):
- Full Linux environment
- Stateful filesystem
- SSH access for debugging
- Custom images with preinstalled dependencies
- Longer execution windows (up to 15 minutes)
Isolates are cheaper and faster. MicroVMs are necessary when the agent needs persistent state, file I/O, or long-running processes like database migrations or video encoding.
| Execution Environment | Cold Start | Max Duration | Filesystem | Use Case |
|---|---|---|---|---|
| V8 Isolate (Worker) | <1ms | 30s | None | API calls, data transforms, quick scripts |
| MicroVM (Sandbox) | ~500ms | 15min | Ephemeral | Builds, migrations, browser automation |
Tool Sandboxing: How Permissions Are Scoped
Claude uses function calling to invoke tools. Cloudflare intercepts these calls and enforces permission boundaries before execution.
Permission model:
- Each tool is a named function with an explicit schema
- The agent cannot call a tool unless it is registered in the deployment config
- Network access is scoped per tool (allowlist of domains or IP ranges)
- Credentials are injected by Cloudflare proxies, never visible to the agent
Example: an agent with a query_database tool can only reach the specific database endpoint you configure. It cannot pivot to other internal services, even if it generates code that tries.
Proxy layer: All outbound HTTP requests from agent code pass through Cloudflare’s proxy infrastructure. You can:
- Inject API keys or OAuth tokens without exposing them to the agent
- Block requests to sensitive endpoints
- Log every request and response for audit trails
- Rate-limit per-tool to prevent abuse
This is the security boundary. The agent can reason about what to do, but it cannot bypass the proxy to exfiltrate data or access unauthorized services.
Runtime Constraints: Preventing Runaway Execution
Agents can generate infinite loops, memory leaks, or recursive tool calls. Cloudflare enforces hard limits.
CPU time limits:
- Workers: 10ms (free), 50ms (paid), 30s (unbound)
- Sandboxes: configurable up to 15 minutes
Memory limits:
- Workers: 128MB per isolate
- Sandboxes: 256MB to 2GB depending on plan
Retry policies:
- Failed tool calls can retry with exponential backoff
- Max retry count is configurable per tool
- Circuit breakers prevent cascading failures
Timeout behavior: If an agent exceeds CPU time, the isolate is killed and the agent receives an error. The agent can handle the error and retry with a different approach, or it can escalate to a human.
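The retry policy described above (exponential backoff, a per-tool retry budget, and a circuit breaker that stops a failing tool from being hammered) can be seen end to end in the following added example. This is not the SDK's or Cloudflare's own code; the class and option names, the defaults, and the injectable `sleep` and `now` hooks are assumptions chosen so the logic runs deterministically offline.

```javascript
// Added example (not the SDK's own code): exponential-backoff retries with a
// per-tool retry budget and a circuit breaker, modelling the retry policy the
// text describes. Class and option names, defaults, and the injectable
// `sleep`/`now` hooks are assumptions chosen so the example runs offline.

class CircuitBreaker {
  constructor({ failureThreshold = 3, cooldownMs = 30_000, now = Date.now } = {}) {
    this.failureThreshold = failureThreshold;
    this.cooldownMs = cooldownMs;
    this.now = now;
    this.consecutiveFailures = 0;
    this.openedAt = null;
  }

  get state() {
    return this.openedAt === null ? 'closed' : 'open';
  }

  // While open, calls are rejected without reaching the tool. After the
  // cooldown the breaker closes again and lets a fresh attempt through.
  allows() {
    if (this.openedAt === null) return true;
    if (this.now() - this.openedAt >= this.cooldownMs) {
      this.openedAt = null;
      this.consecutiveFailures = 0;
      return true;
    }
    return false;
  }

  recordSuccess() {
    this.consecutiveFailures = 0;
    this.openedAt = null;
  }

  recordFailure() {
    this.consecutiveFailures += 1;
    if (this.consecutiveFailures >= this.failureThreshold) this.openedAt = this.now();
  }
}

// Invoke tool.handler(params) with up to maxRetries retries. The delay doubles
// on each failure (baseDelayMs * 2^attempt) and is capped at maxDelayMs, so a
// failing tool is never retried in a tight loop. Every attempt is recorded so
// the caller (or the agent) can see why a call ultimately failed.
async function callWithRetry(tool, params, opts = {}) {
  const {
    maxRetries = 3,
    baseDelayMs = 100,
    maxDelayMs = 2_000,
    breaker = null,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  } = opts;
  const attempts = [];

  for (let attempt = 0; attempt <= maxRetries; attempt++) {
    if (breaker && !breaker.allows()) {
      return { ok: false, error: 'circuit open', attempts };
    }
    try {
      const result = await tool.handler(params);
      if (breaker) breaker.recordSuccess();
      attempts.push({ attempt, ok: true });
      return { ok: true, result, attempts };
    } catch (err) {
      if (breaker) breaker.recordFailure();
      attempts.push({ attempt, ok: false, error: err instanceof Error ? err.message : String(err) });
      if (attempt === maxRetries) break;
      await sleep(Math.min(maxDelayMs, baseDelayMs * 2 ** attempt));
    }
  }
  return { ok: false, error: 'retry budget exhausted', attempts };
}
```

The breaker is keyed per tool, so one misbehaving upstream trips only its own breaker; the `attempts` array is what you would surface back to the agent so it can choose a different approach or escalate rather than blindly calling again.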
Observability: What You Can See
Cloudflare exposes detailed telemetry for every agent execution.
Logs:
- Console output from agent-generated code
- Tool call parameters and responses
- Network request logs (URL, method, status, latency)
- Error stack traces
Metrics:
- Execution duration per tool
- Memory usage per isolate
- Request count and error rate
- Cold start frequency
Session recording (Browser Run):
- Video replay of every browser interaction
- DOM snapshots at each step
- JavaScript console logs
- Network waterfall
You can SSH into a running Sandbox to inspect filesystem state, attach a debugger, or manually test tool behavior. This is critical when an agent fails in production and you need to reproduce the exact environment.
Code Example: Tool Registration with Network Scoping
Here is how you register a tool with explicit network boundaries.
```javascript
import { Agent } from '@cloudflare/agents-sdk';

const agent = new Agent({
  model: 'claude-3-5-sonnet',
  tools: [
    {
      name: 'query_database',
      description: 'Fetch customer records from the internal database',
      parameters: {
        type: 'object',
        properties: {
          customer_id: { type: 'string' }
        },
        required: ['customer_id']
      },
      handler: async (params, ctx) => {
        // Network access is scoped to this domain only
        const response = await fetch('https://internal-db.example.com/customers', {
          method: 'POST',
          headers: {
            // Credentials injected by Cloudflare proxy, not visible to agent
            'Authorization': ctx.env.DB_TOKEN
          },
          body: JSON.stringify({ id: params.customer_id })
        });
        return response.json();
      },
      // Explicit network allowlist
      network: {
        allow: ['internal-db.example.com']
      }
    }
  ]
});
```
The agent can call query_database, but it cannot make requests to any other domain. If it tries, the proxy blocks the request and returns an error.
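The proxy-layer behaviour described in the Tool Sandboxing section and exercised by the query_database example above (domain allowlist, credential injection, request logging, per-tool rate limiting) is modelled in the following added example. It is not Cloudflare's proxy code and not part of the SDK; the policy shape, the function names, the `DB_TOKEN` secret value and the sample hosts are assumptions, and the request is a plain object rather than a fetch Request so the logic runs without a network stack.

```javascript
// Added example (not Cloudflare's or Anthropic's code): a stand-in model of the
// per-tool egress enforcement the proxy layer is described as doing. The policy
// shape, function names, secret names and sample values are assumptions.

// Per-tool policy: exact hosts the tool may reach, the credential the proxy
// injects, and the request budget per window.
const TOOL_POLICIES = {
  query_database: {
    allow: ['internal-db.example.com'],
    inject: { header: 'Authorization', secretName: 'DB_TOKEN' },
    rateLimit: { max: 3, windowMs: 60_000 },
  },
};

// Secrets live on the proxy side only; agent code never receives them.
// Constructed sample value, not a real token.
const PROXY_SECRETS = { DB_TOKEN: 'Bearer example-token-not-real' };

// Append-only audit trail of every decision, allowed or denied.
const auditLog = [];

// Per-tool request timestamps used for the sliding-window rate limit.
const requestTimes = new Map();

function hostAllowed(hostname, allow) {
  // Exact match only: a lookalike such as internal-db.example.com.evil.test
  // or an arbitrary subdomain is not the configured endpoint.
  return allow.includes(hostname);
}

function withinRateLimit(toolName, limit, now) {
  const recent = (requestTimes.get(toolName) || []).filter((t) => now - t < limit.windowMs);
  if (recent.length >= limit.max) {
    requestTimes.set(toolName, recent);
    return false;
  }
  recent.push(now);
  requestTimes.set(toolName, recent);
  return true;
}

function deny(toolName, request, reason, now) {
  auditLog.push({ ts: now, tool: toolName, url: request.url, method: request.method || 'GET', decision: 'deny', reason });
  return { ok: false, reason };
}

// Decide whether a tool's outbound request may leave the sandbox. Returns
// { ok: true, request } with the credential injected, or { ok: false, reason }.
// `request` is a plain { url, method, headers } object rather than a fetch
// Request so the example runs without a network stack.
function enforceEgress(toolName, request, now = Date.now()) {
  const policy = TOOL_POLICIES[toolName];
  if (!policy) return deny(toolName, request, 'unregistered tool', now);

  let url;
  try {
    url = new URL(request.url);
  } catch {
    return deny(toolName, request, 'malformed url', now);
  }
  if (url.protocol !== 'https:') return deny(toolName, request, 'non-https', now);
  if (!hostAllowed(url.hostname, policy.allow)) return deny(toolName, request, 'host not in allowlist', now);
  if (!withinRateLimit(toolName, policy.rateLimit, now)) return deny(toolName, request, 'rate limited', now);

  // Strip any credential header the agent supplied itself, then inject the
  // proxy-held one. The agent's code never has to (and cannot) see the secret.
  const headers = {};
  for (const [k, v] of Object.entries(request.headers || {})) {
    if (k.toLowerCase() !== policy.inject.header.toLowerCase()) headers[k] = v;
  }
  headers[policy.inject.header] = PROXY_SECRETS[policy.inject.secretName];

  auditLog.push({ ts: now, tool: toolName, url: request.url, method: request.method || 'GET', decision: 'allow' });
  return { ok: true, request: { ...request, headers } };
}
```

Two design points worth noting: the allowlist check is an exact hostname match, not a suffix match, so a lookalike host that merely ends in the allowed name is rejected; and denials are written to the audit log before the reason is returned, so an exfiltration attempt leaves a record even though it never reaches the network.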
Private Service Connectivity: Cloudflare Tunnel Integration
Agents often need to reach internal services that are not exposed to the internet. Cloudflare Tunnel creates a secure connection from your private network to Cloudflare’s edge.
How it works:
- Run the cloudflared daemon in your private network
- Configure tunnel routes (e.g., internal-api.example.com → 10.0.1.5:8080)
- Agent code makes requests to the public hostname
- Cloudflare routes traffic through the tunnel to your private service
The agent never sees your private IP addresses. The tunnel is authenticated with a service token, and you can revoke access at any time.
Failure Modes and Mitigations
Agent generates malicious code:
- V8 isolate prevents filesystem access, process spawning, or raw socket access
- Proxy blocks unauthorized network requests
- CPU and memory limits kill runaway processes
Agent tries to exfiltrate data:
- Proxy logs every outbound request
- Network allowlists prevent connections to attacker-controlled domains
- Credentials are injected by Cloudflare, never visible to agent code
Agent exceeds resource limits:
- Execution is killed and agent receives an error
- Agent can retry with a simpler approach or escalate to a human
- Circuit breakers prevent repeated failures from cascading
Agent enters infinite loop:
- CPU time limit kills the isolate
- Retry budget prevents infinite retries
- Observability logs show the exact tool call that triggered the loop
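The failure modes above are only useful to a defender if the telemetry from the Observability section can be turned into findings: which tool call an agent is looping on, which outbound requests the proxy blocked, and which executions hit a resource limit. The following added example is a small analysis pass over that kind of log stream. It is not Cloudflare's tooling; the JSON record shape and the sample lines (including the blocked collector.example.net host) are constructed for this example, and a real log format will differ.

```javascript
// Added example (not Cloudflare's tooling): a small analysis pass over
// agent-execution logs of the kind the observability section lists, looking for
// the failure modes above: repeated identical tool calls (a loop), blocked egress
// (an exfiltration attempt), and resource-limit kills. The record shape and the
// sample lines are constructed for this example; real log formats will differ.

const SAMPLE_LOG = [
  '{"ts":1,"kind":"tool","tool":"query_database","params":{"customer_id":"c-1"},"status":"ok","durationMs":42}',
  '{"ts":2,"kind":"net","tool":"query_database","url":"https://internal-db.example.com/customers","method":"POST","status":200,"decision":"allow"}',
  '{"ts":3,"kind":"net","tool":"query_database","url":"https://collector.example.net/upload","method":"POST","status":403,"decision":"deny","reason":"host not in allowlist"}',
  'this line is not json and must be skipped, not crash the analysis',
  '{"ts":4,"kind":"tool","tool":"search_docs","params":{"q":"refund policy"},"status":"error","durationMs":9}',
  '{"ts":5,"kind":"tool","tool":"search_docs","params":{"q":"refund policy"},"status":"error","durationMs":8}',
  '{"ts":6,"kind":"tool","tool":"search_docs","params":{"q":"refund policy"},"status":"error","durationMs":8}',
  '{"ts":7,"kind":"tool","tool":"search_docs","params":{"q":"refund policy"},"status":"error","durationMs":9}',
  '{"ts":8,"kind":"runtime","event":"cpu_limit_exceeded","tool":"search_docs"}',
];

// Parse JSON-lines, dropping anything malformed but counting it.
function parseLog(lines) {
  const records = [];
  let malformed = 0;
  for (const line of lines) {
    try {
      const rec = JSON.parse(line);
      if (rec && typeof rec === 'object' && rec.kind) records.push(rec);
      else malformed += 1;
    } catch {
      malformed += 1;
    }
  }
  return { records, malformed };
}

// Stable key for a tool call: tool name plus its parameters with sorted keys,
// so {a:1,b:2} and {b:2,a:1} count as the same call.
function callKey(rec) {
  const params = rec.params || {};
  const sorted = Object.keys(params).sort().map((k) => `${k}=${JSON.stringify(params[k])}`);
  return `${rec.tool}(${sorted.join(',')})`;
}

// Identical tool calls repeated at least `threshold` times in one session are
// the signature of an agent loop; report the first timestamp so the trace
// can be opened at the point the loop started.
function findRepeatedCalls(records, threshold = 3) {
  const seen = new Map();
  for (const rec of records) {
    if (rec.kind !== 'tool') continue;
    const key = callKey(rec);
    const entry = seen.get(key) || { key, tool: rec.tool, count: 0, firstTs: rec.ts };
    entry.count += 1;
    seen.set(key, entry);
  }
  return [...seen.values()].filter((e) => e.count >= threshold);
}

// Every proxy denial is a request that agent code tried to make and could not.
function blockedEgress(records) {
  return records
    .filter((r) => r.kind === 'net' && r.decision === 'deny')
    .map((r) => ({ ts: r.ts, tool: r.tool, host: new URL(r.url).hostname, reason: r.reason }));
}

function toolErrorRates(records) {
  const totals = {};
  for (const r of records) {
    if (r.kind !== 'tool') continue;
    const t = totals[r.tool] || (totals[r.tool] = { calls: 0, errors: 0 });
    t.calls += 1;
    if (r.status !== 'ok') t.errors += 1;
  }
  const rates = {};
  for (const [tool, t] of Object.entries(totals)) rates[tool] = t.errors / t.calls;
  return rates;
}

function analyze(lines) {
  const { records, malformed } = parseLog(lines);
  return {
    malformed,
    repeatedCalls: findRepeatedCalls(records),
    blocked: blockedEgress(records),
    errorRates: toolErrorRates(records),
    limitKills: records.filter((r) => r.kind === 'runtime' && r.event === 'cpu_limit_exceeded'),
  };
}
```

Run `analyze(SAMPLE_LOG)` and the report names search_docs as the looping tool (four identical calls starting at ts 4, all failing, followed by a CPU-limit kill) and lists the single blocked request to collector.example.net; the malformed line is counted rather than allowed to abort the pass, which matters when the logs are consumed by an alerting pipeline.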
Technical Verdict
Use Cloudflare Claude Managed Agents when:
- You need autonomous agents in production with strict security boundaries
- You want to connect agents to private services without exposing them to the internet
- You need sub-second execution for lightweight tool calls
- You require detailed observability and audit trails for compliance
Avoid when:
- You need agents to run on-premises or in a specific cloud region (Cloudflare is edge-only)
- Your tools require GPU access or specialized hardware (Workers and Sandboxes are CPU-only)
- You need execution windows longer than 15 minutes (use a traditional VM or container instead)
- You want full control over the agent reasoning loop (Claude’s control plane is managed by Anthropic)
The security model is the differentiator. Most agent platforms give you a hosted notebook and hope you do not shoot yourself in the foot. Cloudflare gives you isolation, permission boundaries, and proxy-enforced network controls. If you are deploying agents that touch production data or internal services, this is the architecture to study.