Anthropic introduced MCP Tunnels in research preview: a lightweight gateway you deploy inside your own network that establishes an outbound encrypted connection to Anthropic infrastructure. Once that tunnel is up, Managed Agents and the Messages API can reach private MCP servers running on your side — internal databases, APIs, ticketing systems, knowledge bases — without you opening a single inbound firewall rule. The pattern is the same idea as Cloudflare Tunnel, ngrok, or AWS PrivateLink, applied to MCP traffic and the Anthropic agent surface. Authentication model, transport, and pricing not yet disclosed.
What this solves. The Managed Agents primitive Anthropic announced at Code With Claude — sandboxed execution, checkpointing, credential scoping — is hosted on Anthropic infrastructure. Useful by itself, but the enterprise blocker has always been the data: agents need to reach your private Postgres, your internal Jira, your company wiki, your customer-data-platform, none of which lives on the public internet. The previous workaround was either expose those services via VPN or reverse proxy (security review nightmare), or move the data to Anthropic-side infrastructure (data residency nightmare). MCP Tunnels makes the third path operational: the connection initiates from inside your perimeter outward, so your existing network security model doesn't change. Agents reach private MCP servers through the tunnel; internal systems never accept inbound connections from Anthropic. This is the connectivity primitive that turns Managed Agents from interesting-demo into enterprise-deployable.
Ecosystem context. Anthropic is filling out the MCP stack vertically: protocol (MCP itself), execution (Managed Agents), connectivity (MCP Tunnels). Each layer is a primitive that wrapper-ecosystem players (LangGraph, AutoGen, custom enterprise agent platforms) had previously sold to the same buyer. The bet is the same as Anthropic's other infrastructure moves this week: own the primitives, let the wrapper layer be optional. For competitors: OpenAI's Assistants API and the Agents SDK don't currently have a native private-network-access story comparable to MCP Tunnels — enterprise OpenAI deployments rely on Azure OpenAI's private endpoints (captive to Azure) or custom reverse-proxy setups. Google's Antigravity 2.0 (also this week) doesn't ship a hosted equivalent. AWS Bedrock Agents have PrivateLink for VPC-internal services, but that's AWS-captive. MCP Tunnels is the first vendor-neutral pattern: your MCP server can live anywhere, the tunnel is the ingress.
Monday: if you have a paused or shelved "agent that needs to reach our internal systems" project, dust it off — MCP Tunnels closes the network-access gap that killed those previously. Get on the research preview waitlist. Architectural decision before you adopt: where does your MCP server live (your VPC, your on-prem, a hybrid edge)? The tunnel gateway runs alongside the MCP server; placement decides which networks the agent can effectively reach. Security review ask: the gateway initiates outbound to Anthropic; verify that your egress policy permits the destination, that the tunnel binary is auditable or open, and that you understand the trust boundary on agent payloads coming back through. Auth model details haven't been published — push your Anthropic account team for scoping primitives (per-tool, per-database, per-row) before committing to a production pilot. The research-preview label means expect breaking changes for 1-2 months and production GA in Q3 or Q4. The pattern is here to stay either way: outbound-only tunnels for agent connectivity is what enterprise will demand from every vendor that wants to ship managed agents.