Isolated, on-demand microVMs for AI agents, code execution, and developer environments on Azure Container Apps Sandboxes.
Sub-second startup. Provisioned from prewarmed pools — boot, exec, throw away in seconds.
Strong isolation. Each sandbox runs in its own secure boundary. Safe for untrusted code.
Suspend and resume. Snapshot full memory + disk state. Resume in under a second, scale to zero in between.
OCI disk images. Bring any container image as a sandbox root filesystem.
Secure gateway. Deny-default outbound with host allowlists and credential injection.
Built for AI Apps & Agents. Programmable from CLI, Python SDK, or MCP — the shape AI workloads need.
Anatomy of a sandbox
What you can build
Traditional Apps. Lift-and-shift workloads that need stateful compute, custom kernels, or per-tenant isolation without rewriting.
AI Apps & Agents. Persistent, isolated workspaces that survive across task boundaries. Suspend between turns, resume with full context.
Code execution. Run untrusted code in seconds with strong isolation. Capture state with snapshots, replay deterministically.
Dev environments. Per-user compute that scales from zero to hundreds on demand and preserves state across sessions.
Many more… CI runners, browser automation, data prep, reproducible experiments — anywhere a fast, isolated VM helps.
Building blocks
Sandbox groups. Regional ARM resource that holds your sandboxes and the VNet, identity, and quota they share.
Sandboxes. Boot, exec, label, tune CPU and memory, suspend, resume, tear down — each one a microVM.
Disk images. Import OCI container images and use them as the root filesystem for new sandboxes.
Volumes. Azure Blob for shared, multi-attach data. Azure Data Disk for high-performance single-attach.
Secrets. Inject configuration and credentials into a sandbox as environment variables at boot.
Identity. Attach managed identities at the group level for token-broker access to Azure services.
Boot, suspend, resume. Bring a sandbox up from prewarmed pools in under a second. Suspend full memory + disk, resume in place.
Snapshots. Fork a primed sandbox into many replicas, restoring full memory and disk in under a second.
Exec & interactive shell. Run commands inside a sandbox over the data plane; stream stdout/stderr, attach a PTY.
File access. Upload, download, and stream files in and out of a running sandbox over the data plane.
Ports. Expose TCP and HTTP ports from a sandbox for inbound connections and previews.
Egress proxy. Deny-default outbound. Host allowlists and credentials injected at the proxy — never inside.
Labels & metadata. Tag sandboxes for routing, billing, and per-tenant filtering at list/query time.
Sandboxes or dynamic sessions?
Dynamic sessions route HTTP requests through a managed pool — best for stateless code execution at request scope. Sandboxes give you direct CLI / SDK control over individual microVMs, with suspend, snapshots, persistent volumes, and egress policy. Reach for sandboxes anytime state, lifecycle, or networking control matters.
Get started
Quickstart: Portal. Click through the portal to provision a group and launch your first sandbox.
Quickstart: CLI. aca login → group → first sandbox in under five minutes.
Quickstart: Python. Boot, exec, snapshot, and tear down from a script.
Quickstart: Agent Skills. Plug sandboxes into Copilot, Claude Code, or any agent.