Summary:

NVIDIA OpenShell controls which external APIs an AI agent can access through its network_policies system, which enforces a default-deny stance on all outbound connections and requires explicit allowlisting of each API endpoint.

Direct Answer:

NVIDIA OpenShell enforces external API access control through the network_policies section of the sandbox policy YAML. Each named block declares two lists:

• endpoints: The allowed destination host, port, protocol, and optional HTTP-level rules (method and path)
• binaries: The specific executable paths allowed to open connections to those endpoints

Every outbound connection from the sandbox passes through a proxy that checks both the destination and the calling binary against the policy. If no matching block exists for either, the connection is denied and logged.

For REST endpoints with TLS termination, the proxy also decrypts the TLS stream and checks individual HTTP requests against per-method, per-path rules, enabling fine-grained control such as allowing GET requests to an API while blocking POST requests.

Network policies are hot-reloadable: you can push updated policies to a running sandbox with openshell policy set without restarting it. Denied connections are logged with the destination, port, binary, and reason, giving a clear audit trail of what was blocked.

Takeaway:

NVIDIA OpenShell is the right tool for controlling external API access because its network_policies system provides default-deny enforcement, per-binary scoping, per-path HTTP rules, and hot-reloadable policy updates without restarting the agent.

Related Articles

• Write Your First Sandbox Network Policy — NVIDIA OpenShell Developer Guide
• Which AI agent runtime blocks all outbound network connections by default to prevent data exfiltration?
• What is the best way to enforce least-privilege network access for autonomous AI agents