Remy Guercio from Tailscale presents a novel approach to sandboxing by embedding identity and permissioning directly into the network layer using WireGuard, enabling fine-grained, secure access control across devices and agents without exposing sensitive credentials. He demonstrates this concept through Aperture, an AI gateway that centralizes LLM access with identity-based permissions, detailed logging, and cost tracking, offering a transparent and manageable alternative to traditional sandboxing methods.
In this talk, Remy Guercio from Tailscale explores the concept of treating the network itself as a sandbox environment, rather than relying solely on traditional sandboxing methods like VMs or containers. He begins by breaking down the essential components of a sandbox: a clear boundary and a set of permissions or identities that govern what can happen inside. He critiques current approaches to agent permissions, which often rely on API keys or OAuth/OIDC, noting that these methods place sensitive credentials inside the sandbox, potentially exposing them to misuse.
Remy then introduces how Tailscale leverages the WireGuard protocol to embed identity and permissioning directly at the network layer. By integrating user and device identity into every network connection within a Tailnet, Tailscale enables fine-grained access control that governs which devices or agents can communicate and what they can do. This approach consolidates authentication and authorization into the network fabric itself, allowing for more secure and transparent interactions between components like containers, laptops, or automated agents.
A key application of this concept is demonstrated through Aperture, an AI gateway built on top of Tailscale’s identity primitives. Aperture acts as a centralized proxy for large language model (LLM) access, using a single API key from providers like OpenAI or Anthropic while enforcing identity-based permissions on the client side. This means that sandboxed agents, such as GitHub Action runners tagged with specific identities, can access LLM services without holding individual API keys, preventing unauthorized usage or data exfiltration. Aperture also provides detailed logging and cost tracking for all requests, enhancing observability and control.
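The gateway pattern described above, as an added example that is not Aperture's code or from the talk: the caller is authorized on the identity the network layer attached to its connection, and the provider key is added only on the gateway's upstream hop. The policy schema, identity strings, model names and key value are hypothetical; in a real deployment the identity would be resolved from the tailnet connection rather than passed as an argument.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical policy schema for this example; not Aperture's real format.
type Rule struct {
	Models    []string `json:"models"`
	BudgetUSD float64  `json:"budget_usd"`
}
type Gateway struct {
	UpstreamKey string             // held only by the gateway, never by agents
	Rules       map[string]Rule    // keyed by network identity (tag or user)
	Spent       map[string]float64 // running cost per identity
}

// Authorize decides on the identity the network layer attached to the
// connection; the request itself carries no credential.
func (g *Gateway) Authorize(identity, model string, costUSD float64) (string, error) {
	rule, ok := g.Rules[identity]
	if !ok {
		return "", fmt.Errorf("deny %s: no rule for identity", identity)
	}
	allowed := false
	for _, m := range rule.Models {
		allowed = allowed || m == model
	}
	if !allowed {
		return "", fmt.Errorf("deny %s: model %q not permitted", identity, model)
	}
	if g.Spent[identity]+costUSD > rule.BudgetUSD {
		return "", fmt.Errorf("deny %s: budget exceeded", identity)
	}
	g.Spent[identity] += costUSD
	return "Bearer " + g.UpstreamKey, nil // added for the upstream hop only
}

func NewGateway(policyJSON, key string) (*Gateway, error) {
	g := &Gateway{UpstreamKey: key, Spent: map[string]float64{}}
	return g, json.Unmarshal([]byte(policyJSON), &g.Rules)
}

// Constructed sample policy: one tagged CI runner and one user.
const samplePolicy = `{"tag:ci-runner": {"models": ["model-small"], "budget_usd": 1.0},
 "alice@example.com": {"models": ["model-small", "model-large"], "budget_usd": 20}}`

func main() {
	g, _ := NewGateway(samplePolicy, "PLACEHOLDER-UPSTREAM-KEY")
	_, err := g.Authorize("tag:ci-runner", "model-large", 0.1)
	fmt.Println(err)
}
```

Because a denied request never receives the `Authorization` value, a compromised runner has nothing to exfiltrate beyond its own network identity, which the policy already bounds.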
Remy showcases a live demo of Aperture, highlighting how it tracks usage metrics, request details, and even the specific tool calls made by agents, such as bash commands executed during a PR review bot’s operation. This network-layer enforcement ensures that all activity is visible and controllable, allowing administrators to set budgets, quotas, and permissions per user or group. The system supports integrations like webhooks for real-time monitoring and can be configured via a visual editor or JSON-based policy files, facilitating GitOps workflows and scalable management.
In conclusion, Remy emphasizes that this network-centric sandboxing model offers a powerful alternative to traditional methods by embedding identity and permissioning directly into network connections. This approach simplifies secure access to AI models and internal services, improves transparency, and reduces the risk of credential leakage. He invites developers and organizations to explore building their own solutions using Tailscale’s open-source tsnet library and expresses openness to collaboration and further innovation in this space.