> ## Documentation Index > Fetch the complete documentation index at: https://upstash.com/docs/llms.txt > Use this file to discover all available pages before exploring further. # Network Policy Network policies control outbound network access from a box. Use them when you want to: * block all outbound traffic * allow only specific public domains * restrict egress to specific CIDR ranges By default, boxes use: ```ts theme={"system"} { mode: "allow-all" } ``` *** ## Modes | Mode | Description | | ----------- | ----------------------------------------------- | | `allow-all` | Default. No outbound restrictions. | | `deny-all` | Block all outbound network access. | | `custom` | Allow or deny specific domains and CIDR ranges. | The SDK type is: ```ts theme={"system"} type NetworkPolicy = | { mode: "allow-all" | "deny-all" } | { mode: "custom" allowedDomains?: string[] allowedCidrs?: string[] deniedCidrs?: string[] } ``` *** ## Create a box with a policy Pass `networkPolicy` when creating a box: ```ts theme={"system"} import { Box } from "@upstash/box" const box = await Box.create({ runtime: "node", networkPolicy: { mode: "custom", allowedDomains: ["api.github.com", "registry.npmjs.org"], }, }) ``` You can also combine domain and CIDR rules: ```ts theme={"system"} const box = await Box.create({ runtime: "node", networkPolicy: { mode: "custom", allowedDomains: ["api.github.com", "*.githubusercontent.com"], allowedCidrs: ["104.16.0.0/12"], }, }) ``` `networkPolicy` is also supported in `Box.fromSnapshot()` and `EphemeralBox`. *** ## Read the current policy Use the `networkPolicy` getter: ```ts theme={"system"} console.log(box.networkPolicy) // { mode: "allow-all" } ``` *** ## Update a running box Update the policy after creation: ```ts theme={"system"} await box.updateNetworkPolicy({ mode: "deny-all" }) ``` Switch back to unrestricted outbound access: ```ts theme={"system"} await box.updateNetworkPolicy({ mode: "allow-all" }) ``` Changes take effect immediately. You do not need to recreate the box. *** ## Matching rules * `allowedDomains` supports exact matches such as `api.github.com` * wildcard domains must use `*.suffix` form, for example `*.githubusercontent.com` * `allowedCidrs` and `deniedCidrs` use standard CIDR notation * in `custom` mode, `deniedCidrs` takes precedence over allowed CIDRs * private IP ranges are always blocked even if you try to allow them explicitly *** ## Example patterns Allow only GitHub and npm: ```ts theme={"system"} await box.updateNetworkPolicy({ mode: "custom", allowedDomains: ["github.com", "*.github.com", "registry.npmjs.org"], }) ``` Block all outbound traffic: ```ts theme={"system"} await box.updateNetworkPolicy({ mode: "deny-all" }) ``` Allow a specific public CIDR: ```ts theme={"system"} await box.updateNetworkPolicy({ mode: "custom", allowedCidrs: ["104.16.0.0/12"], }) ``` Block a specific CIDR range: ```ts theme={"system"} await box.updateNetworkPolicy({ mode: "custom", deniedCidrs: ["104.16.120.0/24"], }) ``` *** ## Related * [Security](/box/overall/security) * [Shell](/box/overall/shell) * [How It Works](/box/overall/how-it-works)