On May 19, 2026, at the Code with Claude event in London, Anthropic shipped MCP tunnels in research preview. The result: a Claude agent can call your internal ticketing system, your private database, or your on-prem knowledge base as a tool — without opening a single inbound firewall port or putting any of it on the public internet.

For consultancy work, government contracts, or anything under data residency rules, this is the gap that has been holding back real Claude agent deployments. Until now, “expose your MCP server to Anthropic’s IPs” was the only path, and for half of my actual customers that is a non-starter.

How It Actually Works

The deployment is two pieces of software running inside your network:

  • cloudflared — the tunnel agent. Initiates an outbound-only connection on port 7844 (TCP/UDP) to the Cloudflare tunnel edge (198.41.192.0/19). Nothing listens for inbound traffic; the only firewall rule you need is egress to that range on that port.
  • Proxy — Anthropic’s routing component, running on your infrastructure. It terminates inner TLS using a certificate only you hold and routes each request to the correct upstream MCP server based on hostname.

Three security layers are stacked on top of each other:

Layer                                What it blocks
Outer mTLS with IP validation        Unauthorized clients reaching the tunnel
Inner TLS terminated on your proxy   Payload inspection by Cloudflare or any intermediary
OAuth on each upstream MCP server    Unauthorized tool calls by authenticated tunnel traffic

Transport runs on Cloudflare's network, but because the private key for the inner TLS session lives only on your proxy, Cloudflare cannot read payloads. What it sees is your egress IP, byte volume, and timing; that is all.

What The Invocation Looks Like

Once the tunnel is up, calling your private MCP server is the same shape as any remote MCP server. The url field points at your tunnel subdomain:

curl https://api.anthropic.com/v1/messages \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $ANTHROPIC_API_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -H "anthropic-beta: mcp-client-2025-11-20" \
  -d '{
    "model": "claude-opus-4-7",
    "max_tokens": 1000,
    "messages": [{"role": "user", "content": "..."}],
    "mcp_servers": [{
      "type": "url",
      "url": "https://crm.your-tunnel-domain/mcp",
      "name": "crm"
    }],
    "tools": [{"type": "mcp_toolset", "mcp_server_name": "crm"}]
  }'

Deployment is either a Helm chart on Kubernetes or Docker Compose on a single VM. Tunnel auth can be Workload Identity Federation if you have an OIDC issuer, or a tunnel token plus a CA cert you register in the Claude Console.

The Catch

A few things to keep in mind before pointing production at this:

  • It is a research preview. Anthropic says “as-is” — no uptime, support, or continuity commitment.
  • Transport depends on Cloudflare, named as a subprocessor for the preview. Cloudflare makes no availability commitment for the underlying tunnel.
  • You manage the server certificate and rotate it before it expires. If both your tunnel token and the proxy's TLS private key leak, an attacker can run their own connector with your token and terminate the inner TLS as you, which is a full impersonation of your proxy. Keep the two secrets in separate stores and rotate the token whenever you rotate the certificate.
  • OAuth on each upstream MCP server is your responsibility. The tunnel handles transport, not application auth.

None of that is a dealbreaker for a pilot. All of it would matter for a contract that promises SLAs.
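The third row of the layer table and the OAuth bullet above come down to the same thing: once a request has crossed the tunnel and the proxy has terminated the inner TLS, it reaches your MCP server as an ordinary HTTP request, and that server has to decide on its own whether this caller may invoke this tool. The following is an added example of that gate, not code from Anthropic, Cloudflare or the MCP SDK. Everything in it is constructed for illustration: tokens are HS256 JWTs signed with a shared secret (a real server would verify RS256/ES256 signatures against the authorization server's JWKS), the resource URL is the page's example tunnel hostname, the metadata URL follows the RFC 9728 path-aware form, and the tool names and scopes are invented. The checks that matter are the ones that are easy to skip: the audience check (a token minted for some other resource must not be honoured here, even if its signature is good), expiry, and a per-tool scope rather than a single "is logged in" bit.

```python
"""Per-tool OAuth gate for an upstream MCP server behind the tunnel.

Added example, not Anthropic's, Cloudflare's or the MCP SDK's code.
Constructed assumptions: tokens are HS256 JWTs signed with a shared secret
(a real server verifies RS256/ES256 signatures against the authorization
server's JWKS); the token's "aud" must name this server's resource URL;
each tool requires the scope listed in TOOL_SCOPES.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Resource URL this server accepts as audience (the page's example tunnel URL).
RESOURCE = "https://crm.your-tunnel-domain/mcp"
# RFC 9728 path-aware metadata location that 401 responses point clients at.
METADATA_URL = "https://crm.your-tunnel-domain/.well-known/oauth-protected-resource/mcp"
SECRET = b"constructed-example-secret"  # constructed; never hard-code in production
TOOL_SCOPES = {                         # constructed tool -> required scope map
    "crm.search_contacts": "crm:read",
    "crm.update_contact": "crm:write",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Issue an HS256 JWT; stands in for the authorization server."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, expiry and audience all check out, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse alg=none and algorithm confusion
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
        if not isinstance(claims, dict):
            return None
    except (ValueError, AttributeError, TypeError):  # bad structure, base64, JSON or UTF-8
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if RESOURCE not in audiences:  # issued for some other resource: do not accept it here
        return None
    return claims


def authorize_tool_call(headers: dict, tool_name: str, now: Optional[float] = None) -> Tuple[int, dict]:
    """Gate one tools/call request. Returns (HTTP status, headers or body to send)."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        # Arrived through the tunnel, but carries no application credential at all.
        return 401, {"WWW-Authenticate": f'Bearer resource_metadata="{METADATA_URL}"'}
    claims = verify_token(token, now)
    if claims is None:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
    needed = TOOL_SCOPES.get(tool_name)
    if needed is None:
        return 404, {"error": f"unknown tool: {tool_name}"}
    if needed not in set(claims.get("scope", "").split()):
        return 403, {"WWW-Authenticate": f'Bearer error="insufficient_scope", scope="{needed}"'}
    return 200, {"ok": True, "sub": claims.get("sub"), "tool": tool_name}


if __name__ == "__main__":
    now = time.time()
    read_only = mint_token({"sub": "claude-agent", "aud": RESOURCE, "scope": "crm:read", "exp": now + 300})
    print(authorize_tool_call({}, "crm.search_contacts"))                                        # status 401
    print(authorize_tool_call({"authorization": "Bearer " + read_only}, "crm.search_contacts"))  # status 200
    print(authorize_tool_call({"authorization": "Bearer " + read_only}, "crm.update_contact"))   # status 403
```

The point of running it is to watch the same read-only token pass one tool and fail the next, and a correctly signed token for a different audience fail outright. The tunnel's outer mTLS already established that the request came from Anthropic's client; it says nothing about which tool that client may call, which is why this layer has to live on the MCP server and not on the proxy.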

Why This Matters For Local-First Folks

I have spent the last year arguing that for proprietary codebases, customer PII, or anything with residency requirements, the right answer is a local model. That argument still holds for the model itself.

But agents are bigger than the model. An agent that handles support tickets needs to read from your ticketing system. An agent that triages PRs needs to read from your internal GitLab. Until this week, “use Claude for the loop, keep the data private” meant either standing up a public-facing reverse proxy with allowlisting and praying, or abandoning the integration.

MCP tunnels remove the reverse-proxy step. The agent loop stays with Anthropic (and you pay them for it), the data stays on your side of the wire. For the consultancy work I do — Optimizely CMS, internal ERP, Azure DevOps — this is the integration shape that actually matches how those systems are deployed.

It is not a replacement for local models. It is a replacement for “do not let an agent near our internal systems.”
