Notebook egress governance
Control which external hosts sandboxed Python notebooks can reach — PyPI, custom domains, or a fully air-gapped policy. Configured per deployment in Settings → Governance → Egress.
Marimo notebooks run Python code inside a sandboxed environment. By default that sandbox has no internet access — network calls to external hosts (including package registries like PyPI) are blocked. The Egress panel in Governance lets an IT admin open up exactly the destinations that are appropriate for the organisation's risk posture.
This setting is deployment-scoped, not per-organisation. All notebooks in a Scrydon cluster share the same egress policy. Per-organisation egress control is planned for a future release.
How egress is enforced (cluster requirement)
The sandbox is locked down by your cluster's NetworkPolicy: the notebook pod may reach the egress proxy and nothing else, so every outbound request must pass through the proxy and its allowlist.
This guarantee depends on your Kubernetes cluster running a CNI that enforces NetworkPolicy — Calico, Cilium, or Azure NPM on AKS.
Without a policy-enforcing CNI, Kubernetes accepts the NetworkPolicy object but nothing applies it. The proxy still governs traffic from tools that honour standard proxy settings (pip and most Python libraries do), but notebook code that deliberately ignores those settings could reach the internet directly. In that configuration, treat egress governance as advisory, not a hard security boundary.
Confirm NetworkPolicy is enforced before relying on egress governance as a security control. On AKS you can enable it with:
az aks update --resource-group <rg> --name <cluster> --network-policy azureor provision the cluster with Calico or Cilium.
Opening the panel
- Sign in as an organisation owner or organisation admin.
- Go to Settings → Governance → Egress.
The panel shows two controls:
- Allow Scrydon default traffic — a toggle that enables the platform's curated allowlist.
- Custom allowed domains — a list you maintain for organisation-specific destinations.
The Scrydon default allowlist
When Allow Scrydon default traffic is turned on, the sandbox gains access to the package registry hosts that pip needs to install packages from PyPI:
| Host | Purpose |
|---|---|
pypi.org | Package index — pip fetches metadata and version lists here |
files.pythonhosted.org | Wheel and source distribution downloads |
These two hosts are the complete v1 curated set. Additional registries (conda, HuggingFace Hub, …) are not included yet — use a custom domain entry if you need them.
Scrydon maintains this list. When new trusted public registries are added, they will appear in a platform release note. Enabling this toggle always uses the current version of the list.
Adding custom allowed domains
Click Add domain to append a domain to your custom allowlist. Enter either:
- An exact hostname —
cdn.example.comallows only that subdomain. - A parent domain —
example.comallowsexample.comand any subdomain under it (e.g.api.example.com,cdn.example.com).
Domain matching is case-insensitive. IP addresses are not accepted as allowlist entries.
After editing the list, click Save for the new policy to take effect. Changes apply to the next notebook run — any running notebook continues with the policy that was in effect when the run started.
Example: allow a private package index
If your organisation hosts a private PyPI mirror at pypi.internal.example.com:
- Add
internal.example.com(parent domain) — this also covers any other internal hosts under that domain. - Or add the exact hostname
pypi.internal.example.comif you prefer a tighter scope. - Click Save.
Notebooks will now be able to pip install from your private index in addition to (or instead of) the public PyPI hosts.
Default behaviour (deny-all)
With the toggle off and no custom domains added, the sandbox has no external network access. This is the default for new deployments.
In this mode:
pip install <package>fails with a network error — the proxy blocks the connection to PyPI.requests.get("https://api.example.com")raises a connection error.- Any attempt to reach an external host is blocked and recorded.
This is the safest posture for environments where all required packages are pre-baked into the notebook image or uploaded manually.
Pre-installed packages
The notebook runtime ships with a base set of packages already installed — no egress required to use them:
- Data / numerical:
pandas,numpy,scipy,duckdb - Visualisation:
matplotlib,altair - Notebook runtime:
marimo,pyarrow,polars - Scrydon helpers:
scrydon(the built-in table / KB / LLM client)
If a package you need is not in this list, it must be fetched at runtime (requires egress to a package registry) or uploaded manually (a coming capability). For example, a notebook that imports plotly needs pypi.org and files.pythonhosted.org reachable (enable Allow Scrydon default traffic) or the cell fails to install it.
Package upload (coming soon): A future release will let you upload Python wheel files directly to the platform, making them available to notebooks without any egress. This is useful for completely air-gapped deployments or for packages not available on public registries.
Permissions
| Role | Can view | Can change |
|---|---|---|
| Organisation owner | Yes | Yes |
| Organisation admin | Yes | Yes |
| Member | No (redirected to account settings) | No |
Troubleshooting
See the dedicated troubleshooting section in the Marimo notebooks page for step-by-step remedies when a notebook can't install a package or reach a host.
Related
- Marimo notebooks — how notebooks run, what they can access, and package troubleshooting.
- Data Loss Prevention — DLP controls that apply inside workflows.
- Governance usage & cost — monitor AI capability spend from the same Governance section.