Stacklok and Anthropic MCP Tunnels: securely connect Claude to everything behind your firewall

You’re invested in Claude, including Claude Code, Claude Cowork, and Claude Design. To make it as valuable as possible, you need to connect it to your internal systems and data. Traditionally, that required you to punch holes in your firewall. Now Anthropic has launched MCP Tunnels. Stacklok had early access to the technology and is the critical piece that enterprises need to use it in production.

Here’s what you’ll learn in this post:

  • Why connecting AI models like Claude to internal enterprise tooling has been blocked by a fundamental security constraint
  • How Anthropic MCP Tunnels solve this by inverting the connection direction
  • Why Stacklok is the essential client-side piece that makes the tunnel production-ready for enterprises
  • How Stacklok has already deployed this architecture at large, complex organizations

The problem: your data is inside, the model is outside

Every enterprise using Claude faces the same structural challenge. The AI model lives at Anthropic, but your most valuable data and tooling (internal APIs, databases, Jira, Datadog, Slack, GitHub, etc.) live inside your network. To let Claude access those tools via Model Context Protocol (MCP), you’d traditionally need to expose internal systems to the internet. Security teams won’t allow it, and in regulated industries it’s a non-starter.

As a result, teams end up running AI tools in a stripped-down, isolated context, cut off from the systems that would make them genuinely useful.

Anthropic MCP Tunnels: inverting the connection

Anthropic MCP Tunnels solve this by flipping the connection direction. Instead of Anthropic reaching into your network, your infrastructure reaches outward to Anthropic. 

Here’s how it works:

  1. You deploy the tunnel endpoint inside your own network via Docker Compose or a Helm chart pointed at Stacklok and your MCP servers.
  2. On Anthropic’s side, an internal service called Toolbox acts as the MCP client. Toolbox powers MCP calls across the entire Anthropic ecosystem: Claude Code, Claude Enterprise, and agentic products.
  3. The connection is secured end-to-end with mutual TLS (mTLS), with Anthropic adding its own encryption layer independent of the transport.
  4. Your team manages its own keys. Even in a worst-case scenario at the transport layer, no customer data is exposed and no cross-customer data commingling is possible.
  5. OAuth sits on top for standard MCP-level authentication.

Figure: A diagram of the Anthropic MCP Tunnel architecture

The security architecture was designed specifically for highly regulated industries: financial services, healthcare, and others where the default answer to “can we open an inbound port?” is always no.

Why Stacklok is the essential client-side piece

The tunnel handles the secure connection between Anthropic and your network. What it doesn’t handle is everything that comes next: managing which MCP servers are available, controlling who can access which tools, enforcing policy, and providing the observability your operations team needs.

Stacklok sits on the customer side of the tunnel as the management and orchestration layer for your MCP servers. Specifically, Stacklok provides:

Virtual MCP Server (vMCP). Stacklok’s vMCP feature aggregates multiple MCP servers into a single endpoint, with access segmented by group. You can expose one set of tools to your engineering team, a different set to marketing, and a third to everyone, all governed by the same identity policies you already use.

“Install once, use everywhere.” Before the tunnel, MCP servers had to be configured separately for Claude Code, Claude.ai, Claude Desktop … every client was its own silo. With Stacklok connected via the Anthropic tunnel, every Anthropic product surface automatically gets access to your MCP servers. 

A path from experiment to production. Teams frequently build MCP servers for personal use but have no clear path to promote them into a production Kubernetes environment with monitoring, health checks, and SLA expectations. Stacklok provides that deployment model.

Agentic workloads. As Claude increasingly runs in asynchronous, cloud-based modes, you shift from “a developer connecting to MCP servers” to “an AI actor in the cloud connecting to MCP servers.” Stacklok handles this cleanly, whereas a per-laptop local setup cannot.

We’ve already done this — at scale

Stacklok worked closely with Anthropic during the development of MCP Tunnels, giving us a head start in deploying this architecture at enterprises with complex, real-world requirements. We’ve seen firsthand what resonates with enterprise security and platform teams, and what friction points need to be designed around.

We’ve also deployed this in our own environment. Stacklok runs three vMCP endpoints live behind Anthropic MCP Tunnels today:

  • A shared connector available to everyone, covering Google Drive, Slack, and Read AI
  • An engineering connector covering Discord, GitHub, and our internal engineering metrics platform
  • A marketing connector covering HubSpot

Each is gated by Okta group membership. Every member of the Stacklok team gets access to the tools relevant to their role, through any Anthropic surface, with no per-device configuration and no credential sprawl.
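
The group gating described above can be modeled as a deny-by-default check applied both when tools are listed and when a tool is called. This is an added example, not Stacklok or Anthropic code: the endpoint table mirrors the three connectors listed in the post, while the group names, the `<backend>.<operation>` tool naming and all function names are assumptions.

```python
"""Conceptual model of group-gated MCP endpoints (added example, not Stacklok code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    required_group: str   # hypothetical identity-provider group name
    backends: frozenset   # MCP servers aggregated behind this endpoint


# Constructed sample mirroring the three connectors listed in the post.
ENDPOINTS = {
    "shared": Endpoint("everyone", frozenset({"google-drive", "slack", "read-ai"})),
    "engineering": Endpoint("engineering", frozenset({"discord", "github", "eng-metrics"})),
    "marketing": Endpoint("marketing", frozenset({"hubspot"})),
}


def list_backends(endpoint_name, user_groups):
    """Backends a caller may see on one endpoint; empty when the gate fails."""
    ep = ENDPOINTS.get(endpoint_name)
    if ep is None or ep.required_group not in user_groups:
        return []
    return sorted(ep.backends)


def authorize_call(endpoint_name, user_groups, tool):
    """Decide one tool call; returns (allowed, reason) so each decision can be logged.

    `tool` is '<backend>.<operation>' (assumed naming). Hiding a tool from the
    listing is not enough, so the same gate is enforced again at call time.
    """
    ep = ENDPOINTS.get(endpoint_name)
    if ep is None:
        return False, "unknown endpoint"
    if ep.required_group not in user_groups:
        return False, f"caller lacks group {ep.required_group!r}"
    backend, sep, operation = tool.partition(".")
    if not sep or not operation:
        return False, "malformed tool name"
    if backend not in ep.backends:
        return False, f"backend {backend!r} is not behind endpoint {endpoint_name!r}"
    return True, "ok"


def reachable_backends(user_groups):
    """Union of backends across every endpoint the caller's groups open."""
    found = set()
    for name in ENDPOINTS:
        found.update(list_backends(name, user_groups))
    return sorted(found)
```
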

This isn’t a proof of concept. It’s how our team works.

What this unlocks for enterprise AI adoption

The Anthropic tunnel plus Stacklok represents a shift in how enterprises can think about AI deployment. The blockers that made MCP impractical in regulated environments (e.g. inbound network exposure, per-developer credential chaos, no path to production) are addressable now. Work with Stacklok and you get:

  • Claude with full access to your internal tooling, without exposing your network
  • Centralized policy, auth, and access control through your existing identity infrastructure
  • A consistent experience across every Anthropic surface, for every team member
  • A deployment model that scales from a single team’s experiment to an org-wide production rollout

Want to see what Stacklok can do for your organization? Book a demo and we’ll walk you through how the tunnel architecture works in practice.

May 19, 2026

How-To

Scott Buchanan

CMO

Scott Buchanan is the Chief Marketing Officer at Stacklok, where he leads the go-to-market effort to bring the company's enterprise MCP platform to market. Scott leads Stacklok's first-party research efforts, quantifying enterprise progress towards being MCP-native and capturing core use cases.
