Project-level Network Access Control for Remote Flows
### Release notes
You can now configure [project-level network access controls](https://docs.gitlab.com/user/duo_agent_platform/environment_sandbox/) for GitLab Duo Agent Platform remote flows, enabling secure external integrations while maintaining control over network destinations. This gives project maintainers the flexibility to allow necessary API connections, MCP servers, and third-party services while enforcing security boundaries.
Configuration is managed via the `network_policy` section in `.gitlab/duo/agent-config.yml`, protected by branch protection rules and MR approval workflows.
### Secondary Information for Context
**Use case resolved:**
* As a project maintainer, I want to configure which external services my remote flows can access so that I can enable necessary integrations (APIs, MCP servers, webhooks) while meeting security and compliance requirements
* As a project maintainer, I want safe defaults for network access so that new projects are protected without manual configuration
**Scope:** This MVC applies to remote flows only (flows executed in GitLab's runner infrastructure). Instance/TLG-level controls are targeted for 18.11.
Linking issue: [#590021](https://gitlab.com/gitlab-org/gitlab/-/work_items/590021)
Parent epic: [&20467 - Configurable Network Access for Agents and Flows](https://gitlab.com/groups/gitlab-org/-/work_items/20467)