
15.3 Network and Security Configuration

Course: Claude Code - Enterprise Development
Section: 15 - Enterprise Deployment
Video Length: 4-5 minutes
Presenter: Daniel Treasure


Opening Hook

"Your Claude Code agents are running in the cloud, but are they talking securely? Today we lock down the network—proxies to inspect traffic, CA certificates for internal trust, mTLS to authenticate both sides of the connection, and API gateways to control who gets in."


Key Talking Points

1. HTTP Proxies & Traffic Inspection

What to say:
  • "A corporate proxy sits between Claude Code and the outside world. Every request goes through it—we can log it, filter it, scan it for threats."
  • "The proxy sees your API calls, your model queries, your token counts. Compliance teams use this to audit Claude Code usage."
  • "Setup is simple: three environment variables. But the proxy must pass traffic through without mangling TLS."

What to show on screen:
  • Network diagram: Claude Code → Proxy Server → Cloud Provider
  • Flow annotations: outbound connections go through proxy, logs collected
  • Example proxy configuration (Squid, corporate proxy appliance)

2. Custom CA Certificates & Internal Trust

What to say:
  • "Your organization has its own certificate authority—for internal services, internal APIs, internal databases."
  • "Claude Code needs to trust those certs. It won't complete an HTTPS call to an internal service if the cert isn't in its trust store."
  • "We add your org's CA cert to Claude Code's environment. From then on, it trusts anything signed by your CA."

What to show on screen:
  • System file: /etc/ssl/certs/ca-bundle.crt (Linux) or Keychain (macOS)
  • Add your org's internal CA cert
  • Show before/after: SSL error → SSL trusted

3. Mutual TLS (mTLS) for Service-to-Service Auth

What to say:
  • "mTLS means both sides prove their identity. Claude Code presents a client certificate, the backend verifies it."
  • "It's stronger than API keys. Keys can leak; certificates are hardware-backed, rotated regularly, audited."
  • "Use mTLS when Claude Code calls critical internal services—databases, secret managers, payment systems."

What to show on screen:
  • Certificate flow diagram: Claude Code client cert ← generated from org PKI ← certificate authority
  • Server cert ← from same CA
  • Handshake: both sides present certs, both sides verify
  • Success: encrypted tunnel established

4. API Gateways & Controlled Entry Points

What to say:
  • "Instead of Claude Code talking directly to 50 different microservices, it talks to one gateway."
  • "The gateway enforces authentication, rate limits, audit logging, request validation."
  • "If someone compromises a Claude Code session, the blast radius is limited—the gateway is the only thing it can call."

What to show on screen:
  • Architecture diagram: Claude Code → API Gateway → {Service A, Service B, Service C}
  • Gateway responsibilities listed: auth, rate limit, logging, request validation
  • Firewall rule: Claude Code can only reach gateway IP, not internal services directly

5. Integration with Zero Trust & Corporate Network Policies

What to say:
  • "Zero Trust means never trust by default, always verify. Claude Code is treated like any other application."
  • "Your network policy says: 'Claude Code can call these 3 services, only from these 2 IP ranges, only with mTLS.'"
  • "If Claude Code tries to call Slack, or GitHub, or anything outside the approved list, the network blocks it."

What to show on screen:
  • Firewall rules table: source IP (Claude Code), destination IP (service), protocol, certificate requirement
  • Example: "10.0.1.0/24 → 10.0.5.42 → TLS 1.3 + mTLS required"
  • Denial log: "Connection blocked: unexpected destination 8.8.8.8"


Demo Plan

Setup (30 seconds)

  1. Open terminal
  2. Show current network config: env | grep -i proxy
  3. Show installed certificates: ls ~/.claude-code/certs/ or equivalent
  4. Say: "Here's our current network baseline. We're about to lock it down."

Step 1: Configure HTTP Proxy (60 seconds)

  1. Create/show .env or config file:
       export HTTP_PROXY=http://corporate-proxy.internal:3128
       export HTTPS_PROXY=http://corporate-proxy.internal:3128
       export NO_PROXY=localhost,127.0.0.1,10.0.0.0/8
  2. Explain NO_PROXY: "These destinations bypass the proxy—localhost, internal IPs."
  3. Run a test call: curl -v https://api.anthropic.com (through proxy)
  4. Show proxy logs (if available): request logged with timestamp, user, bytes transferred
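The NO_PROXY rules in step 1 decide which destinations skip the proxy, and getting them wrong is the usual cause of the "silent failure" mentioned in the gotchas: an internal hostname that is not listed gets sent to the corporate proxy, which may not be able to reach it. The following evaluator is an added example, not part of the original script or of Claude Code; it models the common client semantics (hostname suffix match on a dot boundary, IP literals, CIDR ranges, an optional `:port` that is ignored) and reports which proxy, if any, a request would use. Support for CIDR entries varies between HTTP clients, so always confirm against the client you actually deploy. `DEMO_ENV` is a constructed environment mirroring the demo's three variables.

```python
"""NO_PROXY evaluator: which destinations bypass the corporate proxy? (added example)"""
import ipaddress
from urllib.parse import urlsplit


def parse_no_proxy(value):
    """Split a NO_PROXY string into typed entries: CIDR networks, IP literals,
    or hostname suffixes (a leading dot is accepted, an optional :port is dropped)."""
    entries = []
    for raw in value.split(","):
        item = raw.strip().lower()
        if not item:
            continue
        if item == "*":
            entries.append(("any", None))
            continue
        if item.count(":") == 1:          # host:port form (IPv4 or hostname only)
            item = item.split(":", 1)[0]
        try:
            if "/" in item:
                entries.append(("net", ipaddress.ip_network(item, strict=False)))
            else:
                entries.append(("ip", ipaddress.ip_address(item)))
            continue
        except ValueError:
            pass                          # not an address: treat as a domain suffix
        entries.append(("domain", item.lstrip(".")))
    return entries


def bypasses_proxy(host, no_proxy):
    """True when the host matches an entry in NO_PROXY and the proxy is skipped."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    for kind, value in parse_no_proxy(no_proxy):
        if kind == "any":
            return True
        if kind == "net" and addr is not None and addr in value:
            return True
        if kind == "ip" and addr is not None and addr == value:
            return True
        # Suffix match must land on a label boundary: ".company.com" matches
        # "api.company.com" but not "evilcompany.com".
        if kind == "domain" and addr is None and (host == value or host.endswith("." + value)):
            return True
    return False


def proxy_for(url, env):
    """Return the proxy URL a client honoring these variables would use for url,
    or None when the connection goes direct."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if bypasses_proxy(host, env.get("NO_PROXY", "")):
        return None
    key = "HTTPS_PROXY" if parts.scheme == "https" else "HTTP_PROXY"
    return env.get(key)


# Constructed environment mirroring the demo's three variables.
DEMO_ENV = {
    "HTTP_PROXY": "http://corporate-proxy.internal:3128",
    "HTTPS_PROXY": "http://corporate-proxy.internal:3128",
    "NO_PROXY": "localhost,127.0.0.1,10.0.0.0/8",
}

if __name__ == "__main__":
    for url in ("https://api.anthropic.com/v1/messages",
                "https://10.0.5.10/v1/database/query",
                "http://localhost:8080/health",
                "https://internal-api.company.com/health"):
        print(f"{url:48} -> {proxy_for(url, DEMO_ENV) or 'direct'}")
```

Run it before the demo: the last line of output shows that `internal-api.company.com` is sent to the proxy because only IP ranges are listed; adding `.company.com` to NO_PROXY fixes that, which is exactly the kind of mismatch the proxy logs in step 4 would otherwise surface as an unexplained failure.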

Step 2: Install Custom CA Certificate (60 seconds)

  1. Show organization's CA cert file: cat org-ca.pem | head -20
  2. Install it for Claude Code's Node runtime (read at startup):
       export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/org-ca.pem
  3. Try accessing an internal service that was previously failing:
       curl https://internal-api.company.com/health
  4. Before: SSL error (untrusted cert). After: 200 OK
  5. Explain: "Claude Code now trusts our internal services."

Step 3: mTLS Setup (60 seconds)

  1. Show client certificate and key:
       ls -la /etc/claude-code/certs/client*
  2. Set environment variables:
       export CLAUDE_CODE_CLIENT_CERT=/etc/claude-code/certs/client-cert.pem
       export CLAUDE_CODE_CLIENT_KEY=/etc/claude-code/certs/client-key.pem
  3. Show configuration in managed-mcp.json (service endpoint + cert requirement):
       {
         "mcpServers": {
           "internal-database": {
             "url": "grpc://internal-db.company.com:5432",
             "tlsConfig": {
               "clientCert": "${CLAUDE_CODE_CLIENT_CERT}",
               "clientKey": "${CLAUDE_CODE_CLIENT_KEY}",
               "mtlsRequired": true
             }
           }
         }
       }
  4. Test a call to the internal service (will fail without cert, succeed with it)

Step 4: API Gateway Integration (60 seconds)

  1. Show architecture diagram with gateway
  2. Show firewall rule: "Claude Code can reach 10.0.5.10 (gateway) only"
  3. Make a request through gateway:
       curl -H "Authorization: Bearer ${CLAUDE_CODE_TOKEN}" \
         https://api-gateway.internal/v1/database/query
  4. Show gateway logs: request logged with user, timestamp, service called, result
  5. Try to bypass (call service directly): blocked by firewall

Step 5: Network Policy Verification (30 seconds)

  1. Show network policy file (in managed config or firewall rules)
  2. Highlight allowed destinations
  3. Run network audit: claude audit-network or similar
  4. Show report: approved routes, blocked attempts, policy violations
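The audit report in step 4 is just a classification of observed connections against the allow-list from the Zero Trust section: a destination/port either has a rule or it does not, and a rule that requires mTLS is only satisfied when a client certificate was actually presented. The script below is an added example, not part of the original course material or of any `claude audit-network` command; `POLICY` and `ATTEMPTS` are constructed values in the shape of the firewall rules table (the 10.0.5.42 destination and the 8.8.8.8 denial echo the slide), and the policy is default-deny, so anything without an explicit rule is reported as blocked.

```python
"""Egress policy check: classify connection attempts against a zero-trust allow-list (added example)."""
import ipaddress

# Constructed policy: source range, destination, port, and whether a client
# certificate (mTLS) is required. Anything not listed here is denied.
POLICY = [
    {"src": "10.0.1.0/24", "dst": "10.0.5.42/32", "port": 443,  "mtls": True},   # internal service, mTLS required
    {"src": "10.0.1.0/24", "dst": "10.0.5.10/32", "port": 443,  "mtls": False},  # API gateway
    {"src": "10.0.1.0/24", "dst": "10.0.1.1/32",  "port": 3128, "mtls": False},  # corporate proxy
]

# Constructed connection log, the kind a host firewall or flow collector would emit.
ATTEMPTS = [
    {"src": "10.0.1.7", "dst": "10.0.5.42", "port": 443, "client_cert": True},
    {"src": "10.0.1.7", "dst": "10.0.5.10", "port": 443, "client_cert": False},
    {"src": "10.0.1.7", "dst": "8.8.8.8",   "port": 53,  "client_cert": False},   # unexpected destination
    {"src": "10.0.1.7", "dst": "10.0.5.42", "port": 443, "client_cert": False},   # allowed host, no client cert
    {"src": "10.0.9.3", "dst": "10.0.5.10", "port": 443, "client_cert": False},   # source outside approved range
]


def matching_rule(attempt, policy):
    """Return the first rule whose source range, destination and port cover the attempt."""
    src = ipaddress.ip_address(attempt["src"])
    dst = ipaddress.ip_address(attempt["dst"])
    for rule in policy:
        if (src in ipaddress.ip_network(rule["src"])
                and dst in ipaddress.ip_network(rule["dst"])
                and attempt["port"] == rule["port"]):
            return rule
    return None


def classify(attempt, policy):
    """approved:  a rule covers the attempt and its mTLS requirement is satisfied
    violation: destination and port are allowed but the required client cert is missing
    blocked:   no rule covers the attempt (default deny)"""
    rule = matching_rule(attempt, policy)
    if rule is None:
        return "blocked"
    if rule["mtls"] and not attempt["client_cert"]:
        return "violation"
    return "approved"


def audit(attempts, policy):
    """Group attempts into the three buckets shown in the demo report."""
    report = {"approved": [], "violation": [], "blocked": []}
    for attempt in attempts:
        report[classify(attempt, policy)].append(attempt)
    return report


def format_report(report):
    """Render the report as one line per attempt, most serious findings first."""
    lines = []
    for verdict in ("violation", "blocked", "approved"):
        for a in report[verdict]:
            cert = "client cert" if a["client_cert"] else "no client cert"
            lines.append(f"{verdict.upper():9} {a['src']} -> {a['dst']}:{a['port']} ({cert})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(ATTEMPTS, POLICY)))
```

The violation bucket is the one worth alerting on: a connection to an approved destination that skipped mTLS means either the client configuration regressed or something other than the intended agent is using the route.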

Wrap-up (30 seconds)

  • Recap: "Proxy for logging, CA certs for trust, mTLS for strong auth, gateways for control."
  • Preview: "Next video—identity and access management. Who's allowed to do what, and how we prove it."

Code Examples & Commands

Environment variables for proxy

export HTTP_PROXY=http://corporate-proxy.internal:3128
export HTTPS_PROXY=http://corporate-proxy.internal:3128
export NO_PROXY=localhost,127.0.0.1,10.0.0.0/8,192.168.0.0/16

# For SOCKS5 proxy (if your org uses it)
export HTTP_PROXY=socks5://socks-proxy.internal:1080
export HTTPS_PROXY=socks5://socks-proxy.internal:1080

Custom CA certificate installation

# Linux, Debian/Ubuntu (system-wide): update-ca-certificates only picks up .crt files
# placed under /usr/local/share/ca-certificates/, not files dropped into /etc/ssl/certs/
sudo cp org-ca.pem /usr/local/share/ca-certificates/org-ca.crt
sudo update-ca-certificates

# Linux, RHEL/Fedora (system-wide)
sudo cp org-ca.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

# macOS (system-wide)
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain org-ca.pem

# Node.js / Claude Code (app-specific): appended to Node's bundled roots, no system change needed
export NODE_EXTRA_CA_CERTS=/path/to/org-ca.pem

# Verify installation (look for "SSL certificate verify ok" in the verbose output)
curl -v https://internal-service.company.com

mTLS configuration in managed-mcp.json

{
  "mcpServers": {
    "internal-database": {
      "command": "node",
      "args": ["database-server.js"],
      "env": {
        "TLS_CERT": "/etc/claude-code/certs/client-cert.pem",
        "TLS_KEY": "/etc/claude-code/certs/client-key.pem",
        "TLS_CA": "/etc/ssl/certs/org-ca.pem",
        "MTLS_REQUIRED": "true"
      }
    }
  }
}

mTLS certificate generation (for org admins)

# Generate private key (readable only by the account that runs Claude Code)
openssl genrsa -out client-key.pem 2048
chmod 600 client-key.pem

# Generate CSR (certificate signing request)
openssl req -new -key client-key.pem -out client.csr \
  -subj "/CN=claude-code-agent-prod/O=MyCompany/C=US"

# Sign with org CA (org admin does this). -extensions names a section inside the
# extfile, so the file must carry that section header; extendedKeyUsage=clientAuth
# marks this as a client certificate. The <(...) process substitution needs bash, not sh.
openssl x509 -req -in client.csr \
  -CA org-ca.pem -CAkey org-ca-key.pem \
  -CAcreateserial -out client-cert.pem -days 365 \
  -extensions v3_usr \
  -extfile <(printf "[v3_usr]\nextendedKeyUsage=clientAuth\nsubjectAltName=DNS:*.company.com\n")

# Verify cert: chains to the org CA and is usable as a TLS client certificate
openssl verify -CAfile org-ca.pem -purpose sslclient client-cert.pem

API gateway configuration example

# Firewall rule: Claude Code can only reach API gateway
# (-m owner matches on the local uid that opened the socket, so these rules apply to the
# account running Claude Code. If that account must also reach the corporate proxy or a
# DNS resolver, insert ACCEPT rules for those destinations before the final DROP.)
iptables -A OUTPUT -p tcp -m owner --uid-owner claude-code \
  -d 10.0.5.10 --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m owner --uid-owner claude-code -j DROP

# Or in cloud provider (AWS security group)
# egress: allow to 10.0.5.10:443 only

Network audit & verification

# Check proxy is being used
curl -v http://httpbin.org/ip 2>&1 | grep -i "via"

# Check CA certificates are trusted
openssl s_client -connect internal-api.company.com:443 \
  -CAfile /path/to/ca-bundle.crt

# Verify mTLS handshake
openssl s_client -connect internal-service:5432 \
  -cert client-cert.pem -key client-key.pem \
  -CAfile org-ca.pem

# Check network policies
iptables -L OUTPUT -v  # Linux firewall rules

Gotchas & Tips

Gotcha: "Proxy doesn't support all protocols"
  • HTTP proxies work for HTTP/HTTPS. For gRPC, WebSocket, or binary protocols, you need SOCKS or a different gateway.
  • Check if your proxy supports the protocol you're using.

Tip: "Test proxy before rolling to prod"
  • Spin up a test Claude Code session, make sure it can call the cloud provider through the proxy.
  • Proxy misconfigurations can silently fail and be hard to debug.

Gotcha: "Cert installation is OS-specific"
  • Linux, macOS, Windows, Docker all have different cert paths.
  • For Docker, install certs in the image during build. For Kubernetes, use secret mounts.

Tip: "Rotate mTLS certificates quarterly"
  • Set a calendar reminder. Expired certs will block all traffic to critical services.
  • Automate rotation if possible—use cert-manager in Kubernetes, or cloud provider certificate management.

Gotcha: "mTLS doubles handshake latency"
  • Normal TLS: 1 handshake (server cert). mTLS: 2 handshakes (client + server certs).
  • Not a blocker, but be aware for latency-sensitive services.

Tip: "Use API gateway for audit trail"
  • Instead of logging at the network layer, log at the gateway layer.
  • You get application-level context: who called what, with what parameters.

Gotcha: "Firewall rules can be overly strict"
  • A rule like "block everything except port 443" might block internal DNS, time sync, or other critical services.
  • Test with a loose rule first, then tighten.


Lead-out

"Your network is now locked down: proxies inspect traffic, certificates establish trust, mTLS proves identity, and gateways control access. Next video—identity and access management. We're solving the last piece: who's allowed to do what."


Reference URLs

  • HTTP Proxy Configuration: https://docs.anthropic.com/claude-code/proxy-config
  • mTLS Setup Guide: https://docs.anthropic.com/claude-code/mtls-setup
  • Certificate Management: https://docs.anthropic.com/claude-code/certificate-management
  • API Gateway Integration: https://docs.anthropic.com/claude-code/api-gateway-setup
  • Zero Trust Architecture: https://docs.anthropic.com/claude-code/zero-trust

Prep Reading

  • Your org: proxy policies, CA certificate chain, internal service endpoints
  • OWASP: mTLS best practices
  • Cloud provider: API gateway offerings (AWS API Gateway, GCP Apigee, Azure API Management)
  • Network team: firewall rules, security policies, monitoring infrastructure

Notes for Daniel

  • Network configuration is often where deployments break. Take your time, be clear.
  • Use real examples from your org if possible. "Our proxy is at 10.0.1.1:3128" is more credible than generic IPs.
  • When you get to mTLS, pause and explain the client cert flow. A lot of engineers haven't seen it before.
  • The API gateway section can feel abstract. Show the actual gateway in your org (Apigee, Kong, whatever), not just a diagram.
  • For the firewall rules section, be specific: show the exact iptables rule or cloud security group rule.
  • The demo should include at least one "before" (network error) and one "after" (works). That drives home why this matters.
  • Don't over-tech this. Proxies, certs, mTLS are standard enterprise stuff. Confidence is key.