How to spin up a secure code sandbox & microVM in seconds with Northflank
Running secure, isolated workloads at scale has never been easier. With Northflank, you can spin up microVM-backed containers in seconds, combining the performance and compatibility of containers with the strong isolation of virtual machines.
In this guide, we’ll walk you through how to:
- Create a secure, multi-tenant project on Northflank
- Deploy any container image using microVMs
- Build and deploy from Dockerfiles or OCI-compliant containers
- Launch services in seconds with strong network and runtime isolation
Northflank is a full-stack cloud platform that runs microVM-backed sandboxes using Kata Containers, Firecracker, and gVisor, with isolation applied per workload. It supports managed cloud and BYOC (Bring Your Own Cloud) deployment into your own VPC, alongside databases, GPU workloads, and background jobs in the same control plane. In production since 2021 across startups, public companies, and government deployments.
Building a secure sandboxing platform with Firecracker and Kubernetes isn’t a weekend project. It can take a team months or longer, and the complexity doesn’t go away, it becomes something you have to operate and maintain every day.
Northflank already did the hard part. You can start running secure microVMs in seconds, without any heavy lifting required.
Companies like Writer, Sentry, cto.new, and others have leveraged Northflank’s secure runtime to run multi-tenant customer deployments for untrusted code at scale.
It’s proven in production and you get to partner closely with the Northflank infrastructure engineering team.
Let’s dive in.
microVMs (like those powered by Kata Containers) offer VM-level isolation with container startup speed. They’re ideal for:
- Running untrusted code inside a secure sandbox
- Isolating multi-tenant workloads in a secure runtime
- Securing AI inference, CI jobs, or backend functions
- Minimizing kernel attack surface per container
Northflank natively supports microVM-backed workloads with seamless orchestration, startup, and monitoring.
Northflank sandboxes are powered by microVMs or gVisor. Technologies like Firecracker, Kata, gVisor, and Cloud Hypervisor (CLH), giving you flexibility in your secure compute stack wherever you need it: AWS, GCP, Azure, bare-metal.
Whether you're building or want to leverage Firecracker's minimalist VM design, gVisor's syscall interception, or CLH's performance, Northflank delivers strong isolation and orchestration out of the box.
To enable secure isolation between end-users or workloads, start by creating a dedicated project:
- Head to your Northflank dashboard
- Click “Create Project”
- Choose:
- Region for running workloads close to your users
- or Bring your own cloud to run workloads in your own VPC or customers VPC for data privacy and locality
Each project acts as a namespace, giving you strict runtime and network separation, perfect for SaaS platforms, API execution environments, or internal tooling.
Here is a code snippet example of initializing the Northflank SDK and creating a project:
import {
ApiClient,
ApiClientInMemoryContextProvider,
} from "@northflank/js-client";
const contextProvider = new ApiClientInMemoryContextProvider();
await contextProvider.addContext({
name: "context",
token: process.env.NORTHFLANK_TOKEN,
});
const apiClient = new ApiClient(contextProvider, {
throwErrorOnHttpErrorCode: true,
});
const project = await apiClient.create.project({
data: {
name: "sandbox-project",
region: "europe-west",
}
});Next, create a service backed by microVMs:
- In your project, click “Create Service”
- Select “Job or Backend Service” depending on the use case
- Choose your container image:
- Public (e.g.
ubuntu,python,ghcr.io/...) - Private (via credentials)
- Public (e.g.
- Choose CPU, memory, disk — your microVM will be provisioned accordingly
- Hit “Deploy”
Northflank provisions the microVM, pulls your image, and runs it within seconds inside a secure sandbox.
Pro tip: Enable persistent or ephemeral disk storage depending on workload needs (e.g. build caching, temporary compute jobs, etc.)
Here is an example of using the Northflank SDK to provision a secure sandbox that will boot in a few seconds:
const service = await apiClient.create.service.deployment({
parameters: {
projectId: project.data.id,
},
data: {
name: "sandbox-service",
billing: {
deploymentPlan: "nf-compute-20", // 2 vCPU, 4GB RAM
},
deployment: {
instances: 1,
external: {
imagePath: "alpine:latest",
},
},
},
});Need to build your image from source?
- Create a new Build in the same project
- Connect a Git repository or upload a Dockerfile
- Configure:
- Build context
- Dockerfile path
- Build arguments or secrets
- Northflank will use fast, ephemeral builds to produce an OCI image
- Deploy that image to any service — including microVMs — with a single click
Builds typically complete in under a minute for small to medium images
Every microVM on Northflank runs:
- In its own secure runtime with a sandboxed kernel
- With configurable CPU and memory limits
- With no shared namespaces unless explicitly enabled
- Over isolated, per-service networking
The secure sandboxing model prevents container breakout and ensures tenant isolation, even for untrusted workloads.
You can scale vertically (larger instances) or horizontally (replica count) and even autoscale based on resource usage.
Here are just a few things you can build with Northflank microVM services:
| Use case | Benefits |
|---|---|
| Untrusted code runners | VM-grade isolation, no risk of container breakout — run in a secure sandbox using Northflank secure runtime |
| Multi-tenant API hosting | Isolated execution per customer or request, protected by a Northflank’s hardened secure runtime |
| AI model inference | Combine with GPUs and secure tenant-level execution using Northflank’s gVisor or microVMs |
| Serverless backends | Fast boot times, strong tenancy and network isolation |
| Build sandboxes | Run "npm install", "cargo build", or "docker build" safely inside a hardened, using Northflank ephemeral microVMs |
Use the following resources:
- Sandboxes on Northflank: overview and concepts: architecture overview and core sandbox concepts
- Deploy sandboxes on Northflank: step-by-step deployment guide: step-by-step deployment guide
- Deploy sandboxes in your cloud: BYOC deployment guide: run sandboxes inside your own VPC
- Create a sandbox with the SDK: programmatic sandbox creation: programmatic sandbox creation via the Northflank JS client
Get started (self-serve), or book a session with an engineer if you have specific infrastructure or compliance requirements.