Inbound web traffic to sandbox hosts

If you start a web service on a sandbox host, it is not publicly available. The learner can send web requests through our inbound proxy:

Forwarding web traffic from the learner to a sandbox host

Every sandbox hosts has a unique subdomain URL on the proxy. This is the format of the URL:


There are three components in the subdomain:

  • Hostname: The name of the sandbox host in config.yml. (A sandbox host is a VM or a container.)

  • Port: The port to forward the traffic to. If you're forwarding traffic to a container, make sure to expose the port in config.yml.

  • Participant ID: An identifier that uniquely identifies a sandbox environment. You can access the participant ID on any sandbox host through the environment variable INSTRUQT_PARTICIPANT_ID

The inbound proxy authenticates incoming requests and terminates HTTPS:

  • Only requests from the learner who plays the track are forwarded.

  • Incoming requests are forwarded as plain HTTP(S)/1 to your sandbox hosts.

  • Your services can use TLS with (self-signed) certificates. Our proxy will accept any certificate, as long as it's not expired.

If your service uses HTTPS with a (self-signed) TLS certificate, you have to use a port that ends with 443 (e.g. 8443). That will tell our proxy to use HTTPS instead of HTTP for communication with your service.

To embed a web service that runs on a sandbox host, use a service tab, not a website tab. Use a website tab to embed external websites.

Outbound traffic from sandbox hosts

Sandbox hosts can connect to the public internet.

Hosts to host communication

Instruqt provides internal DNS to hosts. If you add a host with the name host1 , and another host with the name host2, they can reach one another using their local name. Both container to container, container to VM (and vice versa) work:

[email protected]:~# ping host02 -c 1
PING host02.cn7p5alqphbi.svc.cluster.local ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=63 time=1.34 ms