Air-Gapped Claude Code in Regulated Industries with Bifrost
Claude Code routes its requests to public API endpoints by default, which is a problem for teams in healthcare, financial services, and government that are prohibited from sending source code or prompts outside their own network. Bifrost, the open-source AI gateway built in Go by Maxim AI, sits between Claude Code and any model provider, and it can be deployed entirely inside an air-gapped network with no phone-home, no telemetry, and zero data egress. This guide covers how to run an air-gapped Claude Code setup on Bifrost, from offline deployment to governance controls, for organizations operating under strict compliance requirements.
Why regulated industries cannot point Claude Code at public endpoints
Regulated organizations face a hard constraint: prompts, completions, and the source code Claude Code reads cannot leave a controlled network perimeter. When Claude Code calls Anthropic's API directly, every file it reads and every instruction it sends transits a third-party network, which most compliance teams block before adoption can begin.
The regulatory pressure behind this is well documented. According to Deloitte's 2025 State of AI in the Enterprise report, 73% of enterprises now cite data privacy and security as their top AI risk concern, and 77% factor a vendor's country of origin into AI purchasing decisions. Penalties under the EU AI Act can reach 7% of global turnover, higher than the ceiling under GDPR. For deeper background on the underlying rules, IBM maintains a useful overview of data residency requirements.
An air-gapped AI gateway addresses this by keeping the entire request path inside infrastructure the organization controls. Claude Code sends requests to a local gateway, the gateway forwards them to approved models, and nothing crosses the boundary without explicit configuration.
What an air-gapped Claude Code setup requires
An air-gapped Claude Code setup is a deployment where Claude Code routes all traffic through a self-hosted gateway running inside a network with no internet access, so that no prompt, completion, or credential ever leaves the perimeter. Meeting that bar requires a specific set of properties from the gateway layer.
A compliant setup needs:
- Offline deployment: the gateway must install and run with no external package fetches or update calls.
- Zero data egress: prompts, completions, and code stay inside the network at all times.
- No telemetry: the gateway must not emit usage data or phone home for any reason.
- Local credential storage: provider keys and secrets remain in infrastructure the organization controls.
- Access control and audit: per-user permissions and immutable logs for compliance evidence.
- High availability: clustering so the gateway is not a single point of failure.
Bifrost was built to satisfy each of these requirements, which is what makes it suitable as the routing layer for Claude Code in restricted environments.
How Bifrost runs Claude Code entirely offline
Bifrost supports four deployment models, and the air-gapped model is designed for environments with no internet connectivity. The enterprise deployment workflow is straightforward: export the Bifrost Docker image on a connected machine using docker save, transfer the resulting tarball to the air-gapped environment on portable media, and load it into the internal registry. From there the gateway operates fully offline, with no phone-home and no telemetry leakage.
```bash
# On a connected machine
docker save maximhq/bifrost:latest -o bifrost.tar
# Transfer bifrost.tar to the air-gapped environment, then:
docker load -i bifrost.tar
docker run -p 8080:8080 maximhq/bifrost
```
For production, Bifrost ships as a single Go binary with a minimal footprint, requiring 2 vCPU and 4GB RAM for a single node. Teams that need in-VPC deployment rather than a fully disconnected setup can run Bifrost inside AWS, GCP, or Azure with complete network isolation and no external dependencies, keeping all LLM traffic within the private cloud. A single Terraform module targets EKS, ECS, GKE, Cloud Run, AKS, and generic Kubernetes, so the same gateway deploys consistently across infrastructure.
For high availability, clustering uses a peer-to-peer architecture with a three-node minimum and zero-downtime rolling updates, so no single instance becomes a point of failure for the Claude Code workflow.
Setting up Claude Code to route through Bifrost
Once the gateway is running inside the perimeter, Claude Code connects to it through the Bifrost integration by changing two environment values in settings.json. The recommended method uses ANTHROPIC_AUTH_TOKEN set to a Bifrost virtual key, which means no Anthropic account login and no Anthropic credentials are required, since the gateway handles routing and authentication.
Point the base URL at the local gateway and supply the virtual key:
```json
{
  "env": {
    "ANTHROPIC_BASE_URL": "http://bifrost.internal:8080/anthropic",
    "ANTHROPIC_AUTH_TOKEN": "your-virtual-key",
    "ANTHROPIC_DEFAULT_HAIKU_MODEL": "claude-haiku-4-6",
    "ANTHROPIC_DEFAULT_SONNET_MODEL": "claude-sonnet-4-6"
  }
}
```
The global settings.json lives at ~/.claude/settings.json on macOS, Linux, and WSL, with project-specific overrides in .claude/settings.json. Merge the env block into the existing object rather than replacing the file, so permissions and other settings are preserved.
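One way to script that merge, as an added example that is not taken from the Bifrost or Claude Code documentation: it keeps every existing key, refuses a base URL outside the internal zone, and writes the file atomically with owner-only permissions because it holds the virtual key. The `.internal` suffix allow-list and the names `check_base_url` and `merge_env` are assumptions made for illustration.

```python
import json
import os
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Values from the article's example block; the suffix allow-list is an assumption.
GATEWAY_ENV = {
    "ANTHROPIC_BASE_URL": "http://bifrost.internal:8080/anthropic",
    "ANTHROPIC_AUTH_TOKEN": "your-virtual-key",
}
ALLOWED_HOST_SUFFIXES = (".internal",)  # assumed internal DNS zone


def check_base_url(url):
    """Return the host, or raise if it lies outside the internal zone."""
    host = (urlsplit(url).hostname or "").lower()
    if not host.endswith(ALLOWED_HOST_SUFFIXES):
        raise ValueError(f"base URL host {host!r} is outside the perimeter")
    return host


def merge_env(settings_path, new_env):
    """Merge new_env into settings.json, leaving all other keys untouched."""
    path = Path(settings_path)
    settings = json.loads(path.read_text()) if path.exists() else {}
    if not isinstance(settings, dict):
        raise ValueError("settings.json must contain a JSON object")
    # Validate before changing anything, so a bad URL never reaches disk.
    check_base_url(new_env["ANTHROPIC_BASE_URL"])
    env = settings.setdefault("env", {})
    if not isinstance(env, dict):
        raise ValueError('"env" must be a JSON object')
    env.update(new_env)
    path.parent.mkdir(parents=True, exist_ok=True)
    # mkstemp creates the file with mode 0600; os.replace makes the swap atomic.
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".settings-")
    with os.fdopen(fd, "w") as fh:
        json.dump(settings, fh, indent=2)
        fh.write("\n")
    os.replace(tmp, path)
    return settings


if __name__ == "__main__":
    merged = merge_env(Path.home() / ".claude" / "settings.json", GATEWAY_ENV)
    print(sorted(merged["env"]))
```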
Claude Code uses three model tiers (Sonnet, Opus, and Haiku), and routing rules let an organization map those tiers to any approved model on any configured provider. Inside a regulated environment, that usually means routing to self-hosted models or to an approved enterprise endpoint such as Bedrock, Vertex, or Azure rather than the public Anthropic API. If a model is configured with automatic failover, Bifrost redirects to a healthy provider when a request fails, so a mid-session degradation does not break a long-running coding task.
If Claude Code uses MCP-connected tools, the MCP gateway centralizes those tool connections through Bifrost as well, so tool execution stays inside the same governed, offline boundary as model traffic.
Governance and compliance controls for Claude Code
Routing Claude Code through Bifrost converts an ungoverned developer tool into a controlled, auditable system. The enterprise deployment model ships the same security stack regardless of where the gateway runs.
Key controls include:
- Virtual keys: virtual keys are the primary governance entity, carrying per-consumer permissions, budgets, and rate limits. Tagging keys by team or environment makes every Claude Code request attributable.
- RBAC and SSO: role-based access control with OpenID Connect integration for Okta, Zitadel, Keycloak and Entra ID enforces least-privilege access at the gateway.
- Audit logs: immutable audit trails record activity for SOC 2 Type II, GDPR, HIPAA, and ISO 27001 evidence.
- Vault support: secret management integrates with HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, and Azure Key Vault, so provider keys never sit in config files.
- Guardrails: content safety detects and blocks unsafe model outputs with real-time policy enforcement across all connected agents.
- Observability: built-in monitoring exposes Prometheus metrics and OpenTelemetry traces for every request, with log exports to internal data lakes.
These controls map directly to the requirements that govern AI in government and public sector and healthcare and life sciences deployments, where traceability and network isolation are non-negotiable. Organizations evaluating the full deployment picture can review the Bifrost Enterprise options for air-gapped, on-prem, and in-VPC configurations.
Frequently asked questions
Can Claude Code run without internet access?
Yes, when it routes through a self-hosted gateway. Claude Code points at a local Bifrost endpoint, and Bifrost forwards requests to approved models inside the network. As long as those models are reachable internally, the entire workflow operates with no internet connectivity.
Does an air-gapped Bifrost deployment phone home?
No. The air-gapped deployment runs fully offline with no phone-home and no telemetry. The Docker image is exported on a connected machine and loaded into an internal registry, after which the gateway has no external dependencies.
How does Claude Code authenticate without an Anthropic account?
Setting ANTHROPIC_AUTH_TOKEN to a Bifrost virtual key removes the need for an Anthropic account login. Claude Code sends the token in the Authorization header, and Bifrost uses the virtual key for both routing and authentication.
Which compliance frameworks does this setup support?
The audit logging, RBAC, vault integration, and zero-egress deployment are built to support SOC 2 Type II, GDPR, HIPAA, and ISO 27001 evidence requirements, which is why the model fits regulated industries with strict data residency rules.
Running Claude Code where compliance demands it
An air-gapped Claude Code setup gives regulated teams the productivity of a terminal coding agent without surrendering control of their data. By routing Claude Code through Bifrost, prompts and source code stay inside the perimeter, provider access runs through governed virtual keys, and every request is logged for compliance. The same open-source AI gateway scales from a single offline node to a multi-cloud cluster, so the deployment grows with the organization rather than against it.
To see how an air-gapped Claude Code setup fits your compliance and infrastructure requirements, book a demo with the Bifrost team.