routing-setup.sh
Configure IP routing tables to allow external hosts to reach the enclave.
DESCRIPTION
The routing-setup.sh script MUST be run at least once, without any command-line parameters,
to set up the routing rules needed to communicate with the enclave. This step is required
before a client running on the AWS EC2 parent instance can communicate with the Nitro enclave:
sudo /opt/anjuna/nitro/bin/routing-setup.sh
In this basic setup, the Nitro Enclave and the EC2 parent instance are on the same
virtual interface (named anjuna0), each with a separate IP address:
- 192.168.0.1 is the IP address of the Nitro Enclave
- 192.168.0.2 is the IP address of the Nitro parent instance
This setup allows the Nitro Enclave and the parent host to communicate with each other.
For example, the Nitro Enclave can ping
that Nitro parent instance with the following command:
ping -c 10 192.168.0.2
Similarly, the Nitro parent instance can ping the Nitro Enclave with the following command:
ping -c 10 192.168.0.1
The examples above assume that you have started the anjuna-nitro-netd-parent agent.
If the Nitro Enclave also needs to be reachable from other hosts, the routing-setup.sh
script must be invoked again with the --fwd-port option to expose specific ports on the
external network interface of the EC2 parent instance. Only the ports you forward this way
are reachable from outside; the basic setup above gives the enclave no external exposure.
For example, if you are running Nginx in the Nitro Enclave, you can expose it to external hosts with the following command (assuming Nginx is configured to listen on port 80):
sudo /opt/anjuna/nitro/bin/routing-setup.sh --fwd-port 80
After this command is executed, you can reach Nginx in the enclave from a different host
using the EC2 parent instance's IP address, where <nitro-ip-address> below is the public
or private address of the parent instance (not the enclave's 192.168.0.1, which is only
routable on anjuna0):
curl http://<nitro-ip-address>:80
or
curl http://<nitro-ip-address>
The example above uses port 80 but this is applicable to any port your application uses.
You still have to set up the EC2 firewall rules (the instance's security group) for the
ports you want to expose to other hosts; routing-setup.sh only configures routing on the
instance and does not open anything in the security group. Allow the forwarded port only
from the source ranges that actually need it, since once forwarded it is reachable by every
host the security group admits. See
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
for more information.
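The following script, added here as an example and not part of the Anjuna documentation or of routing-setup.sh itself, checks the state this page describes: that anjuna0 carries the parent address, that the anjuna-nitro-netd-parent agent is running, that the enclave answers ping, and, when a port was forwarded with --fwd-port, that the service inside the enclave accepts TCP connections on it. The interface name, the two 192.168.0.x addresses and the agent name are taken from this page; the constructed `ip -o -4 addr show` sample and the use of nc for the port probe are assumptions of the example.

```shell
#!/bin/sh
# Added example: sanity checks for the enclave network setup described above.
# Not part of the Anjuna documentation or of routing-setup.sh.
# Assumptions: interface anjuna0, enclave 192.168.0.1, parent 192.168.0.2 and
# the agent name anjuna-nitro-netd-parent, as given on this page.

ENCLAVE_IP="192.168.0.1"
PARENT_IP="192.168.0.2"
IFACE="anjuna0"

# Constructed sample of `ip -o -4 addr show` output (not captured from a real host),
# used to exercise iface_has_addr offline.
SAMPLE_IP_OUTPUT='2: eth0    inet 10.0.1.23/24 brd 10.0.1.255 scope global dynamic eth0\       valid_lft 3105sec preferred_lft 3105sec
3: anjuna0    inet 192.168.0.2/24 brd 192.168.0.255 scope global anjuna0\       valid_lft forever preferred_lft forever'

# valid_port PORT: succeed only for an integer in 1..65535, i.e. something
# sensible to hand to --fwd-port.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# iface_has_addr OUTPUT IFACE IP: given the text of `ip -o -4 addr show`,
# succeed if IFACE carries IP. Pure text parsing, so it can be tested offline.
iface_has_addr() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v ip="$3" '
        $2 == ifc && $3 == "inet" { split($4, a, "/"); if (a[1] == ip) found = 1 }
        END { exit found ? 0 : 1 }'
}

# run_live_checks [PORT]: the real checks, run on the parent instance after
# routing-setup.sh (and, with PORT, after routing-setup.sh --fwd-port PORT).
run_live_checks() {
    port="$1"
    out="$(ip -o -4 addr show)"
    iface_has_addr "$out" "$IFACE" "$PARENT_IP" \
        || { echo "FAIL: $IFACE does not carry $PARENT_IP; was routing-setup.sh run?"; return 1; }
    pgrep -f anjuna-nitro-netd-parent >/dev/null \
        || echo "WARN: anjuna-nitro-netd-parent does not appear to be running"
    ping -c 3 -W 2 "$ENCLAVE_IP" >/dev/null \
        || { echo "FAIL: enclave $ENCLAVE_IP does not answer ping"; return 1; }
    echo "OK: parent <-> enclave connectivity on $IFACE"
    if [ -n "$port" ]; then
        valid_port "$port" || { echo "FAIL: '$port' is not a valid TCP port"; return 1; }
        # Assumption: the enclave service speaks TCP on $port. A successful connect
        # from the parent shows the service is up; reachability from other hosts
        # additionally depends on the security group rules.
        if command -v nc >/dev/null 2>&1; then
            nc -z -w 3 "$ENCLAVE_IP" "$port" \
                && echo "OK: $ENCLAVE_IP:$port accepts connections" \
                || { echo "FAIL: $ENCLAVE_IP:$port refused or timed out"; return 1; }
        else
            echo "SKIP: nc not installed; cannot probe $ENCLAVE_IP:$port"
        fi
    fi
}

# Usage on the parent instance: sh verify-enclave-net.sh --live [PORT]
if [ "${1:-}" = "--live" ]; then
    run_live_checks "${2:-}"
fi
```

Run it with `--live` on the parent after the basic setup to confirm the enclave is reachable over anjuna0, and with `--live 80` after `--fwd-port 80` to confirm the enclave service is actually listening before you start debugging security-group rules from an external host.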