Communicating with the parent instance

When using the Anjuna Nitro Runtime, the Anjuna Nitro Network Proxy enables the AWS Nitro Enclave to communicate with the outside world, as described on the anjuna-nitro-netd-parent reference page.

Inside the enclave, localhost and 127.0.0.1 refer to the enclave itself. This means that localhost and 127.0.0.1 cannot be used to address other services running on the parent instance, including other enclaves.

The parent instance IP address

The special address 192.168.127.254 is used by the Anjuna Nitro Runtime to refer to the enclave’s parent instance. From within an AWS Nitro Enclave, you can use 192.168.127.254:<PORT> to refer to the parent instance or exposed ports of any enclaves running on the same instance.

For example, consider a parent instance running a non-enclave service on port P, Enclave A listening on port A, and Enclave B listening on port B. The following table shows how to address each service, depending on where the client is running:

| Target service | Client in Enclave A | Client in Enclave B | Client on parent instance |
|---|---|---|---|
| Listener inside Enclave A (not exposed) | localhost:<A> | Unreachable | Unreachable |
| Listener inside Enclave A (--expose <A>) | localhost:<A> | 192.168.127.254:<A> | localhost:<A> |
| Listener inside Enclave B (not exposed) | Unreachable | localhost:<B> | Unreachable |
| Listener inside Enclave B (--expose <B>) | 192.168.127.254:<B> | localhost:<B> | localhost:<B> |
| Listener on parent instance | 192.168.127.254:<P> | 192.168.127.254:<P> | localhost:<P> |
| A public IP or hostname (like example.com) | example.com | example.com | example.com |

When using the Anjuna Nitro K8s Toolset, the Pod should define exposed ports using the field spec.containers.ports instead of calling anjuna-nitro-netd-parent --expose directly.

Docker networks

You may need to run a service using Docker on the parent instance and access it from an enclave.

Since the Anjuna Nitro Runtime is not aware of Docker’s network isolation, you should run the Docker service using the host network (docker run --network host, or if using Docker Compose, network_mode: "host").

Then from inside the enclave, you will be able to reach the Dockerized service at 192.168.127.254:<PORT>.
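The following Docker Compose file is an added example, not part of the Anjuna documentation or the Anjuna toolset. It shows the host-network setting the text describes applied to a single service; the service name, the image and port 8080 are assumptions.

```yaml
# docker-compose.yml on the parent instance (added example; service name,
# image and port are assumed, not taken from the Anjuna docs).
services:
  api:
    image: nginx:1.25          # assumed image; any service listening on a TCP port works
    # Join the parent instance's network namespace instead of a Docker bridge
    # network, so the listener is bound directly on the host. No `ports:`
    # mapping is needed (or honoured) in host mode; the container's own
    # listening port (here 80, assumed for nginx) is the host port.
    network_mode: "host"
    # Keep the service from running with more privilege than it needs; the
    # network mode alone does not require root inside the container.
    read_only: true
    tmpfs:
      - /var/cache/nginx
      - /var/run
```

With this configuration, code inside an enclave on the same instance reaches the service at 192.168.127.254:80 (the container's listening port, since host mode performs no port mapping), while a client on the parent instance itself uses localhost:80, matching the "Listener on parent instance" row of the table above. Because the listener is now bound in the host namespace, it is also reachable from anywhere the parent instance's security group and host firewall allow, so restrict those if the service is intended only for enclaves on that instance.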