Configuration

Virtual gateways can be deployed in your internal network/VPC to provide secure access to your remote resources. The currently recommended deployment model is to run a virtual gateway either in a container-based environment or on a configured Linux host (see below).

Simple ingress example

Here is an example Docker Compose file that passes ingress traffic to a Docker container in the same Docker network as the agent. Requests to the gateway node on port 80 can be forwarded to the whoami container on port 80. You can set the gateway node to use the remote hostname whoami so that the whoami container's address is looked up dynamically. Note that this assumes you have created an agent_token.txt file containing the agent token in the same directory as the Docker Compose file.

INFO

Due to a limitation in how Docker handles iptables rules, you cannot (easily) forward traffic from a container to the host network, even if host networking is enabled. We recommend using a Linux host for this use case.

```yaml
services:
  enclave-agent:
    image: public.ecr.aws/sidechannel/enclave-agent:ubuntu-latest
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      AGENT_TOKEN_FILE: /run/secrets/agent_token
    secrets:
      - agent_token

  whoami:
    image: containous/whoami
    command:
      - --port=80
      - --name=whoami

secrets:
  agent_token:
    file: agent_token.txt
```

Host networking example

Prerequisites:

  • Linux host running Ubuntu 20.04+, Debian 10+, or RHEL 8+
  • IPv4 forwarding enabled (/proc/sys/net/ipv4/ip_forward set to 1)

With your host configured, install the Enclave agent and register it using a gateway registration code or an agent token. Once the agent is registered, it adds NAT rules to an nftables chain so that traffic can be forwarded out of the host. You can then configure gateway nodes to forward traffic out of the host.
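A pre-flight script for the host prerequisites listed above, added here as an example and not part of the Enclave documentation or agent. It checks that IPv4 forwarding is on and that a TUN device exists, and writes a sysctl drop-in to make forwarding persistent; the file paths are parameters (an assumption made so the checks can be exercised against constructed files as well as the live system), and the drop-in filename is a hypothetical choice.

```shell
#!/bin/sh
# Gateway host pre-flight (added example, not from the Enclave docs).
# Checks the prerequisites a Linux-host gateway needs before the agent
# is installed: IPv4 forwarding enabled and /dev/net/tun available.

# Return 0 if the ip_forward sysctl file at $1 contains exactly "1".
# Live path: /proc/sys/net/ipv4/ip_forward
ip_forward_enabled() {
    [ -r "$1" ] || return 1
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Return 0 if a TUN character device exists at $1 (normally /dev/net/tun).
tun_device_present() {
    [ -c "$1" ]
}

# Write a drop-in under directory $1 (normally /etc/sysctl.d) so that
# forwarding survives reboots. The running kernel still needs
# `sysctl -w net.ipv4.ip_forward=1` or `sysctl --system` applied once.
# The filename is a hypothetical choice for this example.
write_ip_forward_dropin() {
    mkdir -p "$1" || return 1
    printf 'net.ipv4.ip_forward = 1\n' > "$1/99-enclave-gateway.conf"
}

# Run every check against the live system, print one verdict line per
# check, and return non-zero if any prerequisite is missing.
gateway_preflight() {
    rc=0
    if ip_forward_enabled /proc/sys/net/ipv4/ip_forward; then
        echo "ok   IPv4 forwarding is enabled"
    else
        echo "FAIL IPv4 forwarding is off (sysctl -w net.ipv4.ip_forward=1)"
        rc=1
    fi
    if tun_device_present /dev/net/tun; then
        echo "ok   /dev/net/tun is present"
    else
        echo "FAIL /dev/net/tun is missing (try: modprobe tun)"
        rc=1
    fi
    return $rc
}
```

Run `gateway_preflight` as root on the prospective gateway host before installing the agent; a non-zero exit means the agent's NAT forwarding will not work until the reported item is fixed.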