Introduction to Nitrogen: Deploy Web Servers and Databases in the AWS Nitro Enclave

TL;DR: Nitrogen is a tool for deploying web servers, databases, and other services in an AWS Nitro Enclave. Given a Dockerfile, Nitrogen will spin up an EC2 instance, configure external networking, and build and deploy your web service. What you get back is a hostname and port ready to use. Nitrogen is completely open source and comes with pre-built scripts for popular services like Redis and Nginx.

For example, to deploy Nginx, first install Nitrogen:

curl -fsSL https://raw.githubusercontent.com/capeprivacy/nitrogen/main/install.sh | sh

Clone the examples:

git clone git@github.com:capeprivacy/nitrogen.git
cd nitrogen

Note: An AWS account is required. If you have the AWS CLI configured, you can retrieve your credentials with cat ~/.aws/credentials. See Troubleshooting if your AWS account uses MFA.

export AWS_ACCESS_KEY_ID=<YOUR ACCESS KEY>
export AWS_SECRET_ACCESS_KEY=<YOUR SECRET>

Then set up, build, and deploy:

nitrogen setup my-nginx-enclave ~/.ssh/id_rsa.pub
nitrogen build ./examples/nginx
nitrogen deploy my-nginx-enclave ~/.ssh/id_rsa

That's all! You have a Nitro Enclave running Nginx:

curl http://ec2-34-56-789-0.compute-1.amazonaws.com:5000
# Hello World!

How Nitrogen works

A Nitro Enclave can run almost anything that a regular EC2 instance can, but getting there generally takes a lot of work. A Nitro Enclave is a separate VM that has been carved out of an EC2 instance by the Nitro Hypervisor. By default, it has no network, no disk, and no shell access. (Even the root user doesn't have access!) These constraints are core security features, but you'll have to open things up a bit to get your application running. (A complete black box would have no effect on the outside world!) To understand this complexity, see Running an HTTP Server with the AWS Nitro Enclave by @bendecoste.
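
The only channel a Nitro Enclave has to its parent instance is a local vsock socket, so "opening things up" means relaying bytes between a TCP port on the parent and a vsock port in the enclave. The relay below is an added example, not Nitrogen's own code or code from the original post; the enclave CID 16, vsock port 5000, and all function names are assumptions chosen for illustration.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes one way until src closes, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle(client, family, target):
    """Bridge one accepted TCP client to the enclave-side listener."""
    try:
        upstream = socket.socket(family, socket.SOCK_STREAM)
        upstream.connect(target)
    except OSError:
        client.close()  # enclave not listening: drop the client
        return
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    client.close()
    upstream.close()

def start_relay(bind_addr, family, target):
    """Listen on bind_addr (TCP) and relay each connection to target.
    Returns the listening socket so the caller can read its port or close it."""
    listener = socket.create_server(bind_addr)
    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return  # listener was closed
            threading.Thread(target=handle, args=(client, family, target),
                             daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return listener

if __name__ == "__main__":
    # Assumed values: enclave CID 16, vsock port 5000 (constructed, Linux only).
    start_relay(("0.0.0.0", 5000), socket.AF_VSOCK, (16, 5000))
    threading.Event().wait()  # keep the parent-side relay running
```

Because the relay only copies bytes, a service that terminates TLS inside the enclave stays opaque to the parent instance; the security group on the EC2 instance still decides who can reach the listening port.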

Nitrogen makes Nitro Enclaves easier to work with. Let's go through an example of deploying Nginx with Nitrogen in more detail.

Launch a Nitro Enclave Enabled EC2 Instance

# nitrogen setup <name> <public_key>
nitrogen setup my-nginx-enclave ~/.ssh/id_rsa.pub

nitrogen setup uses CloudFormation to spawn an EC2 instance and configures networking such as SSH. You can now SSH into the EC2 instance if you want, but you don't need to. Nitrogen defaults to the m5a.xlarge EC2 instance type, but you can also specify --instance-type <any-enclave-enabled-instance-type>.

Create an Enclave Image File (EIF) from Dockerfile

# nitrogen build <dockerfile-directory>
nitrogen build ./examples/nginx

nitrogen build will first create a Docker image from the Dockerfile you specified, then convert it to an Enclave Image File (EIF) and save it locally.

Deploy the EIF to the Nitro Enclave

# nitrogen deploy <name> <private_key>
nitrogen deploy my-nginx-enclave ~/.ssh/id_rsa
# Listening: ec2-34-56-789-0.compute-1.amazonaws.com:5000

nitrogen deploy will upload the EIF to the EC2 instance and launch it in the Nitro Enclave.

That's all! Nginx is now set up and running in an AWS Nitro Enclave, and we can curl the server.

curl https://ec2-34-56-789-0.compute-1.amazonaws.com:5000
# Hello World!

What’s next for Nitrogen?

In a follow-up post we’ll go over how Nitrogen works under the hood and share more details about the roadmap.

For now, you can curl -fsSL https://raw.githubusercontent.com/capeprivacy/nitrogen/main/install.sh | sh and start using it. We’d love to know what you think in the comments below. Please star Nitrogen on GitHub, and chat on Discord. Thank you!
