Introducing Nitrogen: Deploy Web Servers and Databases to AWS Nitro Enclaves


TL;DR: Nitrogen is a tool for deploying web servers, databases, and other services to AWS Nitro Enclaves. Given a Dockerfile, Nitrogen will spin up an EC2 instance, configure external networking, and build and deploy your web service. What you get back is a hostname and port that are ready to use. Nitrogen is fully open source and comes with pre-built scripts for popular services like Redis and Nginx. For example, to deploy Nginx, first install Nitrogen:

curl -fsSL https://raw.githubusercontent.com/capeprivacy/nitrogen/main/install.sh | sh

(As with any curl | sh installer, you can download install.sh first and read it before running it.)

Clone the examples:

git clone git@github.com:capeprivacy/nitrogen.git
cd nitrogen

Note: An AWS account is required. If you have the AWS CLI configured, you can retrieve your credentials with cat ~/.aws/credentials. See troubleshooting if your AWS account uses MFA. Keep in mind that exporting the secret on the command line leaves it in your shell history; unset it when you are done.

export AWS_ACCESS_KEY_ID=<YOUR ACCESS KEY>
export AWS_SECRET_ACCESS_KEY=<YOUR SECRET>

And then setup, build, and deploy:

nitrogen setup my-nginx-enclave ~/.ssh/id_rsa.pub
nitrogen build ./examples/nginx
nitrogen deploy my-nginx-enclave ~/.ssh/id_rsa

And that's it! You have a Nitro Enclave running Nginx:

curl http://ec2-34-56-789-0.compute-1.amazonaws.com:5000

How Nitrogen Works

A Nitro Enclave can run almost anything that a regular EC2 instance can, but typically you need to do a lot of work to get there. A Nitro Enclave is an isolated VM carved out of an EC2 instance by the Nitro Hypervisor. By default, it has no network, no persistent disk, and no shell access; even root on the parent EC2 instance cannot get in. Its only channel to the outside is a vsock connection to the parent instance. These constraints are core security features, but you need to open things up a little in order to run your application: a complete black box would have no effect on the outside world. To get a feel for that complexity, see Running an HTTP Server with AWS Nitro Enclaves by @bendecoste. Nitrogen makes working with Nitro Enclaves much easier. Let's walk through the example of deploying Nginx with Nitrogen in more detail.

Launch a Nitro Enclave Capable EC2 Instance

# nitrogen setup <name> <public_key>
nitrogen setup my-nginx-enclave ~/.ssh/id_rsa.pub

nitrogen setup uses CloudFormation to launch an enclave-capable EC2 instance and configure its networking so that it is reachable over SSH with the public key you passed in. You can SSH into the EC2 instance if you want, but you don't need to. Nitrogen defaults to the m5a.xlarge instance type, but you can also specify --instance-type <any-enclave-enabled-instance-type>.

Build an Enclave Image File (EIF) from a Dockerfile

# nitrogen build <dockerfile-directory>
nitrogen build ./examples/nginx

nitrogen build will first build a Docker image from the Dockerfile in the directory you specify, and then convert that image to an Enclave Image File (EIF) and save it locally.

Deploy an EIF to a Nitro Enclave

# nitrogen deploy <name> <private_key>
nitrogen deploy my-nginx-enclave ~/.ssh/id_rsa
# Listening: ec2-34-56-789-0.compute-1.amazonaws.com:5000

nitrogen deploy will upload the EIF to the EC2 instance over SSH and launch it in a Nitro Enclave. And that's it! Nginx is now set up and running in an AWS Nitro Enclave, and we can curl the server at the hostname and port that deploy printed.

curl http://ec2-34-56-789-0.compute-1.amazonaws.com:5000
# Hello World!
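The curl above reaches a VM that has no network interface of its own, so something on the parent EC2 instance must accept the TCP connection and hand the bytes into the enclave over vsock. The following is an added example of that parent-side forwarding pattern, written for this page; it is not Nitrogen's own code, and the post does not describe how Nitrogen implements its networking. The enclave CID and vsock port in vsock_connector are hypothetical, AF_VSOCK exists only on Linux, and a loopback echo server stands in for the service inside the enclave so the relay can be run on a laptop.

```python
"""Parent-side TCP-to-vsock forwarder: a constructed example (not Nitrogen's code)
of how traffic reaches an enclave that has no network interface of its own."""
import socket
import threading

AF_VSOCK = getattr(socket, "AF_VSOCK", None)   # Linux only; None elsewhere


def pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the EOF propagates."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(client, upstream):
    """Relay both directions; returns once both sides have hit EOF."""
    t = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    t.start()
    pump(client, upstream)
    t.join()
    client.close()
    upstream.close()


def vsock_connector(cid, port):
    """Upstream factory for a real enclave. cid/port are hypothetical here; the
    CID is reported by `nitro-cli describe-enclaves` on the parent instance."""
    if AF_VSOCK is None:
        raise RuntimeError("AF_VSOCK is not available on this platform")

    def connect():
        s = socket.socket(AF_VSOCK, socket.SOCK_STREAM)
        s.connect((cid, port))
        return s
    return connect


def tcp_connector(host, port):
    """Upstream factory used to exercise the relay without an enclave."""
    return lambda: socket.create_connection((host, port))


class Forwarder:
    """Listen on a TCP port on the parent instance; relay every client upstream."""

    def __init__(self, host, port, connect_upstream):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]   # actual port when port == 0
        self.connect_upstream = connect_upstream

    def start(self):
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:                  # listener closed
                return
            try:
                upstream = self.connect_upstream()
            except OSError:                  # enclave not listening: drop client, keep serving
                client.close()
                continue
            threading.Thread(target=relay, args=(client, upstream), daemon=True).start()

    def close(self):
        self.sock.close()


def start_echo_server():
    """Constructed stand-in for the service inside the enclave: echoes its input."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def handle(c):
        pump(c, c)
        c.close()

    def loop():
        while True:
            try:
                c, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(c,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def roundtrip_through_forwarder(payload):
    """Send payload client -> Forwarder -> echo server and return what comes back."""
    echo_srv, echo_port = start_echo_server()
    fwd = Forwarder("127.0.0.1", 0, tcp_connector("127.0.0.1", echo_port)).start()
    try:
        with socket.create_connection(("127.0.0.1", fwd.port)) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)       # done sending; wait for the echo
            out = bytearray()
            while chunk := c.recv(65536):
                out += chunk
        return bytes(out)
    finally:
        fwd.close()
        echo_srv.close()


if __name__ == "__main__":
    print(roundtrip_through_forwarder(b"GET / HTTP/1.0\r\nHost: enclave\r\n\r\n"))
```

On a real parent instance you would construct Forwarder("0.0.0.0", 5000, vsock_connector(enclave_cid, enclave_port)) and run a matching vsock listener inside the enclave that connects to Nginx on localhost. Two details matter for correctness: each direction is half-closed with SHUT_WR when its source hits EOF, so the client sees the end of the response instead of hanging, and a failed upstream connect drops only that client rather than killing the forwarder.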

What's Next for Nitrogen?

In a follow-up post we'll walk through how Nitrogen works under the hood, and we'll share more details about the roadmap.

For now, you can curl -fsSL https://raw.githubusercontent.com/capeprivacy/nitrogen/main/install.sh | sh and start using it. We'd love to hear what you think in the comments below. Please star Nitrogen on GitHub, and come chat on Discord. Thanks!
