diff --git a/docs/toolhive/guides-cli/network-isolation.mdx b/docs/toolhive/guides-cli/network-isolation.mdx index c84de5e6..a7df68fa 100644 --- a/docs/toolhive/guides-cli/network-isolation.mdx +++ b/docs/toolhive/guides-cli/network-isolation.mdx @@ -240,6 +240,39 @@ thv run --isolate-network --permission-profile none --volume /home/user/aws-diag This approach is more flexible since you can easily change the host directory without editing a profile file. +## Accessing other workloads on the same container network + +To allow an MCP server to access other workloads on the same network, you need +to configure network isolation to include the appropriate hostnames and ports. +This is commonly needed when your MCP server needs to communicate with +databases, APIs, or other services that are running on your local host during +development. + +For example, in Docker environments, you can add `host.docker.internal` to +access services on the host. `host.docker.internal` is a special hostname +provided by Docker that resolves to the host machine's IP address from within +containers. + +Create a permission profile that allows this hostname and the required port: + +```json title="internal-access-profile.json" +{ + "network": { + "outbound": { + "insecure_allow_all": false, + "allow_host": ["host.docker.internal"], + "allow_port": [3000] + } + } +} +``` + +Run the MCP server with this profile: + +```bash +thv run --isolate-network --permission-profile ./internal-access-profile.json +``` + ## Related information - [`thv run` command reference](../reference/cli/thv_run.md) diff --git a/docs/toolhive/guides-ui/network-isolation.mdx b/docs/toolhive/guides-ui/network-isolation.mdx index f08c8204..c55e65f7 100644 --- a/docs/toolhive/guides-ui/network-isolation.mdx +++ b/docs/toolhive/guides-ui/network-isolation.mdx @@ -79,6 +79,22 @@ The configuration pictured below allows the MCP server to access />
+### Accessing other workloads on the same container network + +To allow an MCP server to access other workloads on the same network, you need +to configure network isolation to include the appropriate hostnames and ports. +This is commonly needed when your MCP server needs to communicate with +databases, APIs, or other services that are running on your local host during +development. + +For example, in Docker environments, you can add `host.docker.internal` to +access services on the host. `host.docker.internal` is a special hostname +provided by Docker that resolves to the host machine's IP address from within +containers. + +- **Allowed hosts**: `host.docker.internal` +- **Allowed ports**: `3000` + ## Related information - [Run MCP servers](./run-mcp-servers.md)
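Review bot: The heading "Accessing other workloads on the same container network" added to docs/toolhive/guides-cli/network-isolation.mdx does not match the body, which only covers reaching services on the host through `host.docker.internal`. Either retitle the section to describe host access or add a profile example that allows the hostname of another container. The closing `thv run --isolate-network --permission-profile ./internal-access-profile.json` line also ends at the profile path with no server to run, so it cannot be copied as is; add a server name placeholder. Because this profile opens a path from an isolated MCP server to the host, the text should say that `allow_port` lists only the port of the service the server needs and that `3000` is an example value.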
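Review bot: In the docs/toolhive/guides-ui/network-isolation.mdx hunk, the **Allowed hosts** and **Allowed ports** bullets give `host.docker.internal` and `3000` with no sentence saying these are the values to enter or that `3000` stands for the port of the reader's own service. Add a one-line lead-in before the list, as the CLI guide does with "Create a permission profile that allows this hostname and the required port". The two paragraphs above the list are copied verbatim from the CLI guide and carry the same mismatch between the title ("same container network") and the text (host access only), so fix the title in both places and consider keeping the shared wording in one source.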