From ca056b299f14d89c648db1d0204b3f486dc1f93e Mon Sep 17 00:00:00 2001 From: Yolanda Robla Date: Mon, 29 Sep 2025 09:32:10 +0200 Subject: [PATCH 1/9] add an example about accessing internal workloads This is specifically for accessing containers on the same network when running network isolation --- docs/toolhive/guides-ui/network-isolation.mdx | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/toolhive/guides-ui/network-isolation.mdx b/docs/toolhive/guides-ui/network-isolation.mdx index f08c8204..0322c69c 100644 --- a/docs/toolhive/guides-ui/network-isolation.mdx +++ b/docs/toolhive/guides-ui/network-isolation.mdx @@ -79,6 +79,19 @@ The configuration pictured below allows the MCP server to access />
+### Accessing other workloads on the same network + +To allow an MCP server to access other workloads on the same network, you need +to configure network isolation to include the appropriate hostnames and ports. +This is commonly needed when your MCP server needs to communicate with +databases, APIs, or other services that are not publicly accessible. + +For example, in Docker environments, you can add `host.docker.internal` to +access services on the host: + +- **Allowed hosts**: `host.docker.internal` +- **Allowed ports**: `3000` + ## Related information - [Run MCP servers](./run-mcp-servers.md) From 2ccce306abbb46b2e3bf18c13e0da27b0c595882 Mon Sep 17 00:00:00 2001 From: Yolanda Robla Mota Date: Tue, 30 Sep 2025 11:38:19 +0200 Subject: [PATCH 2/9] Update docs/toolhive/guides-ui/network-isolation.mdx Co-authored-by: Dan Barr --- docs/toolhive/guides-ui/network-isolation.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/toolhive/guides-ui/network-isolation.mdx b/docs/toolhive/guides-ui/network-isolation.mdx index 0322c69c..7b511166 100644 --- a/docs/toolhive/guides-ui/network-isolation.mdx +++ b/docs/toolhive/guides-ui/network-isolation.mdx @@ -84,7 +84,8 @@ The configuration pictured below allows the MCP server to access To allow an MCP server to access other workloads on the same network, you need to configure network isolation to include the appropriate hostnames and ports. This is commonly needed when your MCP server needs to communicate with -databases, APIs, or other services that are not publicly accessible. +databases, APIs, or other services that are running on your local host during +development. For example, in Docker environments, you can add `host.docker.internal` to access services on the host: From 8c2646dae612554e43ec455611d6dde7ee8d2aec Mon Sep 17 00:00:00 2001 
From: Yolanda Robla Mota Date: Tue, 30 Sep 2025 11:38:27 +0200 Subject: [PATCH 3/9] Update docs/toolhive/guides-ui/network-isolation.mdx Co-authored-by: Dan Barr --- docs/toolhive/guides-ui/network-isolation.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/toolhive/guides-ui/network-isolation.mdx b/docs/toolhive/guides-ui/network-isolation.mdx index 7b511166..641b392a 100644 --- a/docs/toolhive/guides-ui/network-isolation.mdx +++ b/docs/toolhive/guides-ui/network-isolation.mdx @@ -79,7 +79,7 @@ The configuration pictured below allows the MCP server to access />
-### Accessing other workloads on the same network +### Accessing other workloads on the same container network To allow an MCP server to access other workloads on the same network, you need to configure network isolation to include the appropriate hostnames and ports. From 440d638b6a2ecb95c4685ae47812dcaa6dd68aef Mon Sep 17 00:00:00 2001 From: Yolanda Robla Date: Tue, 30 Sep 2025 11:51:26 +0200 Subject: [PATCH 4/9] changes from review --- .../toolhive/guides-cli/network-isolation.mdx | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/docs/toolhive/guides-cli/network-isolation.mdx b/docs/toolhive/guides-cli/network-isolation.mdx index c84de5e6..5b55cdef 100644 --- a/docs/toolhive/guides-cli/network-isolation.mdx +++ b/docs/toolhive/guides-cli/network-isolation.mdx @@ -240,6 +240,36 @@ thv run --isolate-network --permission-profile none --volume /home/user/aws-diag This approach is more flexible since you can easily change the host directory without editing a profile file. +## Accessing other workloads on the same container network + +To allow an MCP server to access other workloads on the same network, you need +to configure network isolation to include the appropriate hostnames and ports. +This is commonly needed when your MCP server needs to communicate with +databases, APIs, or other services that are running on your local host during +development. + +For example, in Docker environments, you can use `host.docker.internal` to +access services on the host. Create a permission profile that allows this +hostname and the required port: + +```json title="internal-access-profile.json" +{ + "network": { + "outbound": { + "insecure_allow_all": false, + "allow_host": ["host.docker.internal"], + "allow_port": [3000] + } + } +} +``` + +Run the MCP server with this profile: + +```bash +thv run --isolate-network --permission-profile ./internal-access-profile.json +``` + ## Related information - [`thv run` command reference](../reference/cli/thv_run.md) 
From 1038d41a16c9973f0b86597855d7def642aa31e4 Mon Sep 17 00:00:00 2001 From: Yolanda Robla Mota Date: Tue, 30 Sep 2025 12:07:13 +0200 Subject: [PATCH 5/9] Update docs/toolhive/guides-cli/network-isolation.mdx Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/toolhive/guides-cli/network-isolation.mdx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/toolhive/guides-cli/network-isolation.mdx b/docs/toolhive/guides-cli/network-isolation.mdx index 5b55cdef..3fee613b 100644 --- a/docs/toolhive/guides-cli/network-isolation.mdx +++ b/docs/toolhive/guides-cli/network-isolation.mdx @@ -249,7 +249,11 @@ databases, APIs, or other services that are running on your local host during development. For example, in Docker environments, you can use `host.docker.internal` to -access services on the host. Create a permission profile that allows this +access services on the host. + +> **Note:** `host.docker.internal` is a special hostname provided by Docker that resolves to the host machine's IP address from within containers. This allows containers to access services running on the host system. + +Create a permission profile that allows this hostname and the required port: ```json title="internal-access-profile.json" From a586146d208c2de8bb4cfee4924b298defc80fa6 Mon Sep 17 00:00:00 2001 From: Yolanda Robla Mota Date: Tue, 30 Sep 2025 12:07:31 +0200 Subject: [PATCH 6/9] Update docs/toolhive/guides-ui/network-isolation.mdx Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/toolhive/guides-ui/network-isolation.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/toolhive/guides-ui/network-isolation.mdx b/docs/toolhive/guides-ui/network-isolation.mdx index 641b392a..04aa8afc 100644 --- a/docs/toolhive/guides-ui/network-isolation.mdx +++ b/docs/toolhive/guides-ui/network-isolation.mdx 
@@ -88,7 +88,7 @@ databases, APIs, or other services that are running on your local host during development. For example, in Docker environments, you can add `host.docker.internal` to -access services on the host: +access services on the host. `host.docker.internal` is a special hostname provided by Docker that resolves to the host machine's IP address from within containers: - **Allowed hosts**: `host.docker.internal` - **Allowed ports**: `3000` From c8cb2dd0f3f72254c596a430ee4ef99c367c0dbf Mon Sep 17 00:00:00 2001 From: Yolanda Robla Mota Date: Wed, 1 Oct 2025 10:22:51 +0200 Subject: [PATCH 7/9] Update docs/toolhive/guides-ui/network-isolation.mdx Co-authored-by: Dan Barr --- docs/toolhive/guides-ui/network-isolation.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/toolhive/guides-ui/network-isolation.mdx b/docs/toolhive/guides-ui/network-isolation.mdx index 04aa8afc..c55e65f7 100644 --- a/docs/toolhive/guides-ui/network-isolation.mdx +++ b/docs/toolhive/guides-ui/network-isolation.mdx @@ -88,7 +88,9 @@ databases, APIs, or other services that are running on your local host during development. For example, in Docker environments, you can add `host.docker.internal` to -access services on the host. `host.docker.internal` is a special hostname provided by Docker that resolves to the host machine's IP address from within containers: +access services on the host. `host.docker.internal` is a special hostname +provided by Docker that resolves to the host machine's IP address from within +containers. - **Allowed hosts**: `host.docker.internal` - **Allowed ports**: `3000` From eb5d186f2ecaf5893f9853ee0c0dee5c18039a60 Mon Sep 17 00:00:00 2001 From: Yolanda Robla Mota Date: Wed, 1 Oct 2025 10:23:04 +0200 Subject: [PATCH 8/9] Update docs/toolhive/guides-cli/network-isolation.mdx Co-authored-by: Dan Barr --- docs/toolhive/guides-cli/network-isolation.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/docs/toolhive/guides-cli/network-isolation.mdx b/docs/toolhive/guides-cli/network-isolation.mdx index 3fee613b..8bcfd7d1 100644 --- a/docs/toolhive/guides-cli/network-isolation.mdx +++ b/docs/toolhive/guides-cli/network-isolation.mdx @@ -248,10 +248,10 @@ This is commonly needed when your MCP server needs to communicate with databases, APIs, or other services that are running on your local host during development. -For example, in Docker environments, you can use `host.docker.internal` to -access services on the host. - -> **Note:** `host.docker.internal` is a special hostname provided by Docker that resolves to the host machine's IP address from within containers. This allows containers to access services running on the host system. +For example, in Docker environments, you can add `host.docker.internal` to +access services on the host. `host.docker.internal` is a special hostname +provided by Docker that resolves to the host machine's IP address from within +containers. Create a permission profile that allows this hostname and the required port: From edd9f2700e6b9a2ee745e7bbf0b828fa47757eb8 Mon Sep 17 00:00:00 2001 From: Yolanda Robla Date: Wed, 1 Oct 2025 10:27:51 +0200 Subject: [PATCH 9/9] fix ci --- docs/toolhive/guides-cli/network-isolation.mdx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/toolhive/guides-cli/network-isolation.mdx b/docs/toolhive/guides-cli/network-isolation.mdx index 8bcfd7d1..a7df68fa 100644 --- a/docs/toolhive/guides-cli/network-isolation.mdx +++ b/docs/toolhive/guides-cli/network-isolation.mdx @@ -253,8 +253,7 @@ access services on the host. `host.docker.internal` is a special hostname provided by Docker that resolves to the host machine's IP address from within containers. -Create a permission profile that allows this -hostname and the required port: +Create a permission profile that allows this hostname and the required port: ```json title="internal-access-profile.json" {
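Review bot: In the `guides-ui/network-isolation.mdx` section built up by patches 1/9 to 3/9, the heading "Accessing other workloads on the same container network" and the opening sentence promise container-to-container access, but the only example (`host.docker.internal`, port `3000`) reaches a service on the host. Either retitle the section so it covers host services, or add a second example that puts another workload's hostname under **Allowed hosts**, so a reader who only needs a sibling container does not open access to the host instead. The same mismatch carries over to the CLI section added in patch 4/9.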
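Review bot: In patch 4/9 (`guides-cli/network-isolation.mdx`), the added command `thv run --isolate-network --permission-profile ./internal-access-profile.json` ends at the profile path and names no MCP server to run; add a placeholder argument such as `<SERVER>` so the line can be copied and completed. In the same hunk, the profile lists `allow_host` and `allow_port` as separate arrays, so a sentence stating how the two combine (for example, whether port `3000` is permitted for every allowed host) would tell readers how narrow the rule actually is.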
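Review bot: In patch 8/9, the change from "you can use `host.docker.internal`" to "you can add `host.docker.internal`" copies the UI wording into the CLI guide, where the sentence no longer says what the hostname is added to. Wording such as "add `host.docker.internal` to the profile's `allow_host` list" would tie it to the JSON that follows and to the "Create a permission profile" step.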