feat(mbe): isolate awm network

Author: cpatino-intive

README.md

@@ -248,6 +248,56 @@ Notes:
 - The `:Z` option in volume mounts is specific to SELinux-enabled systems and ensures proper volume labeling
 - The logs directory will be created with appropriate permissions if it doesn't exist
 
+## Docker Compose Deployment
+
+The application includes a Docker Compose configuration that runs both Advanced Wallet Manager (AWM) and Master BitGo Express (MBE) services with proper network isolation for enhanced security.
+
+### Architecture Overview
+
+The Docker Compose setup creates two isolated services:
+
+- **Advanced Wallet Manager (AWM)**: Runs in an isolated internal network with no external access for maximum security
+- **Master BitGo Express (MBE)**: Connected to both internal network (for AWM communication) and public network (for external API access)
+- **Network Isolation**: AWM is completely isolated from external networks and only accessible through MBE
+
+### Network Configuration
+
+The setup creates two distinct networks:
+
+1. **my-internal-network**: 
+   - Internal bridge network with `internal: true`
+   - Used for secure AWM isolation and MBE-to-AWM communication
+   - No external internet access for security
+
+2. **my-public-network**: 
+   - Public bridge network
+   - Used for external access to MBE APIs
+   - Connected to host networking
+
+### Prerequisites
+
+1. **Install Docker and Docker Compose**
+2. **Ensure KMS service is running** on your host machine (typically on port 3000)
+
+### Quick Start
+
+1. **Start the services:**
+
+```bash
+# Navigate to project directory
+cd advanced-wallet
+
+# Start both services in background
+docker-compose up -d
+```
+
+2. **Stop the services:**
+
+```bash
+# Stop and remove containers
+docker-compose down
+```
+
 ## API Endpoints
 
 ### Advanced Wallet Manager (Port 3080)
@@ -300,4 +350,3 @@ env | grep -E "(APP_MODE|KMS_URL|ADVANCED_WALLET_MANAGER|TLS_)"
 ## License
 
 MIT
-```

docker-compose.yml

@@ -0,0 +1,53 @@
+version: '3.8'
+
+services:
+  # Service for advanced-wallet-manager (AWM)
+  advanced-wallet-manager:
+    build: .  # Build from the Dockerfile inside the repo
+    container_name: advanced-wallet-manager
+    networks:
+      - my-internal-network  # Only part of the internal network
+    environment:
+      - ADVANCED_WALLET_MANAGER_PORT=3081
+      - TLS_MODE=disabled
+      - ALLOW_SELF_SIGNED=true
+      - MTLS_REQUEST_CERT=false
+      - RECOVERY_MODE=true
+      - APP_MODE=advanced-wallet-manager
+      - KMS_URL=http://172.20.0.1:3000
+      - BIND=0.0.0.0
+    restart: always
+    ports: []  # No public ports exposed
+
+  # Service for master-bitgo-express (MBE) - both internal and publicly accessible
+  master-bitgo-express:
+    build: .  # Build from the Dockerfile inside the repo
+    container_name: master-bitgo-express
+    networks:
+      - my-internal-network  # Connect to the internal network for internal communication
+      - my-public-network  # Connect to the public network for external access
+    environment:
+      - APP_MODE=master-express
+      - BITGO_ENV=test
+      - TLS_KEY_PATH=test-ssl-key.pem
+      - TLS_CERT_PATH=test-ssl-cert.pem
+      - ADVANCED_WALLET_MANAGER_URL=http://advanced-wallet-manager:3081
+      - ENCLAVED_EXPRESS_CERT=./test-ssl-cert.pem
+      - MTLS_REQUEST_CERT=false
+      - ALLOW_SELF_SIGNED=true
+      - TLS_MODE=disabled
+      - RECOVERY_MODE=true
+      - MASTER_EXPRESS_PORT=3081
+      - BIND=0.0.0.0
+    restart: always
+    ports:
+      - "3081:3081"  # Expose MBE publicly on port 3081
+
+# Networks section
+networks:
+  my-internal-network:
+    driver: bridge  # Internal communication network, no access to the internet
+    internal: true  # Ensures this network is not accessible from outside
+  
+  my-public-network:
+    driver: bridge  # Public network, allowing external access to MBE