When you are building inside AWS Nitro Enclaves for the first time, the documentation gives you a clean mental model: the parent EC2 instance communicates with the enclave over vsock, the enclave runs your application, and everything is isolated and tidy. What the documentation does not tell you is that "connected" and "live" are two different things, and conflating them will cost you time.

This is the story of a silent failure I hit while building Mizan, a legal AI platform running inside Nitro Enclaves, where attorney-client privileged data is processed entirely in hardware-isolated memory. The bug took about 90 minutes to resolve. Writing it up takes less than 10 minutes to read. Hopefully this saves you the 90.

The Setup

The architecture is straightforward: an AWS Nitro Enclave runs a raw vsock server on port 5000. The parent EC2 instance communicates with it over vsock, the only communication channel Nitro Enclaves support. No TCP, no network interfaces inside the enclave, just vsock.…
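As an added illustration (not code from the post or from Mizan), here is a parent-side check that keeps the two states apart: a transport-level vsock connect on the post's port 5000, and an application-level probe that only counts the enclave as live once the expected reply arrives. The PING/PONG handshake and the socketpair stand-in are assumptions so the check can be exercised offline.

```python
import select
import socket
import threading
import time

ENCLAVE_PORT = 5000  # vsock port the post says the enclave server listens on
PROBE, EXPECTED = b"PING\n", b"PONG\n"  # assumed handshake, not the post's protocol

def connect_to_enclave(cid, port=ENCLAVE_PORT, timeout=2.0):
    # Transport-level connect over AF_VSOCK (Linux only). Success proves only
    # that something accepted the connection, not that the application serves.
    sock = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.connect((cid, port))
    return sock

def is_live(sock, timeout=2.0):
    # Application-level liveness: the full expected reply must arrive before
    # the deadline. Silence, a partial reply or a close are all "not live".
    try:
        sock.sendall(PROBE)
    except OSError:
        return False
    buf, deadline = b"", time.monotonic() + timeout
    while not buf.endswith(b"\n"):
        remaining = deadline - time.monotonic()
        if remaining <= 0 or not select.select([sock], [], [], remaining)[0]:
            return False
        try:
            chunk = sock.recv(64)
        except OSError:
            return False
        if not chunk:  # peer closed without answering
            return False
        buf += chunk
    return buf == EXPECTED

def simulate_peer(reply):
    # Offline stand-in for the enclave end: client half of a socketpair whose
    # peer answers with `reply`, stays silent (b"") or closes (None).
    client, server = socket.socketpair()
    def serve():
        with server:
            server.recv(64)
            if reply:
                server.sendall(reply)
            elif reply == b"":
                time.sleep(1.0)
    threading.Thread(target=serve, daemon=True).start()
    return client
```

In production the parent calls connect_to_enclave with the enclave's CID and then is_live on the returned socket; a successful connect followed by a failed probe is exactly the "connected but not live" state the post describes.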