Merge pull request #24612 from dvdksn/sbx/access-host-services

sandboxes: document accessing host services via host.docker.internal

Author: dvdksn

content/manuals/ai/sandboxes/troubleshooting.md

@@ -34,6 +34,12 @@ To allow all outbound traffic instead:
 $ sbx policy allow network "**"
 ```
 
+## Can't reach a service running on the host
+
+If a request to `127.0.0.1` or a local network IP returns "connection refused"
+from inside a sandbox, the address is not routable from within the sandbox VM.
+See [Accessing host services from a sandbox](usage.md#accessing-host-services-from-a-sandbox).
+
 ## Docker authentication failure
 
 If you see a message like `You are not authenticated to Docker`, your login

content/manuals/ai/sandboxes/usage.md

@@ -298,6 +298,28 @@ A few things to keep in mind:
   must use `--unpublish 8080:3000`. Run `sbx ports my-sandbox` first if you
   used an ephemeral port and need to find the assigned host port.
 
+## Accessing host services from a sandbox
+
+Services running on your host are reachable from inside a sandbox using the
+hostname `host.docker.internal`.
+Use this instead of `127.0.0.1` or your machine's local network IP address,
+which are not routable from inside the sandbox.
+
+The sandbox proxy translates `host.docker.internal` to `localhost` before
+forwarding the request, so you must add the `localhost` address with the
+specific port to your network policy allowlist:
+
+```console
+$ sbx policy allow network localhost:11434
+```
+
+Then use `host.docker.internal` in any configuration or request that points at
+the host service. For example, to verify connectivity from a sandbox shell:
+
+```console
+$ curl http://host.docker.internal:11434
+```
+
 ## What persists
 
 While a sandbox exists, installed packages, Docker images, configuration