2

Quite possibly a very trivial question but I can't find anything in the documentation about a feature like this. As we know from the routing mesh documentation:

All nodes participate in an ingress routing mesh. The routing mesh enables each node in the swarm to accept connections on published ports for any service running in the swarm, even if there’s no task running on the node. The routing mesh routes all incoming requests to published ports on available nodes to an active container.

However, I do not wish some nodes to participate in the routing mesh, but I still want them to participate in hosting the service.

The configuration I'm trying to achieve looks a bit like this:

node-topology

I have a single service, hello-world, with three instances, one on each node.

I would like, in this example, only node-1 and node-2 to participate in externalising the ingress network. However, when I visit 10.0.0.3, it still exposes port 80 and 443 as it still has to have the ingress network on it to be able to run the container hello-world, and I would like this not to be the case.

In essence, I'd like to be able to run containers for a service that hosts port 80 & 443 on 10.0.0.3 without being to access it by visiting 10.0.0.3 in a web browser. Is there any way to configure this? Even if there's no container running on the node, it'll still forward traffic to a container that is running.

Thank you!

Sam Holmes
  • 1,594
  • 13
  • 31

1 Answers1

2

The short answer to your specific question is no, there is no supported way to selectively enable/disable the ingress network on specific nodes for specific overlay networks.

But based on what you're asking to do, the expected model for using only specific nodes for incoming traffic is to control which nodes receive the traffic, not shutoff ports on specific nodes...

In a typical 6-node swarm where you've separated out your managers to be protected in a different subnet from the DMZ (e.g. a subnet behind the workers). You'd use placement constraints to ensure your app workloads were only assigned to worker nodes, and those nodes were the only ones in the VLAN/Security Group/etc. for being accessible from user/client traffic.

Most prod designs of Swarm recommend protecting your managers (which manage the orchestration and scheduling of containers, store secrets, etc.) from external traffic.

Why not put your proxies on the workers in a client-accessible network, and have those nodes the only in DMZ/external LB.

Note that if you only allow firewall/LB access to some nodes (e.g. just 3 workers) then the other nodes that don't receive external incoming traffic are effectively not using their ingress networks, which achieves your desired result. The node that receives the external connection uses its VIP to route the traffic directly to the node that runs the published container port.

Bret Fisher
  • 8,164
  • 2
  • 31
  • 36
  • Thank you a lot for this answer, especially explaining the prod designs of swarm! I hadn't considered fully the best way to implement it so this was really helpful :) – Sam Holmes Mar 26 '18 at 13:41
  • I suggest reading this blog post https://ops.tips/blog/blocking-ingress-traffic-to-docker-swarm-worker-machines/ – Alessandro Dionisi Mar 08 '19 at 11:11