
I'm new to Docker, but I have learned quite a lot, and I'm going to set up a Docker Swarm cluster on the Hetzner Cloud Platform (cloud.hetzner.com). However, the problem is that they don't provide a private IP address for each of their instance machines. I'm worried: is it safe to use the public IP address of each node to join the Docker Swarm cluster using the command

docker swarm join --token <TOKEN_HERE> PUBLIC_IP:2377

I exposed the required ports on the firewall so that Docker Swarm is able to operate. I have searched Google many times, but the results that show up are all about 'How to set up Docker' and do not answer my specific question. Please provide me with some useful information. Thanks.

Lion
Dylan B

2 Answers

I asked myself the same question, and as far as I understand Docker's documentation (https://docs.docker.com/engine/swarm/how-swarm-mode-works/pki/), the swarm encrypts its communication with TLS (the same as used for HTTPS -> HTTP with TLS). So the swarm should be safe (enough).

Another point is the communication with overlay networks. There you should use encryption too: https://docs.docker.com/v17.09/engine/userguide/networking/overlay-security-model/

docker network create --opt encrypted --driver overlay --attachable my-attachable-multi-host-network

A third point is Docker daemon security. You can configure each swarm node's Docker daemon to listen on a public port over HTTP. If you use this, you need to secure it with your own TLS certificates. By default, the daemon just listens on a local Unix port, which is mostly OK.

If you want to be safer, Hetzner's bare-metal root servers can be connected with a vSwitch, a virtual private network. This should be much safer.

If you need even more security for some business applications, you can also build a root server cluster with a real 1 GBit LAN connection, but this is a bit more expensive.

user2638109
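The answer above names three things to check: the swarm's own TLS, encryption on overlay networks, and not exposing the daemon's TCP API without TLS. The following script is an added example (not code from the answer or from Docker); it wraps the overlay command the answer quotes and adds two small checks a node operator can run: one over the `Options` map that `docker network inspect` reports for a network, and one over a `daemon.json`. The `daemon.json` contents and the inspect output embedded below are constructed samples; `create_encrypted_overlay` is a hypothetical wrapper name.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumes a Docker 17.09+ CLI on a
# swarm manager for the two docker commands; the checks themselves run offline.

# 1. Encrypted overlay network, exactly as the answer suggests (run on a manager).
create_encrypted_overlay() {
    docker network create --opt encrypted --driver overlay --attachable "$1"
}

# Returns the Options map of an existing network as one JSON line.
show_network_options() {
    docker network inspect -f '{{json .Options}}' "$1"
}

# 2. Check an Options map for the "encrypted" flag that --opt encrypted sets.
#    Returns 0 when the overlay is encrypted, 1 otherwise.
network_is_encrypted() {
    printf '%s' "$1" | grep -Eq '"encrypted"[[:space:]]*:'
}

# 3. Audit a daemon.json: if the daemon listens on a tcp:// host, TLS client
#    verification must be on. Returns 0 when safe, 1 when a TCP listener lacks
#    tlsverify. Plain grep so it works on a minimal host without jq.
audit_daemon_json() {
    json="$1"
    if printf '%s' "$json" | grep -q 'tcp://'; then
        if printf '%s' "$json" | grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true'; then
            echo "tcp listener with tlsverify: ok"
            return 0
        fi
        echo "tcp listener WITHOUT tlsverify: unsafe, API is open to anyone who can reach the port"
        return 1
    fi
    echo "no tcp listener (local socket only, the default): ok"
    return 0
}

# --- constructed samples (shape matches real output, values are made up) ---
ENCRYPTED_OPTS='{"com.docker.network.driver.overlay.vxlanid_list":"4097","encrypted":""}'
PLAIN_OPTS='{"com.docker.network.driver.overlay.vxlanid_list":"4098"}'

DEFAULT_DAEMON_JSON='{}'
WEAK_DAEMON_JSON='{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON='{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"}'

# Run the offline checks against the samples; the docker wrappers are only
# called by hand on a real node.
for name in DEFAULT_DAEMON_JSON WEAK_DAEMON_JSON HARDENED_DAEMON_JSON; do
    eval "cfg=\$$name"
    printf '%s: ' "$name"
    audit_daemon_json "$cfg" || true
done
network_is_encrypted "$ENCRYPTED_OPTS" && echo "ENCRYPTED_OPTS: overlay encrypted"
network_is_encrypted "$PLAIN_OPTS" || echo "PLAIN_OPTS: overlay NOT encrypted"
```

On a live node, `show_network_options my-attachable-multi-host-network | network_is_encrypted "$(cat)"` style piping or simply `network_is_encrypted "$(show_network_options NAME)"` applies the same check to a real network, and `audit_daemon_json "$(cat /etc/docker/daemon.json)"` to the real daemon config. Note that the default (no `hosts` key) passes because the daemon then listens only locally, which is the point the answer makes.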

The Hetzner Cloud offers a feature called Networks:

Let your servers communicate through a private network and setup complex network
topologies. Ideal for running a kubernetes cluster or a database server that should 
not be reachable publicly.

That should be what you are looking for. I think it was not available when you created your question.

Klaus