
Isolate containers connected to traefik overlay network on swarm

I have multiple stacks running in docker swarm with traefik, where services in each stack are connected to an overlay network (traefik-net) so traefik can talk to them.

If I have a service in each stack that's called the same service name (service1), and then have another service (service2) in either stack try to access it by the service name (ping http://service1), it'll sometimes hit service1 in the other stack, and sometimes hit service1 in the same stack.

docker network create --driver overlay traefik-net

stack1:

services:
  service1:
    networks:
      - default
      - traefik-net

  service2:
    networks:
      - default
      - traefik-net

networks:
  traefik-net:
    external: true

stack2:

services:
  service1:
    networks:
      - default
      - traefik-net

networks:
  traefik-net:
    external: true

I want service2 to only hit service1 that is in the same stack.

I assumed that a service could only hit a service in another stack by prefixing the stack name to the service name (ping http://stack2_service1). But I learned that because of the traefik-net overlay network, they apparently can call each other without the stack name prefix.

Is there a way to turn off service communication across stacks without stack name prefixes?

Or maybe there's a traefik specific solution to the problem?

If anyone has run into this problem, I would very much appreciate a solution.

mxrlkn asked Nov 27 '25 02:11


1 Answer

Yes, there is a solution to what you want to achieve; you just need to make proper use of overlay networks.

By default, all the services that are connected to the same overlay network can talk to/resolve each other.

So let's visualize your current implementation. Now you have one network, traefik-net, and you have connected all your services to it, so your design looks like this:

enter image description here

What you need to do in order to isolate services on different stacks but keep them accessible by traefik is to create a different overlay network in each stack file and connect the traefik service to these networks by defining them as external in the traefik stack file. You are going to end up with this:

enter image description here

In this implementation, all the traffic between different stacks is only possible via the traefik service and not directly.

zochamx answered Nov 29 '25 19:11
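
The layout the answer describes, written out as three stack files in one block separated by `---`. This is an added example, not part of the original answer: the network name `proxy`, the image names and the Traefik v2 `traefik.docker.network` label are assumptions, and the existing routing labels and Traefik provider settings are left out.

```yaml
# stack1.yml   (docker stack deploy -c stack1.yml stack1)
version: "3.8"
services:
  service1:
    image: example/service1:latest      # placeholder image
    networks:
      - default                         # stack-internal, becomes stack1_default
      - proxy                           # shared with traefik only
    deploy:
      labels:
        # service1 sits on two networks; name the one traefik must use
        - traefik.docker.network=stack1_proxy
  service2:
    image: example/service2:latest      # placeholder image
    networks:
      - default                         # "service1" resolves to stack1's copy only
networks:
  proxy:
    driver: overlay                     # created by the stack as stack1_proxy
---
# stack2.yml   (docker stack deploy -c stack2.yml stack2)
version: "3.8"
services:
  service1:
    image: example/service1:latest      # placeholder image
    networks:
      - default
      - proxy
    deploy:
      labels:
        - traefik.docker.network=stack2_proxy
networks:
  proxy:
    driver: overlay                     # created by the stack as stack2_proxy
---
# traefik.yml  (deploy after stack1 and stack2 so both networks exist)
version: "3.8"
services:
  traefik:
    image: traefik:v2.11                # assumption: Traefik v2
    networks:
      - stack1_proxy
      - stack2_proxy
networks:
  stack1_proxy:
    external: true
  stack2_proxy:
    external: true
```

Here service2 is attached only to the stack's default network; add it to `proxy` as well only if traefik has to route to it.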


