Restrict Internet Access - Docker Container

I have a situation where I need to restrict Internet access to one container in a load-balanced network. For example, in the picture below:


Only container4 connects to the Internet; the other three communicate only through container4 with the outside world. For example, if container1 requires smtp support, it will send an smtp request to container4 to gain access.

No container except container4 should have direct access to the Internet! This should be applied at the Docker level.



# bridge network with outbound access (Docker adds NAT/masquerade rules for it)
docker network create --subnet=172.19.0.0/16 internet

# internal network: no NAT/masquerade and no route out, so members cannot reach the Internet
docker network create --internal --subnet 10.1.1.0/24 no-internet

docker network connect internet container-name

docker network connect no-internet container-name



The same with docker-compose. docker-compose.yml:

version: '3'

services:
  outgoing-wont-work:
    image: alpine
    networks:
      - no-internet
    command: ping -c 3 google.com # will crash

  internal-will-work:
    image: alpine
    networks:
      - no-internet
    command: ping -c 3 internal-and-external

  internal-and-external:
    image: alpine
    networks:
      - no-internet
      - internet
    command: ping -c 3 google.com

networks:
  no-internet:
    driver: bridge
    internal: true
  internet:
    driver: bridge

After docker-compose up -d, docker-compose ps shows:

              Name                            Command               State    Ports
----------------------------------------------------------------------------------
dco_inet_internal-and-external_1   ping -c 3 google.com             Exit 0        
dco_inet_internal-will-work_1      ping -c 3 internal-and-ext ...   Exit 0        
dco_inet_outgoing-wont-work_1      ping -c 3 google.com             Exit 1      
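An added check for the two setups above (not code from either answer): an audit that reads `docker network inspect` output and flags any container attached to a non-internal network other than the one allowed to reach the Internet. The inspect data below is constructed; on a real host, feed the function the output of `docker network inspect $(docker network ls -q)`.

```python
import json

# Constructed sample of `docker network inspect` output, reduced to the fields
# the audit uses. "container2" is deliberately attached to the "internet"
# network to show a violation. The default "bridge" network is included because
# a container started without --network lands there and gets Internet access.
SAMPLE_INSPECT = json.dumps([
    {"Name": "no-internet", "Internal": True,
     "Containers": {"id1": {"Name": "container1"}, "id2": {"Name": "container2"},
                    "id3": {"Name": "container3"}, "id4": {"Name": "container4"}}},
    {"Name": "internet", "Internal": False,
     "Containers": {"id4": {"Name": "container4"}, "id2": {"Name": "container2"}}},
    {"Name": "bridge", "Internal": False, "Containers": {}},
])


def internet_exposed(inspect_json, allowed=("container4",)):
    """Return {container: [networks]} for every container that sits on a
    non-internal network and is not in the allow list.

    Only networks marked "Internal": true are treated as isolated; any other
    network (user bridges, the default bridge, overlays) counts as a path out.
    """
    exposed = {}
    for net in json.loads(inspect_json):
        if net.get("Internal"):
            continue  # --internal network: no NAT, no route out
        for c in net.get("Containers", {}).values():
            exposed.setdefault(c["Name"], set()).add(net["Name"])
    return {name: sorted(nets) for name, nets in exposed.items()
            if name not in allowed}


if __name__ == "__main__":
    violations = internet_exposed(SAMPLE_INSPECT)
    for name, nets in violations.items():
        print(f"{name} can reach the Internet via: {', '.join(nets)}")
```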

Have you looked at Docker Compose? See:

https://docs.docker.com/compose/overview/

https://docs.docker.com/compose/networking/

Example docker-compose.yml in your case (unverified):

version: '2'

services:
  container1:
    image: ...
    container_name: container1
    networks:
      - container1

  container2:
    image: ...
    container_name: container2
    networks:
      - container2

  container3:
    image: ...
    container_name: container3
    networks:
      - container3

  container4:
    image: ...
    container_name: container4
    ports:
      - "80:80"
    networks:
      - container1
      - container2
      - container3

networks:
  container1:
  container2:
  container3:

Thus, each container's hostname will be its container_name.


Source: https://habr.com/ru/post/1657035/
