I have a VM with
- a public IP Address on eth0
- an internal private IP address on ens01 (10.0.0.1)
- up to 5 private IP aliases on ens01 (10.0.0.2, .3, .4, .5, .6)
I want to route traffic to my docker containers through the private network from a reverse proxy running on another VM.
I want all containers to use host networking, but I want each to listen on one and only one of the private IP addresses. For example, every container should be able to listen on port 80 bound to its own private IP address.
My plan is to put a firewall rule on the public IP to prevent any traffic from entering or leaving the VM through the public internet.
First of all, is this even possible? And if so, how do I accomplish it?
2 Answers
This is possible. You need to create a macvlan network https://docs.docker.com/network/macvlan/
and assign your containers to it with their respective IP addresses.
Docker can do this, out of the box, with no special configuration, and without disabling Docker's networking layer.

The docker run -p option (and, equivalently, Compose ports:) takes an optional host IP address. So in your setup, where the host already has multiple IP addresses configured, you just need to tell Docker which one goes with which container:

If you do, this completely disables Docker's networking layer. Every container can see every host interface, and it's up to the specific application running inside the container to bind to the right one, using application-specific setup. I wouldn't recommend host networking except in particular unusual situations.