Docker (compose) networking - service isolation not working


I have three docker-compose files. Each contains a single service, each spins up its own network, and each references only the other necessary network via "external".

ARCHITECTURE
The following communications shall be allowed:

  • Frontend <-> Service
  • Service <-> Backend
  • BUT NOT Frontend <-> Backend

PROBLEM
Unfortunately, if I execute docker exec frontend ping backend it works!
Same for docker exec backend ping frontend.

What is wrong with my setup?

docker-compose.yaml for Frontend:

services:
  frontend:
    image: alpine
    container_name: frontend
    networks:
      - frontend_net
      - service_net
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do echo alive; sleep 10m & wait $${!}; done;'"

networks:
  frontend_net:
    name: frontend_net
    attachable: true
    #internal: true
  service_net:
    external: true

docker-compose.yaml for Service:

services:
  service:
    image: alpine
    container_name: service
    networks:
      - service_net
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do echo alive; sleep 10m & wait $${!}; done;'"

networks:
  service_net:
    name: service_net
    #internal: true

docker-compose.yaml for Backend:

services:
  backend:
    image: alpine
    container_name: backend
    networks:
      - backend_net
      - service_net
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do echo alive; sleep 10m & wait $${!}; done;'"

networks:
  backend_net:
    name: backend_net
    attachable: true
    #internal: true
  service_net:
    external: true

If everything is spun up and running, my networks look like this:

# docker network list
NETWORK ID     NAME                     DRIVER    SCOPE
4b162b628e76   backend_net              bridge    local
f118e228948d   bridge                   bridge    local
b3bf160b09a3   frontend_net             bridge    local
45ff3d4f66d0   host                     host      local
8eedcf91c792   none                     null      local
a745922e2eea   service_net              bridge    local



Every container can connect to other containers on the same shared network, and in this case the frontend and backend share the service network. If you want to ensure two containers cannot connect to each other, then ensure they have no common networks.

In this case, I'd remove the service network from the frontend and backend. You can either place the service container (not a great name) on both the frontend and backend networks, or create additional networks just for each of these interconnects so the service container cannot reach other containers on those networks.
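The answer's first option written out as compose files (an added example, not the asker's or answerer's own files): frontend and backend each keep only their own network, and the service container joins both, so frontend and backend no longer have any network in common. Frontend and Backend must be brought up before Service, because Service references their networks as `external`.

```yaml
# docker-compose.yaml for Frontend (creates frontend_net)
services:
  frontend:
    image: alpine
    container_name: frontend
    networks:
      - frontend_net     # only this network: no shared network with backend
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do echo alive; sleep 10m & wait $${!}; done;'"

networks:
  frontend_net:
    name: frontend_net
    attachable: true
---
# docker-compose.yaml for Service (joins both edge networks, creates none)
services:
  service:
    image: alpine
    container_name: service
    networks:
      - frontend_net     # reachable from frontend
      - backend_net      # reachable from backend
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do echo alive; sleep 10m & wait $${!}; done;'"

networks:
  frontend_net:
    external: true       # created by the Frontend compose file; bring it up first
  backend_net:
    external: true       # created by the Backend compose file; bring it up first
---
# docker-compose.yaml for Backend (creates backend_net)
services:
  backend:
    image: alpine
    container_name: backend
    networks:
      - backend_net      # only this network: no shared network with frontend
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do echo alive; sleep 10m & wait $${!}; done;'"

networks:
  backend_net:
    name: backend_net
    attachable: true
```

With all three running, `docker exec frontend ping backend` should fail while `docker exec frontend ping service` and `docker exec backend ping service` still succeed; `docker network inspect frontend_net` and `docker network inspect backend_net` should each list exactly two containers, with `service` the only one present in both.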