Docker Community Forums

Share and learn in the Docker community.

Container route all ports except one to one network and the single port to a second one


I’m rather new to Docker albeit I have already set up some virtuallans with macvlan and different private networks within docker compose.

But now I want to route just one port of a container to a different network.

Basically one container should route all its traffic to an openvpn proxy instance but one port should be routed to the hostnet without exposing the whole openvpn network to the hostnet or the whole hostnet to the source container.

Could someone point me to the right direction. Maybe it is obvious but I’m just a bit paralized. Or is that even possible?


Encrypt traffic on an overlay network🔗
All swarm service management traffic is encrypted by default, using the AES algorithm in GCM mode. Manager nodes in the swarm rotate the key used to encrypt gossip data every 12 hours.

To encrypt application data as well, add --opt encrypted when creating the overlay network. This enables IPSEC encryption at the level of the vxlan. This encryption imposes a non-negligible performance penalty, so you should test this option before using it in production.

When you enable overlay encryption, Docker creates IPSEC tunnels between all the nodes where tasks are scheduled for services attached to the overlay network. These tunnels also use the AES algorithm in GCM mode and manager nodes automatically rotate the keys every 12 hours.

Do not attach Windows nodes to encrypted overlay networks.

Overlay network encryption is not supported on Windows. If a Windows node attempts to connect to an encrypted overlay network, no error is detected but the node cannot communicate.

You can use the overlay network feature with both --opt encrypted --attachable and attach unmanaged containers to that network:

$ docker network create --opt encrypted --driver overlay --attachable my-attachable-multi-host-network
Customize the default ingress network
Most users never need to configure the ingress network, but Docker 17.05 and higher allow you to do so. This can be useful if the automatically-chosen subnet conflicts with one that already exists on your network, or you need to customize other low-level network settings such as the MTU.

Customizing the ingress network involves removing and recreating it. This is usually done before you create any services in the swarm. If you have existing services which publish ports, those services need to be removed before you can remove the ingress network.

During the time that no ingress network exists, existing services which do not publish ports continue to function but are not load-balanced. This affects services which publish ports, such as a WordPress service which publishes port 80.

Inspect the ingress network using docker network inspect ingress, and remove any services whose containers are connected to it. These are services that publish ports, such as a WordPress service which publishes port 80. If all such services are not stopped, the next step fails.

Remove the existing ingress network:

$ docker network rm ingress

WARNING! Before removing the routing-mesh network, make sure all the nodes
in your swarm run the same docker engine version. Otherwise, removal may not
be effective and functionality of newly created ingress networks will be
Are you sure you want to continue? [y/N]
Create a new overlay network using the --ingress flag, along with the custom options you want to set. This example sets the MTU to 1200, sets the subnet to, and sets the gateway to

$ docker network create
–driver overlay
Note: You can name your ingress network something other than ingress, but you can only have one. An attempt to create a second one fails.

1 Like

Thank you very much for your very thorough explanation!