TL;DR: I’d like a simple way to restrict access based on source IP in Mongo, but my client web containers are all on the same network and it is impossible to set their IP addresses statically.
Here’s an architecture challenge for you: we have one MongoDB service with many databases, one per customer.
Connected to that, we have many client web containers, one container per customer. Our goal is that web container A cannot access database B.
With standalone Docker, it’s simple:
- you create web container B (with a fixed IP address in docker-compose.yml)
- set this source IP as an ACL in MongoDB for database B.
Now for Docker Swarm, I cannot do that (set a fixed IP address for the replicas of web container B). Here’s what I tried:
My idea is then to create one network per customer.
Web replicas B → overlay network B → Database B (ACL: CIDR address of network B)
However, adding a new network to the MongoDB service means updating it, which means recreating instances, which means importing the encryption-at-rest key each time: I don’t want that. So why not provision a bunch of networks in advance and use them as we add customers?
My problem here is that I cannot change the names of networks.
So I cannot rename, say, a network called provision-14 to network-B, for example.
Of course, there’s the option of a little RP between my networks and my MongoDB service, but I’d like to avoid adding a new component.
I don’t see anyone struggling with the same type of architecture issue online, so I wonder if I’m missing something here? Is there a simpler architecture solution?
Thanks in advance to anyone who reads and answers! (edited)
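As an added example, not part of the original post or of any project it mentions, here is the MongoDB side of the standalone-Docker setup described in the post: a user for customer B that is limited to database B and, through MongoDB's `authenticationRestrictions.clientSource` (available since 3.6), to the source range of customer B's web network. The database name `customerB`, the user name `web-customerB`, the password placeholder and the `10.20.0.0/24` range are assumed values. The CIDR check in the block mirrors the decision the server makes at authentication time, so it can be exercised without a running mongod.

```javascript
// Added example: builds the createUser() document that pins customer B's web
// tier to its own database and its own source address range, and emulates the
// clientSource check MongoDB applies when that user authenticates.
// Database name, user name, password placeholder and network range are assumed.

// Convert a dotted IPv4 address to a 32-bit unsigned integer.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!Number.isInteger(n) || n < 0 || n > 255) throw new Error(`bad octet in ${ip}`);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

// True when `ip` lies inside `cidr` (e.g. "10.20.0.0/24"); a bare address is a /32.
function ipInCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(base) & mask);
}

// Build the user document for one customer: `dbName` is that customer's database,
// `cidr` the network its web replicas connect from.
function customerUserSpec(dbName, cidr, password) {
  return {
    user: `web-${dbName}`,
    pwd: password,
    // Least privilege: readWrite on this customer's database only, nothing else.
    roles: [{ role: 'readWrite', db: dbName }],
    // MongoDB refuses authentication for this user from any address outside the range.
    authenticationRestrictions: [{ clientSource: [cidr] }],
  };
}

// Emulate the server-side decision: is `clientIp` allowed to authenticate as `spec`?
function authAllowed(spec, clientIp) {
  return spec.authenticationRestrictions.some(r =>
    r.clientSource.some(c => ipInCidr(clientIp, c)));
}

// Constructed sample: customer B's web replicas live on 10.20.0.0/24 (assumed).
const customerB = customerUserSpec('customerB', '10.20.0.0/24', 'CHANGE-ME-placeholder');

// In mongosh the same document is applied with:  use customerB; db.createUser(customerB)
console.log(JSON.stringify(customerB, null, 2));
console.log('from 10.20.0.7:', authAllowed(customerB, '10.20.0.7')); // true
console.log('from 10.30.0.7:', authAllowed(customerB, '10.30.0.7')); // false
```

Because the restriction is attached to the user rather than to a network object, the web tier of customer B only needs a stable address range, not a stable address; in the Swarm case that range would be the subnet of the customer's overlay network. A web container of customer A that somehow obtains customer B's credentials is still rejected because it authenticates from outside `10.20.0.0/24`.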