Docker Network Issue: two VNICs for one host with two SWAG Containers

Hey everybody,

I need your help.
My setup consists of one Ubuntu instance with two VNICs attached to it. Each VNIC has one public IP and one private IP (VNIC1 = IP1; VNIC2 = IP2).
My plan is that I have one SWAG container (Secure Web Application Gateway) for each IP.
IP1 with SWAG 1 is up and running.
IP2 with SWAG 2 is up, but not reachable through the internet (Time Out).

I deployed the containers like that:
SWAG 1
- ports:
  - Private IP1:443:443

SWAG 2
- ports:
  - Private IP2:443:443

Both containers run on their own user-defined-bridge network

The fun part is that I can reach the second IP (IP2) with SSH (port 22) and ping (ICMP). I can even use telnet to reach the IP on port 80. (I still get “Connection Refused”, but that is supposed to happen.)

I think I have to change something with my docker network.
Do you have any idea?

Thanks :slight_smile:

Docker is neither involved, nor responsible for firewall rules of the host, with the exception of published ports (in your case port 443 for IP1 and IP2).

It is either up to the host’s firewall or a security group (in case your VM is a compute node on a hyperscaler platform like AWS or Azure) to block traffic to port 22 and ICMP traffic.

Probably I completely misunderstood and you mean something entirely different. If so, please elaborate more on it, as the objective of your post is unclear (at least to me).

Hello @meyay,

thank you for your fast answer and I’m really sorry for my description. I am really bad at describing my problems.
Yes, I use an Oracle Cloud instance.
Both VNICs are attached to this instance and use a security group that allows traffic on ports 443, 80 (HTTP redirect to HTTPS), 22 and ICMP.
My first thought was also that it has to be a problem with the firewall, but it confuses me that ports 22 and 80 are working.

My question is whether Docker knows exactly where to route the traffic if a packet arrives on IP2.
Maybe I have to change something in the Docker iptables?

When you publish a port with -p ip:hostport:containerport, Docker will make sure to only bind the host port on the specified IP and make sure the iptables rules are added to forward incoming traffic on that IP and port to the container port. AFAIK no routing is involved between host IP and container IP; also a published port does not magically bind a container to a specific host interface.
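A way to verify the two things that reply describes, the host port being bound on the published IP and the DNAT rule Docker adds for it, as an added example that is not part of the thread or of Docker itself. The `ss -ltn` and `iptables -t nat -S DOCKER` lines embedded below are constructed samples (IPs 10.0.0.11 and 10.0.0.22 standing in for private IP1 and IP2, bridge `br-aaaa1111`, container address 172.18.0.2); on a real host you pass the live command output instead.

```shell
#!/bin/sh
# Added example, not code from the thread. For a port published with
# `-p HOSTIP:443:443` it checks (a) that a listener is bound on exactly
# HOSTIP:443 and (b) that the nat/DOCKER chain holds a DNAT rule for it.
# Feed it real output from `ss -ltn` and `iptables -t nat -S DOCKER`;
# the two samples below are constructed and only contain the IP1 publish.

# Constructed `ss -ltn` output: sshd on all addresses, SWAG 1 on IP1 only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   10.0.0.11:443       0.0.0.0:*'

# Constructed `iptables -t nat -S DOCKER` output for the same host.
SAMPLE_NAT='-N DOCKER
-A DOCKER -i br-aaaa1111 -j RETURN
-A DOCKER -d 10.0.0.11/32 ! -i br-aaaa1111 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.0.2:443'

# port_bound_on_ip IP PORT   (reads `ss -ltn` output on stdin)
# Succeeds if a LISTEN socket is bound to exactly IP:PORT, i.e. the publish
# was restricted to that address and not to 0.0.0.0.
port_bound_on_ip() {
  awk -v want="$1:$2" '$1 == "LISTEN" && $4 == want { found = 1 }
                       END { exit (found ? 0 : 1) }'
}

# dnat_rule_for_ip IP PORT   (reads `iptables -t nat -S DOCKER` output on stdin)
# Succeeds if the DOCKER chain has a rule with -d IP/32, --dport PORT and -j DNAT.
dnat_rule_for_ip() {
  awk -v ip="$1/32" -v port="$2" '
    $1 == "-A" && $2 == "DOCKER" {
      d = ""; p = ""; j = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-d")      d = $(i + 1)
        if ($i == "--dport") p = $(i + 1)
        if ($i == "-j")      j = $(i + 1)
      }
      if (d == ip && p == port && j == "DNAT") found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# check_published_port IP PORT SS_OUTPUT NAT_OUTPUT
# Prints one line per check and returns 0 only if both checks pass.
check_published_port() {
  ip="$1"; port="$2"; ss_out="$3"; nat_out="$4"; rc=0
  if printf '%s\n' "$ss_out" | port_bound_on_ip "$ip" "$port"; then
    echo "ok:      $ip:$port is bound on the host"
  else
    echo "missing: no listener on $ip:$port (check docker ps and the -p value)"
    rc=1
  fi
  if printf '%s\n' "$nat_out" | dnat_rule_for_ip "$ip" "$port"; then
    echo "ok:      DNAT rule for $ip:$port present in nat/DOCKER"
  else
    echo "missing: no DNAT rule for $ip:$port in nat/DOCKER"
    rc=1
  fi
  return $rc
}

# Demo on the constructed samples: IP1 passes both checks, IP2 fails both
# because the samples only contain the IP1 publish.
check_published_port 10.0.0.11 443 "$SAMPLE_SS" "$SAMPLE_NAT" || true
check_published_port 10.0.0.22 443 "$SAMPLE_SS" "$SAMPLE_NAT" || true
```

On the host itself run it as `check_published_port "$IP2" 443 "$(ss -ltn)" "$(sudo iptables -t nat -S DOCKER)"`. If both checks pass for IP2 and the connection still times out, the publish is in place and the drop is happening before Docker sees the packet (host firewall, cloud security list, or the path to the VNIC), which is the direction the replies above point in. Note that when Docker's userland proxy is disabled there is no listener to find, and the exact rule layout in the nat table varies between Docker versions, so treat the rule parser as a starting point rather than a fixed format.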