I have a Java application that is launched with a runtime variable as Dhttp.host=0.0.0.0 The HTTP server must be exposed for health check end-points. However, I would like to keep the exposure restrictive.
Does this mean all services across all networks in the Docker host have access to this application?
How do I restrict the visibility only to those services running in a give network?
Or, at least, not expose this server to outside of the Docker engine - let alone the Docker host?
Unless you are using the host network, processes inside containers can only listen on ip addresses available inside the container. 0.0.0.0 will mean it will listen on oopback interfaces and for example on 172.18.0.2 if that is the ip of the container. You can access it from the host or from another container in the same network. Even if you forward a port from the host to the container, you can forward it from a specific ip address:
Make it 127.0.0.1:80:80 and only your host will be able to access port 80 of the container. Docker has no control after the port level. So if you want just a specific url context to be not reachable, then you will need to implement it yourself with a reverse proxy.