Docker Community Forums


How can I isolate docker containers that need to talk to a central container?

I have a reverse proxy nginx server container (jwilder/nginx-proxy), and a bunch of web server containers. Each web server has its own docker-compose file in its own folder, so from what I understand, they are considered to be in separate projects by docker. I like that, since I can start and stop new web services (containers) without stopping the nginx-proxy container.

How do I set up the docker networking so that the reverse proxy container can talk to all the web server containers (so it can forward requests to them), but the web server containers can’t talk to each other?

The point is to have it so that if one of the web servers gets hacked, and the hacker gets access to its container, and can run arbitrary commands, they have no IP connectivity to any of the other containers.

The easy way to set this up to just get it working is to create a single, external docker LAN, and put the reverse proxy container, and all the web server containers into it. This works, but then everything is on the same LAN.

The only way I can think of to isolate the web servers from each other is to:

  • Create a new, external docker LAN for each web server
  • Add each of these LANs to the reverse proxy container

This should work, but every time I have a new web server, I would need to:

  • Manually create the external LAN for that web server with “docker network create NEW_LAN”
  • Modify the reverse proxy’s docker-compose file to add that LAN to it
  • Either run the command that adds that LAN to the running nginx-proxy docker container, or restart the nginx-proxy to add that LAN to it

Is there an easier, more dynamic way to do this?
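
The manual steps listed in the post (create one network per web server, then attach it to the running proxy) can be scripted so they are idempotent and need no proxy restart. This is an added example, not part of the original post; the container name `nginx-proxy` and the `<site>_proxy` network naming are assumptions. It also includes a check that flags a network where two web servers ended up sharing a LAN.

```shell
#!/bin/sh
# Added example: one isolated network per web server, each shared only with the proxy.
# Assumptions: proxy container name "nginx-proxy", networks named "<site>_proxy".
PROXY="${PROXY:-nginx-proxy}"

# Accept only simple lowercase names so nothing unexpected reaches the docker CLI.
valid_site() {
  case "$1" in
    ""|*[!a-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Names of the containers currently attached to network $1, space separated.
net_members() {
  docker network inspect -f '{{range .Containers}}{{.Name}} {{end}}' "$1"
}

# Create the site's network if it is missing and attach the running proxy to it.
# Safe to run repeatedly; prints the network name on success.
isolate_site() {
  site="$1"
  valid_site "$site" || { echo "invalid site name: $site" >&2; return 2; }
  net="${site}_proxy"
  docker network inspect "$net" >/dev/null 2>&1 \
    || docker network create "$net" >/dev/null || return 1
  attached="$(net_members "$net")" || return 1
  case " $attached " in
    *" $PROXY "*) ;;                                   # proxy already attached
    *) docker network connect "$net" "$PROXY" || return 1 ;;
  esac
  echo "$net"
}

# Isolation check: succeeds only if at most one non-proxy container is on network $1.
audit_net() {
  members="$(net_members "$1")" || return 2
  others=0
  for m in $members; do
    [ "$m" = "$PROXY" ] || others=$((others + 1))
  done
  [ "$others" -le 1 ]
}
```

After sourcing the file, `isolate_site blog` prepares the network; the web server's compose file then joins only `blog_proxy`, declared as an external network.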