What is the best way to use docker swarm mode to provide multiple services to the internet or an intranet and meet these requirements?
1. The services may scale to multiple containers.
2. The services may use non-HTTP protocols.
3. The services should be available using the native application ports (80, 443) even though they overlap between services.
4. The published service IP addresses should be different from the IP addresses used to manage the infrastructure, preferably on a separate network (security policy).
5. It would also be nice to bring up a test environment in parallel on the same docker infrastructure without conflicts between production and test services.
Swarm overlay networks seemed promising. Service virtual IPs are load balanced (IPVS?) to all the service’s own containers, so scaling is pretty easy (requirement 1). There are internal and external virtual IPs for each service. The service load balancer is agnostic with respect to protocols, so HTTP and non-HTTP services are both supported (requirement 2). Overlay networks could meet requirements (3) and (4) if I could just configure a service to use a different external virtual IP from other services or from the host. I haven’t figured out how to do this yet.
I looked at the Traefik reverse proxy, including some work by Bret Fisher (Docker Captain). Traefik can meet requirements 1 & 3 for HTTP and HTTPS (with the same certificate for all services). I don’t think it helps with non-HTTP protocols (requirement 2). It doesn’t separate service traffic from management traffic (requirement 4). Also, Traefik interprets the HTTP and HTTPS protocols – if something breaks you may have to investigate the proxy as well as the service. (For example, how well does Traefik scale itself?) I’d prefer to use a reverse proxy where there are distinct advantages, not for every web service.
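As an added example (not part of the original post), the stack file below exercises the swarm overlay behaviour the question describes: replicated services behind a virtual IP, one HTTP and one plain-TCP, on a single overlay network. The image names, the `published` port numbers and the network name `app` are assumptions chosen for illustration.

```yaml
# Added example stack file (not from the original post). Image names, published
# port numbers and the network name are assumptions chosen for illustration.
version: "3.8"

networks:
  app:
    driver: overlay          # one swarm-scoped overlay network for the stack's services

services:
  web:                       # HTTP service (requirements 1 and 2)
    image: nginx:alpine      # assumed image
    networks: [app]
    deploy:
      replicas: 3            # several tasks behind one service virtual IP
      endpoint_mode: vip     # swarm assigns the VIP; IPVS spreads connections over the tasks
    ports:
      - target: 80
        published: 8080      # ingress routing-mesh port; published ports are unique swarm-wide
        protocol: tcp
        mode: ingress

  cache:                     # non-HTTP TCP service (requirement 2)
    image: redis:7-alpine    # assumed image
    networks: [app]
    deploy:
      replicas: 2            # two independent instances, only to show VIP balancing is protocol-agnostic
      endpoint_mode: vip
    ports:
      - target: 6379
        published: 6379      # assumed port; same swarm-wide uniqueness rule applies
        protocol: tcp
        mode: ingress
```

Deploy with `docker stack deploy -c stack.yml prod`. A second `docker stack deploy -c stack.yml test` gets its own `test_app` overlay network and `test_web`/`test_cache` services, isolated from the `prod_` ones on the overlay (requirement 5), but published ports are one namespace across the whole swarm, so the test copy needs different `published:` values or the deploy fails. The same rule is why two services cannot both publish 80 in ingress mode (the gap in requirement 3). The ingress mesh also listens on every node's addresses, management ones included, which is the gap in requirement 4; `docker swarm init --data-path-addr` moves only the overlay's VXLAN traffic to a separate interface, not the published ports.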