Install Docker Swarm over 2 different subnets

Here is my configuration: I have set up two subnets, one for managers (10.1.1.0) and another for workers (10.1.0.0).
[Diagram of the two subnets]
To test subnet connectivity initially, I followed these steps using only one manager and one worker:

Installation Steps:

  1. On the manager, I allowed the following inbound ports:
  • Port 2377: Any protocol
  • Port 4789: Any protocol
  • Port 7946: Any protocol
  • Port 50: Any protocol
  2. On the worker, I allowed the following inbound ports:
  • Port 7946: Any protocol
  • Port 4789: Any protocol
  • Port 50: Any protocol
  • Port 2377: Any protocol
  3. I initiated the Docker Swarm with the following command:
    docker swarm init --advertise-addr 10.1.1.1 --default-addr-pool 10.20.0.0/8 --default-addr-pool-mask-length

  4. Workers joined the swarm.

  5. I checked the status of the worker nodes using the command:
    docker node ls

  6. I created an overlay network with the following command:
    docker network create --driver overlay --subnet 10.10.0.0/16 --attachable testnetwork

  7. I deployed a service using Docker Compose with the following configuration:

version: "3.8"
services:
  test-image:
    image: image:release.263
    deploy:
      mode: replicated
      replicas: 2
      placement:
        constraints:
          # the node.labels. prefix is matched case-sensitively and lowercase
          - node.labels.name == worker
    # service-level keys: networks and ports belong beside deploy, not under it
    networks:
      - testnetwork
    ports:
      - 8080:8080
networks:
  testnetwork:
    external: true
  8. I attempted to connect to the service using the Telnet command:
    On the worker: Connection established (200 connected).
    On the manager: Connection attempts timed out.

If you have any further questions or need clarifications, please let me know.

Interesting setup.

How do you execute the telnet? Do you run it inside of a container? You set the service to be replicated to two, but it will never run on the manager node, so how do you connect to it?

Something looks off…

The subnet 10.20.0.0/8 is actually the subnet 10.0.0.0/8 with ips in the range 10.0.0.1 - 10.255.255.254. The advertise address is in that range. It is probably not what you want.

You could use 10.16.0.0/12 with ips in the range 10.16.0.1 - 10.31.255.254. Though, as I don’t know which subnet cidr ranges actually exist in your network, I can only advise to use a subnet calculator (google should find plenty of them) to identify a suitable cidr range for the swarm networks that is not already used by an existing subnet.

Note: the default-addr-pool is used for overlay networks, when they are created without specifying a subnet.

When swarm is running on a Hyperscaler like AWS or Azure, the nodes are typically in different availability zones, each with their own subnet. Works like a charm, if the security groups (aka “firewall rules”) are configured properly. Though, it does not work stably across regions, as the RAFT consensus that Swarm uses requires a low-latency network.

We had plenty of topics in the forum where a mismatch of the mtu size prevented the overlay network communication.

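To make the CIDR point in the reply above concrete, here is an added example (not from the original thread) that checks a proposed --default-addr-pool and overlay subnet against the node subnets with Python's ipaddress module, reporting the kind of overlap the reply warns about. The /24 masks on the node subnets are an assumption, since the post only gives the network addresses.

```python
import ipaddress

# Constructed inputs mirroring the thread. The /24 masks are assumed;
# the original post gives only 10.1.1.0 and 10.1.0.0.
NODE_SUBNETS = ["10.1.1.0/24", "10.1.0.0/24"]
ADVERTISE_ADDR = "10.1.1.1"
DEFAULT_ADDR_POOL = "10.20.0.0/8"   # value from the swarm init command
OVERLAY_SUBNET = "10.10.0.0/16"     # value from the network create command


def normalize_pool(cidr: str) -> ipaddress.IPv4Network:
    """Return the network a pool string really denotes.

    With host bits set, 10.20.0.0/8 denotes 10.0.0.0/8, which is what the
    reply above points out; strict=False performs that same normalization.
    """
    return ipaddress.ip_network(cidr, strict=False)


def check_pools(node_subnets, advertise_addr, default_pool, overlay_subnet):
    """Return a list of findings; an empty list means no overlap was found."""
    findings = []
    pool = normalize_pool(default_pool)
    if str(pool) != default_pool:
        findings.append(f"pool {default_pool} is really {pool} (host bits set)")

    # The advertise address must not fall inside the overlay address pool.
    addr = ipaddress.ip_address(advertise_addr)
    if addr in pool:
        findings.append(f"advertise address {addr} lies inside pool {pool}")

    nodes = [ipaddress.ip_network(s, strict=False) for s in node_subnets]
    for net in nodes:
        if net.overlaps(pool):
            findings.append(f"node subnet {net} overlaps pool {pool}")

    # An explicitly created overlay subnet must not collide with node subnets.
    overlay = ipaddress.ip_network(overlay_subnet, strict=False)
    for net in nodes:
        if net.overlaps(overlay):
            findings.append(f"overlay subnet {overlay} overlaps node subnet {net}")
    return findings


if __name__ == "__main__":
    for line in check_pools(NODE_SUBNETS, ADVERTISE_ADDR, DEFAULT_ADDR_POOL, OVERLAY_SUBNET):
        print("WARNING:", line)
```

Re-running the check with the 10.16.0.0/12 pool suggested in the reply returns no findings for these node subnets.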

In the normal setup using Swarm, the service should be accessible from the managers and the workers if the ports are exposed. You can telnet to the service from the managers or the workers using the telnet command on the machine itself.