I am seeking guidance or suggestion on how to best implement this scenario:
- a large number of remote “workers” that are behind a NAT/firewall where no control is possible (so no port forwarding, opening, etc.)
- a number of central “workers” that the remote “workers” connect to
- there is no communication needed between the remote “workers”
The communication from remote to central is over the Internet, so the traffic needs to be encrypted.
Each remote “worker” is built (composed) from a number of containers, some of which need to be addressable (and discoverable) from the central “workers”. Of course, the central “workers” are also multi-container.
By large I mean 10 to 100ks, so very large. It is so large that a single network per remote “worker” is not possible; the central “workers” are unlikely to support the correspondingly large number of resulting interfaces, even by splitting the load amongst a cluster of services.
I say “workers” in quotes because docker-swarm is a possibility (to manage the whole thing, including discovery, etc.). But this is not an absolute must; however, an alternative will then be needed to manage the inventory.
I do not think the overlay network works here. First, it is unlikely to support the NAT traversal option for IPsec. But more importantly, since it is a mesh network (unless I am missing the concept of a tree, if it exists), it just does not scale.