I am trying to mock up a deployment where, I want an AppServer in my 172.21.* network to connect to a DB in 172.22.* network.
I can definitely ping the DbNetwork i the use the Host-IP: DbPort exposed on the host. However, I want to be able to ping directly from my AppOS to DbOS IP without using the Host-DbPort.
My understanding is I can use DOCKER-USER to make this happen, but have not found a good example for this.
By “DOCKER-USER” do you mean the iptables chain? I never needed that. You can add multiple networks to one container. If you want a container to be able to access the DB, you can attach the DbNetwork to that container.
I am trying not to add the containers to the same network. The idea is to be able to mimic two subnets, one for the App and one for the Db and let the App reach the Db only through selective IP and Port rules between the networks.
My understanding is that DOCKER-USER chain on the Host can be updated with rules to allow this. Right now each container is able to ping external websites (like cnn.com, google.com), but are unable to ping each other.
Can you explain why you don’t want the containers to share the same network? The way you seem to want to do may be counter productive.
The ideal method would be to create a private internal network between your DB and your APP, another network for your app to talk to the outside world. There is no reason to expose ports to your DB from the outside world if you don’t need to, and normally your DB shouldn’t be able to connect out.
I was probably stuck on the thought of a single network interface for the App Instance and therefore a single network only. I should be able to add the App to two networks, one internal with the Db and one external.