Docker Community Forums


Publish Docker Swarm Services in multiple VLANs (Informational question)

swarm

(Mobernberger) #1

Hi,
we are having different development teams inside our company which are working with docker containers and want to centralize all of the development on a centralized Docker Swarm Cluster right now on Windows Server 1803.
So our plan for the infrastructure is the following:

  • Right now 3 Windows Server 1803 Docker hosts
  • Each of them has two NICs (one for management only and one where all the different development VLANs will be passed through)

Our business wants to isolate the containers from one development team against the other teams, so our plan is that we add overlay networks for every team and join their containers to the corresponding overlay network to get it isolated, but there is still one open question for us:

Is it possible to publish Docker services to a specific ip-address of the host which is only in the VLAN for the corresponding dev team?

If there are any additional questions or my request is unclear, please reach out to me.

Thanks,
Michael


(Daschott) #2

This should be possible. Can you use
docker network create -o "com.docker.network.windowsshim.interface=Ethernet 2" -d overlay MyOverlay

to select a specific development NIC to create an overlay network on top of?


(Daschott) #3

Perhaps the following docs explain it in a bit more detail as well:


(Mobernberger) #4

Hi David,

thanks for the links, I have gone through all of them and now have the following problems.

My current infrastructure looks like this:
2 physical hosts with Windows Server 2019 (also tested with 1803) with the following network configuration:

  • 2 physical NICs which are connected only via tagged VLANs to our backend network
  • 2 physical NICs which are tagged in our different deployment VLANs where we should publish services.

So I am creating two different NIC Teams with the command:
New-NetLbfoTeam -Name Infra -TeamingMode SwitchIndependent -TeamMembers "Ethernet 1","Ethernet 2"
New-NetLbfoTeam -Name Customer -TeamingMode SwitchIndependent -TeamMembers "Ethernet 3","Ethernet 4"

After this I am adding the VLAN ID and an ip-address to our Infra Team with the following commands:
Set-NetLbfoTeamNic -Name Infra -VlanID 532
New-NetIPAddress -InterfaceAlias "Infra - VLAN 532" -IPAddress "172.18.90.10" -PrefixLength 24 -DefaultGateway "172.18.90.1"

After this I am creating the swarm with
docker swarm init --advertise-addr=172.18.90.10 --listen-addr 172.18.90.10:2377

After this is done, I am losing the network connection to the host because a new NIC is activated which loses the VLAN configuration, and no connections are available.
The problem is that the default ingress network which is created isn't correctly mapped to the VLAN ID and the correct NIC. When I delete the ingress network and create a new one which is mapped to a specific VLAN and NIC, the network does not work.

Thanks,
Michael


(Daschott) #5

Hi Michael,

  1. When you created a new ingress network after deleting the old one, have you passed the --ingress flag to the new overlay network as specified in https://docs.docker.com/v17.09/engine/swarm/networking/#customize-the-ingress-network?

  2. Upon doing so, what networking flow did not work?


(Mobernberger) #6

Hi David,

yes, I have done that. As soon as I create the ingress network, the network connection to the host is lost and you can only do local stuff on this host. Also no publishing is working on this host.

BR
Michael
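An added PowerShell script (not from the thread or from Docker) that walks the setup from post #4 step by step and re-checks the host's VLAN path after each step, so the step that drops the VLAN NIC is pinned down instead of being noticed as a lost session. It reuses the thread's values (team "Infra", VLAN 532, 172.18.90.10/24, gateway 172.18.90.1, team members "Ethernet 1"/"Ethernet 2"); the alias "Infra - VLAN 532" and the use of the windowsshim interface option on the rebuilt ingress network are taken from the posts above and are assumptions about the environment, not verified behaviour.

```powershell
# Added example: reproduce the thread's steps and verify the host path after each one.
# Run from the management NIC session, never over the NICs being teamed.
$ErrorActionPreference = 'Stop'

$TeamName  = 'Infra'                          # values from post #4
$VlanId    = 532
$HostIp    = '172.18.90.10'
$Gateway   = '172.18.90.1'
$VlanAlias = "$TeamName - VLAN $VlanId"       # assumed alias of the team's VLAN NIC

function Test-HostPath {
    # Returns $true only if the VLAN NIC is up, still carries the VLAN tag,
    # still owns the host address, and the gateway answers an ICMP probe.
    param([string]$Step)
    $nic = Get-NetAdapter -Name $VlanAlias -ErrorAction SilentlyContinue
    $tag = Get-NetLbfoTeamNic -Team $TeamName -ErrorAction SilentlyContinue |
           Where-Object { $_.VlanID -eq $VlanId }
    $ip  = Get-NetIPAddress -InterfaceAlias $VlanAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue
    $gw  = Test-NetConnection -ComputerName $Gateway -InformationLevel Quiet -WarningAction SilentlyContinue
    $ok  = ($nic -and $nic.Status -eq 'Up') -and [bool]$tag -and ($ip.IPAddress -contains $HostIp) -and $gw
    Write-Host ("[{0}] {1}: nic={2} vlanTag={3} ip={4} gateway={5}" -f (Get-Date -Format 'HH:mm:ss'),
        $Step, $nic.Status, [bool]$tag, ($ip.IPAddress -join ','), $gw)
    return $ok
}

# Step 1: switch-independent team on the backend NICs, tag it, and address it (post #4).
New-NetLbfoTeam -Name $TeamName -TeamingMode SwitchIndependent `
    -TeamMembers 'Ethernet 1','Ethernet 2' -Confirm:$false | Out-Null
Set-NetLbfoTeamNic -Name $TeamName -VlanID $VlanId -Confirm:$false | Out-Null
New-NetIPAddress -InterfaceAlias $VlanAlias -IPAddress $HostIp -PrefixLength 24 -DefaultGateway $Gateway | Out-Null
if (-not (Test-HostPath 'after team/VLAN/IP')) { throw 'Host path broken before Docker touched anything' }

# Step 2: initialise the swarm on the VLAN address only, as in post #4.
docker swarm init --advertise-addr $HostIp --listen-addr "${HostIp}:2377" | Out-Null
if (-not (Test-HostPath 'after swarm init')) { throw 'Default ingress creation broke the host path' }

# Step 3: rebuild ingress bound to the VLAN NIC (the --ingress flag from post #5 and the
# windowsshim interface option from post #2), then re-check. 'y' answers docker's removal prompt.
'y' | docker network rm ingress | Out-Null
docker network create --ingress -d overlay `
    -o "com.docker.network.windowsshim.interface=$VlanAlias" ingress | Out-Null
if (-not (Test-HostPath 'after custom ingress')) { throw 'Custom ingress broke the host path' }

# Final state: list every adapter so any newly activated NIC is visible next to the VLAN NIC.
Get-NetAdapter | Sort-Object ifIndex | Format-Table Name, InterfaceDescription, Status, LinkSpeed
```

Whichever check fails first is the step to report (with the Get-NetAdapter listing) rather than the symptom of a dropped connection.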