Swarm service ports and the Azure LoadBalancer

I’m using Docker for Azure as explained on the following page:

https://docs.docker.com/docker-for-azure/

It works great. As explained, when a swarm service exposes a port, that port is automatically added as a load balancing rule on the external load balancer so that it is accessible from the internet.

This is great, but we have a number of services where we would like to expose a port on the host, but not on the internet. (We expose the port for convenience purposes, allowing us to ssh into the host and interact with the service). For these “internal” services, we don’t necessarily want to expose it on the internet.

I noticed that the “editions_controller” container is responsible for associating the exposed ports with the external load balancer. If I stop that container, the automatic port registration no longer happens and I can set up my own inbound rules using the Azure CLI.

Is that the way to go, or is there another way to configure Docker for Azure so that the load balancer doesn’t auto-register exposed ports, giving you more fine-grained control over what you want to see exposed via the external load balancer?

Is it, for example, possible to expose the ports on an internal load balancer, and have a separate external load balancer that you manage yourself?

@ddewaele the editions_controller unfortunately does not have a setting at the moment that allows you to configure “internal” services. So stopping editions_controller with your own inbound rules is the only option now.

You can open a bug here https://github.com/docker/for-azure/ requesting this feature and we can plan on implementing it. One way could be to have a special tag on the internal services and editions_controller can check the presence of the tag before exposing the port in the cloud load balancer.
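As an added illustration of the label-gated approach suggested in the reply (this is example code written for this page, not Docker for Azure's editions_controller and not posted by either participant): a small bash script that only plans an external load-balancer rule for services that do not carry an `internal=true` label. The label name, the Azure resource names and the sample service list are assumptions; the `az network lb rule create` command is emitted as text for review rather than executed, so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example for this thread; not editions_controller's code. It gates
# external LB rules on a hypothetical "internal=true" swarm service label.
# Azure names below are placeholders; az commands are printed, not run.
set -euo pipefail

RESOURCE_GROUP="${RESOURCE_GROUP:-my-swarm-rg}"   # placeholder
LB_NAME="${LB_NAME:-externalLoadBalancer}"        # placeholder
FRONTEND_IP="${FRONTEND_IP:-default}"             # placeholder
BACKEND_POOL="${BACKEND_POOL:-default}"           # placeholder

# Constructed sample input ("name publishedPort labels" per line), standing
# in for what a swarm manager would report. "-" means the service has no labels.
SAMPLE_SERVICES='web 80 env=prod
api 8080 internal=true,env=prod
admin 9000 internal=true
metrics 9100 -'

# Succeeds when the comma-separated label list contains internal=true.
is_internal() {
  case ",$1," in
    *,internal=true,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints the az CLI invocation that would open one TCP port on the external LB.
lb_rule_cmd() {
  local name=$1 port=$2
  printf 'az network lb rule create --resource-group %s --lb-name %s --name %s-%s --protocol Tcp --frontend-port %s --backend-port %s --frontend-ip-name %s --backend-pool-name %s\n' \
    "$RESOURCE_GROUP" "$LB_NAME" "$name" "$port" "$port" "$port" "$FRONTEND_IP" "$BACKEND_POOL"
}

# Reads service triples from stdin and emits a rule for every public service,
# skipping labelled-internal ones (the check editions_controller does not do).
plan_rules() {
  local name port labels
  while read -r name port labels; do
    [ -n "$name" ] || continue
    if is_internal "$labels"; then
      printf '# skip %s:%s (internal)\n' "$name" "$port" >&2
      continue
    fi
    lb_rule_cmd "$name" "$port"
  done
}

# On a Docker for Azure manager this would replace SAMPLE_SERVICES: one line per
# published port, using a standard docker CLI Go template. Not invoked here.
list_swarm_services() {
  docker service ls -q | while read -r id; do
    docker service inspect "$id" --format \
      '{{$n := .Spec.Name}}{{$l := .Spec.Labels}}{{range .Endpoint.Ports}}{{$n}} {{.PublishedPort}} {{range $k, $v := $l}}{{$k}}={{$v}},{{end}}{{println}}{{end}}'
  done
}

# Dry run on the constructed sample: prints az commands for web and metrics only.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_SERVICES" | plan_rules
fi
```

Run it with `--demo` to see the two commands it would issue for the sample. On a real manager, after stopping editions_controller as described above, `list_swarm_services | plan_rules` produces the commands to review before piping them to a shell; the internal services never reach the external load balancer because the rule is simply never created for them.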