I'm starting to get into Docker networking and want to securely isolate my application stacks. I've hit a snag because some of my services need to connect to external endpoints, so relying solely on an `internal` network isn't working for me. However, I feel like an `external` network is too wide-reaching. I've attempted a two-network setup where each container connects to both `container_internal` and `container_external`. This seems to work because other containers can access my services through `container_internal`, and the services can access the internet via `container_external`. But I'm not entirely sure if this approach is equivalent to just having one broad external network.
I suspect that a better solution might come from using `iptables`, which I'm beginning to explore, but I'd appreciate any guidance or resources you could suggest.
1 Answer
You could keep your containers on an internal network and configure `iptables` to block inbound connections while allowing outbound ones. This way, you manage access without exposing anything externally. What do you think?
That sounds like a solid approach! I was hoping for something simpler directly within Docker, but I guess I should dive deeper into `iptables` as it plays a big role in Docker networking.
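As an added worked example (not code from the question or the answer above): the "block inbound, allow outbound" rule set can be expressed with the hook Docker provides for exactly this purpose, the `DOCKER-USER` chain, which the daemon evaluates before its own `FORWARD` rules and never flushes. One caveat a practitioner should know first: a network created with `internal: true` has no route to the outside at all, so the outbound-allowed half has to come from a normal (non-internal) bridge network that the services are also attached to; the internal network then carries only service-to-service traffic. The script below assumes that layout and uses placeholder names (`eth0` for the host's outward interface, `br-egress` for the bridge Docker created for the egress network, `172.28.0.0/24` for its subnet); on a real host the bridge is `br-` followed by the first twelve characters of the network ID unless you set the `com.docker.network.bridge.name` option. Anything arriving on the outward interface and forwarded into that bridge that is not part of a connection a container already opened is logged and dropped, including published ports; container-initiated traffic and its replies are untouched.

```shell
#!/bin/sh
# Added example, not from the original post: default-deny inbound to a Docker
# bridge network via the DOCKER-USER chain, leaving container-initiated
# outbound traffic (and its replies) to Docker's own FORWARD/MASQUERADE rules.
# Assumed, hypothetical names: EXT_IF (eth0), BR_IF (br-egress), BR_NET.
# DRY_RUN=1 prints the iptables commands instead of executing them.
set -eu

# Print the DOCKER-USER rule specs in chain order (first line ends up on top).
# Both rules match only EXT_IF -> BR_IF packets that are not ESTABLISHED or
# RELATED, i.e. new inbound attempts (and INVALID packets); the first logs a
# rate-limited sample for detection, the second drops. BR_IF -> EXT_IF is
# never mentioned, so outbound stays allowed.
docker_user_rules() {
  ext_if=$1 br_if=$2 br_net=$3
  printf '%s\n' \
    "-i $ext_if -o $br_if -d $br_net -m conntrack ! --ctstate ESTABLISHED,RELATED -m limit --limit 5/min -j LOG --log-prefix DOCKER-USER-drop:" \
    "-i $ext_if -o $br_if -d $br_net -m conntrack ! --ctstate ESTABLISHED,RELATED -j DROP"
}

# Execute an iptables command, or echo it under DRY_RUN.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Insert rule n at position n unless an identical rule already exists (-C),
# so re-running the script (e.g. from a boot-time unit, since iptables rules
# do not survive a reboot by themselves) never duplicates rules.
apply_rules() {
  n=1
  docker_user_rules "$@" | while IFS= read -r spec; do
    # shellcheck disable=SC2086  # word-splitting of $spec is intended
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -C DOCKER-USER $spec 2>/dev/null; then
      ipt -I DOCKER-USER "$n" $spec
    fi
    n=$((n + 1))
  done
}

# Usage:  sudo EXT_IF=eth0 BR_IF=br-1234abcd5678 BR_NET=172.28.0.0/24 sh docker-user.sh apply
# Verify: sudo iptables -S DOCKER-USER   (new rules sit above Docker's RETURN)
case "${1:-}" in
  apply) apply_rules "${EXT_IF:-eth0}" "${BR_IF:-br-egress}" "${BR_NET:-172.28.0.0/24}" ;;
esac
```

Keep the internal network for the inter-service traffic and attach only the services that genuinely need egress to the bridge network that these rules guard; that way the two-network layout from the question stops being equivalent to one broad external network, because nothing on the egress bridge can be reached from outside unless you later add an explicit `ACCEPT` above the `DROP`.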