Hello, I am evaluating Nomad as a lightweight Kubernetes alternative and so far, it looks very promising. One goal/constraint I gave myself is to just rely on Nomad features to further reduce complexity by omitting Consul and Vault.
Currently, I am working with a single node cluster and have deployed two “workload jobs”, one consisting of a Docker task and one consisting of a Java task, and a Traefik job as Docker. Everything works as expected and both services are reachable via Traefik, for instance http://<IP>/hello.
What I don’t understand is how a service is isolated from being reached from outside the cluster? For instance, I can also call http://<IP>:28495 to reach one of the containers behind /hello directly without Traefik.
My first guess was to bind the service to localhost or to block each port except 80 on the node itself. But I guess this wouldn’t work in a real multi-node setup, especially when Traefik is not running on each client node?
Coming from Kubernetes, in my head there is this separation of “in-cluster” traffic via Kubernetes Services and “external-traffic” via Kubernetes Ingress.
Does this work differently in Nomad? Or is this a feature only available via Consul and sidecars?
Thanks for any help