Help me understand external networking

Hello, I am evaluating Nomad as a lightweight Kubernetes alternative and so far, it looks very promising. One goal/constraint I gave myself is to rely on Nomad features only, to further reduce complexity by omitting Consul and Vault.

Currently, I am working with a single node cluster and have deployed two “workload jobs”, one consisting of a Docker task and one consisting of a Java task, and a Traefik job as Docker. Everything works as expected and both services are reachable via Traefik, for instance http://<IP>/hello.

What I don’t understand is, how a service is isolated from being reached from outside the cluster? For instance, I can also call http://<IP>:28495 to reach one of the containers behind /hello directly without Traefik.

My first guess was to bind the service to localhost or to block each port except 80 on the node itself. But I guess this wouldn’t work in a real multi-node setup, especially when Traefik is not running on each client node?

Coming from Kubernetes, in my head there is this separation of “in-cluster” traffic via Kubernetes Services and “external-traffic” via Kubernetes Ingress.
Does this work in Nomad differently? Or is this a feature only available via Consul and sidecars?

Thanks for any help

One solution would be to have two networks on the hosts you are deploying the Nomad jobs to, a public one and a private one. You then have to use the internal network in your Nomad job descriptions (see network Block - Job Specification | Nomad | HashiCorp Developer)
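As an added illustration of the two-network approach suggested above (example configuration written for this thread, not taken from the Nomad documentation or from any of the posters), the client agent names its two interfaces as `host_network` blocks and the workload job pins its port to the private one, so the container's host port is only bound on the internal address and is not reachable from outside the cluster. The interface names `eth0`/`eth1`, the datacenter name, the job names and the image name are assumptions; the service uses Nomad's native service discovery (`provider = "nomad"`, available in Nomad 1.3 and later) so that no Consul is needed, and Traefik can read it through its Nomad provider.

```hcl
# --- Nomad client agent configuration (assumed file: /etc/nomad.d/client.hcl) ---
# Each host has a public interface (eth0) and a private, cluster-internal one (eth1).
# Interface names are assumptions; adjust to the real ones on your nodes.
client {
  enabled = true

  host_network "public" {
    interface = "eth0"
  }

  host_network "private" {
    interface = "eth1"
  }
}

# --- Workload job: only reachable on the private network ---
job "hello" {
  datacenters = ["dc1"]   # assumed datacenter name

  group "web" {
    network {
      # The host-side port is allocated dynamically and bound on the private
      # interface only, so http://<public IP>:<port> no longer answers.
      port "http" {
        to           = 8080        # port the app listens on inside the container
        host_network = "private"
      }
    }

    # Registered with Nomad's built-in service catalog (no Consul required);
    # the address recorded is the private one, which is what Traefik dials.
    service {
      name     = "hello"
      port     = "http"
      provider = "nomad"
      tags = [
        "traefik.enable=true",
        "traefik.http.routers.hello.rule=Path(`/hello`)",
      ]
    }

    task "app" {
      driver = "docker"
      config {
        image = "example.invalid/hello:latest"   # placeholder image
        ports = ["http"]
      }
    }
  }
}

# --- Traefik job: the only workload bound on the public network ---
job "traefik" {
  datacenters = ["dc1"]
  type        = "service"

  group "edge" {
    network {
      # Port 80 is the single public entry point.
      port "web" {
        static       = 80
        host_network = "public"
      }
    }

    task "traefik" {
      driver = "docker"
      config {
        image = "traefik:v2.10"   # assumed version
        ports = ["web"]
        args = [
          "--entrypoints.web.address=:80",
          "--providers.nomad=true",
          # Traefik reaches the Nomad API over the private network (assumed address).
          "--providers.nomad.endpoint.address=http://10.0.0.1:4646",
        ]
      }
    }
  }
}
```

With this layout the check a practitioner would run is simply `curl http://<public IP>/hello` (answers via Traefik) versus `curl http://<public IP>:<allocated port>` (connection refused, because the port is bound on eth1 only). A host firewall that drops inbound traffic on eth0 except port 80 is still worth adding as defence in depth, since `host_network` only controls where Nomad binds ports, not what else a task might open.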

Ah, I see. Thanks for your solution @frank.wettstein