Network between two different docker hosts

Hi, I have two different servers each one running some containers and I want to know what’s the best approach to make the containers communicate from one host to the other. Is this a scenario where I can deploy consul connect?

Thanks,
Bruno

Consul connect will certainly help with ensuring the traffic is encrypted between services; from a micro-segmentation approach, you also have the ability to control which service is allowed to talk to another service.

Running Consul in this environment would need a consul server and an agent deployed to each virtual machine. The Consul server could reside on one of the Virtual Machines where your workload is.

One thing to note about this approach is that there is no redundancy: if the Consul server fails, all of your service mesh will eventually fail. I say eventually, as data is cached on the agent and will tolerate temporary outages.

When you register a container on a virtual machine, you register it with the local consul agent; the IP address and port the service in the container runs on are registered in Consul. The registration of all these services forms the service catalog which is used by the service mesh.

Something to think about when using Docker containers is that Docker containers by default will run in their own virtual network. A container in a docker network on one machine will not be accessible from a docker container in another machine unless you are doing one of three things.

  1. Docker host network
  2. Docker network plugin
  3. Exposed ports to host via port mapping

In your setup to keep things simple you could do the following:

  1. Consul server on one node
  2. Consul client on every node
  3. Host networking for containers
  4. Firewall rules only allowing ingress connections between the two machines for containers

You then have to slightly modify the way your applications run in the container by using a sidecar for the Service Mesh data plane. Ingress is only allowed to the data plane; the service itself is not directly accessible.

This is by no means a comprehensive overview of what needs to be done to secure the system and implement a service mesh.

If you do not need a service mesh from the perspective of service routing, security, and observability, there may be a simpler option to achieve what you are after. Have you looked at Docker Network plugins?

Check out Weave. Weave is an overlay network which allows you to link n+1 docker hosts into a single virtual network.

https://hub.docker.com/plugins/weave-net-plugin

One more thing to check out is Nomad.

You might find using Nomad a nice upgrade on scheduling containers with pure docker.
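The setup described in the answer above (a Consul client on each host, host networking for the containers, a sidecar as the only thing reachable from the other host, and intentions to control who may talk to whom), written out as Consul configuration. This is an added example and not part of the original thread; the service names `web` and `api`, the application ports 8080/9090, the sidecar ports 21000/21001 and the upstream bind port 9191 are all assumptions chosen for illustration.

```hcl
# Added example, not from the original post. Assumed names and ports:
# api on host A (app port 9090, sidecar 21000), web on host B (app port 8080,
# sidecar 21001, reaches api via local port 9191).

# --- host A: api.hcl  (load with `consul services register api.hcl`) ---
service {
  name = "api"
  id   = "api"
  port = 9090                      # the app itself binds 127.0.0.1:9090 only

  connect {
    sidecar_service {
      port = 21000                 # mTLS listener; the only port host B needs
                                   # to reach, so the only one the firewall opens
      proxy {
        local_service_address = "127.0.0.1"   # sidecar forwards to the local app
        local_service_port    = 9090
      }
    }
  }

  check {
    tcp      = "127.0.0.1:9090"    # health check stays on loopback as well
    interval = "10s"
  }
}

# --- host B: web.hcl  (load with `consul services register web.hcl`) ---
service {
  name = "web"
  id   = "web"
  port = 8080

  connect {
    sidecar_service {
      port = 21001
      proxy {
        local_service_address = "127.0.0.1"
        local_service_port    = 8080
        upstreams = [
          {
            destination_name = "api"
            local_bind_port  = 9191   # web connects to 127.0.0.1:9191; the
                                      # sidecar carries it to host A over mTLS
          }
        ]
      }
    }
  }
}

# --- intentions.hcl  (any host, `consul config write intentions.hcl`) ---
# Only web may call api; everything else is rejected at api's sidecar.
Kind = "service-intentions"
Name = "api"
Sources = [
  {
    Name   = "web"
    Action = "allow"
  },
  {
    Name   = "*"
    Action = "deny"
  }
]
```

With host networking (`docker run --network host ...`) the container shares the VM's network stack, so any listener bound to `0.0.0.0` is reachable from the LAN; the application must bind to `127.0.0.1` for "the service itself is not directly accessible" to hold. Start the data plane with `consul connect envoy -sidecar-for api` (and `-sidecar-for web` on host B), which requires Envoy on each VM. The host firewall then only needs to admit the sidecar port (21000 on host A, 21001 on host B) from the other host's address, plus the agent-to-server ports Consul itself uses (8300 for server RPC and 8301 TCP/UDP for Serf LAN gossip); inbound 9090 and 8080 stay closed.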

Thanks Nicholas for the answer with all the detail 🙂

If I go for the approach of having consul, I will create a cluster outside this scenario, having only the agents in this scenario communicate with the consul server cluster.

Gonna check weave also. Once again, thanks for the answer.

Bruno