Nomad with docker secure client ports strategy

After having tried several deployment strategies with Nomad, Consul, Docker containers and Traefik on the front (gateway and load balancer), I'm encountering the unresolved problem of ports on clients being dynamically opened by services, directly accessible from the Internet, with no possibility of closing them.

So I tried

  • bridge mode,
  • Consul Connect mesh,
  • Docker user-defined network,
  • even if I don't declare a port, one is assigned. Each time, a host port is opened on the client (node) and is visible in the Consul dashboard.

What poses a problem, for example, is the case of hosting a backend and a database: I don't want these services to be accessible directly from the client IP, but for everything to go through the gateway.

So what do you recommend, please? Should I protect each client with a VPN and a firewall that only authorizes internal requests between clients?

Thank you for your advice,

A good solution is to add a firewall and/or VPN. Besides, you can use network policies, TLS client certificates, and custom deployment scripts to manage configuration, for example using iptables.
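As an added example of the iptables-based deployment script the reply suggests (not code from either poster), the script below generates a rule set that lets Nomad's dynamic port range reach the client only from the gateway host and the internal network, and drops everything else aimed at those ports. The gateway address `10.0.0.10`, the internal CIDR `10.0.0.0/8` and the port range `20000-32000` (Nomad's default dynamic range) are assumptions to replace with your own values. Nomad's client `host_network` setting, which pins dynamic ports to a chosen interface, is a complementary control; the firewall still closes the ports on the public interface if a task binds to all interfaces anyway.

```shell
#!/bin/sh
# Added example, not from the original thread: build an iptables-restore
# fragment that exposes Nomad's dynamic host ports only to the gateway and
# the cluster-internal network, then DROP for everything else.

# Assumed values (constructed for this example); override via environment.
GATEWAY_IP="${GATEWAY_IP:-10.0.0.10}"        # Traefik / gateway host
INTERNAL_CIDR="${INTERNAL_CIDR:-10.0.0.0/8}" # cluster-internal network
PORT_MIN="${PORT_MIN:-20000}"                # Nomad default min_dynamic_port
PORT_MAX="${PORT_MAX:-32000}"                # Nomad default max_dynamic_port

# build_rules GATEWAY CIDR MIN MAX
# Prints rules in iptables-restore format; applies nothing.
build_rules() {
    gw="$1"; cidr="$2"; pmin="$3"; pmax="$4"
    cat <<EOF
*filter
:NOMAD-DYN - [0:0]
-A INPUT -p tcp --dport ${pmin}:${pmax} -j NOMAD-DYN
-A INPUT -p udp --dport ${pmin}:${pmax} -j NOMAD-DYN
-A NOMAD-DYN -s ${gw} -j ACCEPT
-A NOMAD-DYN -s ${cidr} -j ACCEPT
-A NOMAD-DYN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A NOMAD-DYN -j DROP
COMMIT
EOF
}

# count_target RULES TARGET: number of rules jumping to TARGET (for checks).
count_target() {
    printf '%s\n' "$1" | grep -c -- "-j $2"
}

# Load the generated rules without flushing unrelated chains.
apply_rules() {
    build_rules "$GATEWAY_IP" "$INTERNAL_CIDR" "$PORT_MIN" "$PORT_MAX" \
        | iptables-restore --noflush
}

case "${1:-}" in
    show)  build_rules "$GATEWAY_IP" "$INTERNAL_CIDR" "$PORT_MIN" "$PORT_MAX" ;;
    apply) apply_rules ;;
esac
```

Run `sh nomad-ports.sh show` to review the rules and `sudo sh nomad-ports.sh apply` to load them; the script is not idempotent, so run it once at boot (or flush `NOMAD-DYN` and the two `INPUT` jumps first) rather than on every deployment. Traffic from the gateway still has to be authenticated at the application (for example with the TLS client certificates mentioned above), since the firewall only decides which hosts may reach the ports.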