How to expose the entire docker swarm cluster to the external world via a public IP?

Question

Am trying to implement a cluster of containerised applications in the production using docker in the swarm mode.

Let me describe a very minimalist scenario. All i have is just 5 aws-ec2 instances. None of these nodes have a public IP assigned and all have private IPs assigned part of a subnet.

For example,

Manager Nodes

172.16.50.1
172.16.50.2

Worker Nodes

172.16.50.3
172.16.50.4
172.16.50.5

With the above infrastructure, have created a docker swarm with the first node's IP (172.16.50.1) as the --advertise-addr so that the other 4 nodes join the swarm as manager or worker with their respective tokens.

I didn't want to overload the Manager Nodes by making them doing the role of worker nodes too. (Is this a good idea or resource under-utilization?).

Being the nodes are 4 core each, am hosting 9 replicas of my web application which are distributed in the 3 worker nodes each running 3 containers hosting my web app.

Now with this setup in hand, how should i go about exposing the entire docker swarm cluster with a VIP (virtual IP) to the external world for consumption?

please validate my below thoughts:

1. Should I have a classic load-balancer setup like keeping a httpd or nginx or haproxy based reverse proxy which has a public IP assigned and make it balance the load to the above 5 nodes where our docker-swarm is deployed?

One downside I see here is that the above reverse-proxy would be Single Point of Failure? Any ideas how this could be made fault-tolerant/hightly available? should I try a AnyCast solution?

2. Going for a AWS ALB/ELB which would route the traffic to the above 5 nodes where our swarm is.

3. If keeping a separate Load Balancer is the way to go, then what does really docker-swarm load-balancing and service discovery is all about?

what is docker swarm's answer to expose 1 virtual IP or host name to the external clients to access services in the swarm cluster?

Docker-swarm touts a lot about overlay networks but not sure how it relates to my issue of exposing the cluster via VIP to clients in the internet. Should we always keep the load balancer aware of the IP addresses of the nodes that join the docker swarm later?

please shed some light!

can you share your yaml configuration of the deployment – Kusal Hettiarachchi May 21 '20 at 07:20 — Kusal Hettiarachchi, May 21 '20 at 07:20

score 1 · Answer 1 · answered Jul 11 '19 at 13:40

On further reading, I understand that the Overlay Network we are creating in the swarm manager node only serves inter container communication.

The only difference from the other networking modes like bridge, host, macvlan is that the others enables communication among containers with in a single host and while the Overlay network facilitates communication among containers deployed in different subnets too. i.e., multi-host container communication.

with this knowledge as the headsup, to expose the swarm to the world via a single public IP assigned to a loadbalancer which would distribute requests to all the swarm nodes. This is just my understanding at a high level.

This is where i need your inputs and thoughts please...explaining the industry standard on how this is handled?

How to expose the entire docker swarm cluster to the external world via a public IP?

Manager Nodes

Worker Nodes

1 Answers1