
I am trying to restrict access to Windows docker containers to specific IP(s). Looks like this can be easily done with iptables on Linux containers, but I'm having a difficult time finding a proper solution for Windows Server containers. A similar thing I'm trying to do on a Windows container is described in the first answer to THIS StackOverflow question, but that's Linux.

For starters, I cannot seem to start the Windows Defender Firewall service INSIDE the container (not on the host). What exactly happens is described in THIS StackOverflow question. But in short, Start-Service -Name MpsSvc simply does not work. Modifying registry keys doesn't work. It's described in that post. So does this mean using Windows Firewall inside a container to restrict access is out of the question?

The Network isolation and security document states that default Outbound/Inbound traffic on Windows Server containers is ALLOW ALL. I want to lock it down so that traffic to the container only comes from one source.

The orchestrator we're using is Azure Service Fabric. In the cluster, there's a main SYSTEM node/host. That node hosts Traefik (it's like a traffic manager/load balancer). Traefik instances are running on each subsequent node in the cluster as well. And each node has a bunch of containers - simple. So the basic idea here is, I want only traffic from the primary SYSTEM node to hit the containers. All else needs to be blocked.

How can I achieve this?

The base image for the container we're using is mcr.microsoft.com/windows/servercore:ltsc2019. I'm trying to create our own version of the base image with some modifications (like this security hardening, logging, etc.), publish that to our Azure Container Registry (ACR), and the plan is for developers to PULL from our ACR instead of Microsoft's public hub.

As for the network, I'm not sure if it matters or not, but it's using the default NAT network.

docker network inspect nat

[
    {
        "Name": "nat",
        "Id": "78l2lk902jsxu82jskais92alxp51mcf2907djsla81m154985snjo1d69xh51da",
        "Created": "2020-04-15T20:18:39.9097816-07:00",
        "Scope": "local",
        "Driver": "nat",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "windows",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.27.128.0/20",
                    "Gateway": "172.27.128.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {
            "com.docker.network.windowsshim.hnsid": "5045b0b6-d9a6-4b50-b1da-f66b0b770feb",
            "com.docker.network.windowsshim.networkname": "nat"
        },
        "Labels": {}
    }
]
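One defender-side approach, as an added example that is not from the question or from any answer to it: since the post reports that MpsSvc cannot be started inside the container, enforce the source restriction on the container host's firewall for the host port the container publishes. The SYSTEM node address (10.0.0.4), the published port (8080) and the rule names are placeholders to replace; the script also assumes that the host firewall inspects inbound traffic before WinNAT forwards it to the container, which the question does not establish and should be verified on one node before rolling out.

```powershell
# Added example (not from the question): restrict inbound traffic to a
# published container port to a single source address using the HOST
# firewall. Run in an elevated PowerShell on the container host.
#
# Placeholders (assumptions, replace for your cluster):
#   $AllowedSource - IP of the primary SYSTEM node that runs Traefik
#   $PublishedPort - host port published with `docker run -p 8080:80 ...`

$AllowedSource = '10.0.0.4'   # placeholder: SYSTEM node address
$PublishedPort = 8080         # placeholder: host port mapped to the container
$RulePrefix    = 'Container-Restrict'

# Windows Firewall gives Block rules precedence over Allow rules, so a block
# rule matching "Any" remote address would also block the trusted node. The
# block rule is therefore scoped to every IPv4 address EXCEPT the trusted one,
# expressed as the two ranges on either side of it.
function Get-ComplementRanges {
    param([Parameter(Mandatory)][string]$Address)
    # Dotted quad -> 32-bit unsigned integer (GetAddressBytes is big-endian).
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)
    $n = [BitConverter]::ToUInt32($bytes, 0)
    $toIp = {
        param([uint32]$v)
        $b = [BitConverter]::GetBytes($v); [Array]::Reverse($b)
        ([System.Net.IPAddress]::new($b)).ToString()
    }
    $ranges = @()
    if ($n -gt 0)                  { $ranges += ('0.0.0.0-' + (& $toIp ($n - 1))) }
    if ($n -lt [uint32]::MaxValue) { $ranges += ((& $toIp ($n + 1)) + '-255.255.255.255') }
    return $ranges
}

# Remove earlier copies so the script is idempotent.
Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 1. Explicit allow from the single trusted source.
New-NetFirewallRule -DisplayName "$RulePrefix-Allow-$PublishedPort" `
    -Direction Inbound -Protocol TCP -LocalPort $PublishedPort `
    -RemoteAddress $AllowedSource -Action Allow | Out-Null

# 2. Block the same port from everyone else (all addresses except the trusted one).
New-NetFirewallRule -DisplayName "$RulePrefix-Block-$PublishedPort" `
    -Direction Inbound -Protocol TCP -LocalPort $PublishedPort `
    -RemoteAddress (Get-ComplementRanges $AllowedSource) -Action Block | Out-Null

# 3. Show the resulting scope so the ranges can be eyeballed before relying on them.
Get-NetFirewallRule -DisplayName "$RulePrefix*" |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Action = $_.Action
            Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        }
    } | Format-Table -AutoSize
```

Verify from a non-SYSTEM node that the published port no longer answers, and from the SYSTEM node that it still does; if the host firewall turns out not to see the NAT-forwarded traffic on your hosts, the same allow-one/block-the-rest pattern can be moved to the Azure network security group in front of the nodes.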
