External load balancer should route to swarm managers, workers or both?

Question

I have an architecture of microservices running into a docker swarm stack. My swarm stack is composed with :

• 3 Managers (manager only)
• 3 workers

I have an external load-balancer to dispatch requests on the nodes of my stack with a single public IP.

I'm wondering if my external load-balancer should route traffic only to the managers, only to the workers or to all nodes.

I didn't find any direct answers to this question in the swarm documentation but i think it is better to route traffic to wokers only in order to save resources of managers. Is it the right way to do it ?

Answer 1

yes. no. maybe.

If you have only one vip, you probably want it to point to the managers, because you want HA access to the managers to manage the swarm.

i.e. with my internal swarm, "swarm.example.com" is a vip that points to the managers. My CI/CD pipelines use that as their target when doing docker stack deploy operations, and this means I can perform node maintenance without breaking pipeline deployments. "*.swarm.example.com" is also, for convenience a CNAME to swarm.example.com, so all my http (and other) ingress arrives on the managers, which is where I deploy traefik (which needs access to the manager api via /var/lib/docker.sock) for ingress routing to services.

Now, a more sophisticated setup would be to use separate vip pools to manage the control plane and ingress routing, and having traefik on the manager nodes is a security concern, but that speaks to a much larger setup with greater security concerns than an on prem swarm running ci/cd for devs.