Introduction
Sometimes it is necessary to route the traffic of a Docker container through another container, for example through a VPN container for privacy. Other common use cases include:
- Content Filtering: Rerouting traffic of a container through another container can be used to act as a content filtering proxy. This allows for more control over the type of content that a container can access from the internet.
- Load Balancing: You can set up a load balancer container that will spread traffic across multiple other containers, allowing for increased performance and reliability.
- Monitoring and Logging: You can configure the container so that its traffic is routed through another container, acting as a monitoring proxy. This allows you to track and log network communication for the container.
- Ad blocking: Traffic from a container can be rerouted through another container that acts as an ad blocker, so ads do not appear on the web pages the container accesses.
- Network segmentation: Network segmentation is a practice of using smaller sub-networks to improve security and performance. Containers can be used to route traffic between networks, thus enforcing this form of network segmentation.
- Network address translation: A container can be routed through another container that acts as a network address translator, allowing for an internal network structure and IP addresses of containers to be securely hidden from outside sources.
Route one container through another Docker container
docker run method
Start the VPN container with the following command:
docker run -it --name vpn --cap-add=NET_ADMIN vpn-image
To connect the second container to the network stack of the VPN container, use the --network option when starting the second container.
docker run -it --name some-app --network container:vpn some-app-image
Test the routing by accessing a service or website from the app container and checking that the traffic is being routed through the VPN container. You can do that by running:
docker exec -it <container_name> sh -c "wget -qO- icanhazip.com"
Replace <container_name> with the name of the app container (some-app in the example above). The command prints the public IP address that the container's outbound traffic leaves from. If routing works, this is the VPN endpoint's address and differs from the public IP of the Docker host; run the same wget command on the host itself to compare the two.
docker compose method
Example 1: All services are in one docker-compose.yml file
version: "2"
services:
  somevpn:
    image: some/vpn
    container_name: somevpn
    cap_add:
      - NET_ADMIN
    devices:
      - "/dev/net/tun:/dev/net/tun"
    privileged: true
    restart: unless-stopped
  app:
    image: some/app
    container_name: someapp
    network_mode: service:somevpn
    restart: unless-stopped
Example 2: Your VPN is somewhere else (docker run, or another docker-compose.yml)
version: "2"
services:
  app:
    image: some/app
    container_name: someapp
    network_mode: container:somevpn
    restart: unless-stopped
What about ports?
Because the app container shares the VPN container's network namespace, any ports you want to publish must be declared on the VPN container (the ports: entry in compose, or -p with docker run), not on the app container: Docker refuses port publishing on a container that uses another container's network mode. If the ports are not exposed on the VPN container, nobody will be able to reach your app.
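As an added example (it is not code from the article, from Docker or from Compose), here is a small Python check for the pattern used in both compose examples and for the port question above. It flags ports or hostname set on a service that uses network_mode: service:/container:, flags a target service that does not exist in the file, warns when the namespace owner is privileged on top of NET_ADMIN, and can move misplaced ports onto the owner. It assumes the compose file has already been parsed into a dict (for instance with yaml.safe_load); the sample document is constructed to mirror Example 1 with one deliberate mistake.

```python
"""Sanity checks for the shared-network-namespace pattern in a compose file.

Added example written for this article; not code from the article, Docker
or Compose. It operates on the parsed compose document, i.e. the dict that
yaml.safe_load(open("docker-compose.yml")) returns, so no YAML library is
needed to run the constructed sample below.
"""
import copy
from typing import Dict, List

# Constructed sample mirroring Example 1, with one deliberate mistake:
# `ports` declared on the app service instead of on the VPN service.
SAMPLE_COMPOSE: Dict = {
    "version": "2",
    "services": {
        "somevpn": {
            "image": "some/vpn",
            "container_name": "somevpn",
            "cap_add": ["NET_ADMIN"],
            "devices": ["/dev/net/tun:/dev/net/tun"],
            "privileged": True,
            "restart": "unless-stopped",
        },
        "app": {
            "image": "some/app",
            "container_name": "someapp",
            "network_mode": "service:somevpn",
            "ports": ["8080:8080"],  # constructed mistake: belongs on somevpn
            "restart": "unless-stopped",
        },
    },
}

# Options Docker refuses to combine with a container-type network mode.
CONFLICTING_WITH_SHARED_NETNS = ("ports", "hostname")


def _netns_owner(service: Dict) -> str:
    """Name after 'service:' or 'container:', or '' for an own namespace."""
    mode = service.get("network_mode", "")
    if mode.startswith(("service:", "container:")):
        return mode.split(":", 1)[1]
    return ""


def lint_shared_netns(compose: Dict) -> List[str]:
    """Return 'ERROR ...', 'WARN ...' and 'INFO ...' findings for the file."""
    findings: List[str] = []
    services: Dict[str, Dict] = compose.get("services", {})
    owners = set()

    for name, svc in services.items():
        owner = _netns_owner(svc)
        if not owner:
            continue
        if svc["network_mode"].startswith("service:"):
            if owner in services:
                owners.add(owner)
            else:
                findings.append(f"ERROR {name}: network_mode targets unknown service '{owner}'")
        else:
            findings.append(f"INFO {name}: shares the namespace of external container "
                            f"'{owner}'; compose cannot check that it exists")
        for key in CONFLICTING_WITH_SHARED_NETNS:
            if key in svc:
                findings.append(f"ERROR {name}: '{key}' cannot be set on a service that "
                                f"shares another container's network namespace; "
                                f"declare it on '{owner}' instead")

    # The namespace owner is where published ports and capabilities live.
    for owner in sorted(owners):
        o = services[owner]
        if o.get("privileged") and "NET_ADMIN" in o.get("cap_add", []):
            findings.append(f"WARN {owner}: 'privileged: true' grants every capability and "
                            f"all host devices; NET_ADMIN plus the tun device already "
                            f"covers a VPN client, so consider dropping it")
        if "ports" not in o:
            findings.append(f"INFO {owner}: no ports published; services sharing its "
                            f"namespace are unreachable from outside the host")
    return findings


def move_ports_to_owner(compose: Dict) -> Dict:
    """Return a copy where 'ports' of services using network_mode: service:X
    are merged into X's own 'ports' list (duplicates dropped)."""
    fixed = copy.deepcopy(compose)
    services = fixed.get("services", {})
    for svc in services.values():
        owner = _netns_owner(svc)
        if svc.get("network_mode", "").startswith("service:") and owner in services and "ports" in svc:
            merged = list(services[owner].get("ports", []))
            merged += [p for p in svc.pop("ports") if p not in merged]
            services[owner]["ports"] = merged
    return fixed


if __name__ == "__main__":
    for line in lint_shared_netns(SAMPLE_COMPOSE):
        print(line)
    print("--- after moving ports to the namespace owner ---")
    for line in lint_shared_netns(move_ports_to_owner(SAMPLE_COMPOSE)):
        print(line)
```

Run against the sample, the linter reports the misplaced ports as an error and the privileged flag as a warning; after move_ports_to_owner the error disappears and 8080 is published on somevpn, which is exactly where it must sit for the app to be reachable. For a compose file that uses network_mode: container: (Example 2) the check can only note that the target lives outside the file.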
Summary
So if you're looking for an easy way to route docker containers without manual port configuration and complex network setup with iptables, docker-compose is your best bet. With docker-compose, you can effortlessly connect docker containers and route traffic between them with just a few simple steps. Try it today and see how much time and effort you can save!