
I have a classic segmented network (a DMZ network and an internal LAN network with a router/firewall in between) and a Docker Swarm cluster composed of 3 nodes, all managers (Dm).

The way we have currently placed the docker manager nodes is this (look at the "Dm's" in the DMZ):

           |  / \
Internet: \|/  |
----------------------------------------------------
DMZ     : Dm Dm Dm
----------------------------------------------------
LAN     : (some non containerized backend services)

I wanted to know about the real benefit of investing in expanding this single cluster with some extra nodes as workers (Dw) in the DMZ and moving the managers (Dm) inside the LAN, like this:

           |  / \
Internet: \|/  |
----------------------------------------------------
DMZ     : Dw Dw
----------------------------------------------------
LAN     : Dm Dm Dm + (some non containerized backend services)

My reasoning for the change is:

  1. As mentioned, avoid having Docker manager nodes in the DMZ; instead, move the managers to the internal LAN and place 2 workers in the DMZ.
  2. Place reverse or forward proxy containers on the worker nodes, so they are listening for requests in the DMZ as usual; place app servers or NoSQL caching on the managers so they are in the internal LAN, again as usual.
  3. Even if you are adding two extra nodes (workers in the DMZ), don't use fewer than 3 manager nodes, for HA reasons. If anything, do the opposite: add more worker nodes in the internal LAN so your managers don't run any containers at all.

Do my points make sense? If so, do you agree from previous experience (i.e. is this the way you deploy Docker Swarm)? Any potential problems?

  • Your wording is a bit strange. Did you copy your reasoning from somewhere? Why would I move my Docker Managers if you want to change your setup? – Seth May 09 '18 at 08:14
  • Hi Seth, my main worry is having Docker manager nodes in the DMZ; I think those are too sensitive, so I should put them in the internal LAN, behind the firewall in between (this is point 1 in my initial message). P.S. Sorry Seth for the wording, I took the reasoning from my notes, which have a slightly different context. I can comment further below. – user3677920 May 09 '18 at 11:05
  • (I clarify point 2) But that move has some implications for the containers I want to run (a couple of reverse and forward proxies, an app server, a database...). For example, the reverse proxies should be in the DMZ, and so I thought of adding two Docker workers in the DMZ so I can place my reverse proxy containers there, listening for service requests from the internet. --- While other containers such as my DB should be placed on the Docker managers, since they are in the internal LAN. – user3677920 May 09 '18 at 11:07
  • (I clarify point 3) I already mentioned that all this started because I wanted to add extra protection to the Docker managers, so I want to move them to the internal LAN. Now, another way of protecting them would be not to run any containers on them; instead they would do just cluster control functions, while I would add some extra Docker workers in the LAN. This is expensive, but I wanted to ask anyway how beneficial it is seen to be. – user3677920 May 09 '18 at 11:07
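The layout proposed above (proxies pinned to DMZ workers, app and cache pinned to the LAN side, managers optionally kept control-plane only) can be expressed as Swarm placement constraints. The stack file below is an added example, not code from the original post or its author; the node names (dw1, dw2, dm1..dm3), the node labels (zone=dmz / zone=lan), the image names and the service names are assumptions chosen for illustration.

```yaml
# Added example (not from the original post): Swarm stack implementing the
# DMZ-worker / LAN-manager split with placement constraints.
#
# Assumed one-time node preparation, run from any manager
# (node names dw1, dw2, dm1, dm2, dm3 are assumptions):
#   docker node update --label-add zone=dmz dw1
#   docker node update --label-add zone=dmz dw2
#   docker node update --label-add zone=lan dm1   # likewise dm2, dm3
#
# Point 3 of the question (managers run no containers at all): add LAN
# workers labelled zone=lan and then drain every manager, e.g.
#   docker node update --availability drain dm1   # likewise dm2, dm3
# The constraints below keep working unchanged, because they select on the
# zone label rather than on node.role == manager.
#
# Deploy with: docker stack deploy -c stack.yml edge
version: "3.8"

services:
  reverse-proxy:
    image: nginx:1.25            # placeholder image
    ports:
      - target: 443
        published: 443
        mode: host               # see note below: NOT the default ingress mesh
    networks:
      - edge
    deploy:
      mode: global               # one task on every node matching the constraints
      placement:
        constraints:
          - node.role == worker
          - node.labels.zone == dmz

  app:
    image: example/app:1.0       # placeholder image
    networks:
      - edge                     # reachable from the proxies
      - backend                  # reachable to the cache
    deploy:
      replicas: 2
      placement:
        constraints:
          - node.labels.zone == lan

  cache:
    image: redis:7               # placeholder image
    networks:
      - backend                  # never on the edge network
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.labels.zone == lan

networks:
  edge:
    driver: overlay
    driver_opts:
      encrypted: "true"          # IPsec on the VXLAN data plane crossing the DMZ/LAN firewall
  backend:
    driver: overlay
    internal: true               # no external connectivity for the app<->cache network
```

Two checks worth making before relying on this layout. First, the published port uses `mode: host` on purpose: with the default ingress routing mesh, a published port is opened on every node in the swarm, including the managers in the LAN, which would quietly recreate the exposure the move was meant to remove; host mode binds only on the nodes where a proxy task actually runs, which is why the service is `global` rather than replicated. Second, the firewall between the zones still has to pass the Swarm control and data plane: TCP 2377 from the workers to the managers, TCP and UDP 7946 between all nodes, and UDP 4789 (VXLAN) between all nodes; the `encrypted` option on the edge network protects the VXLAN traffic that crosses that boundary, the backend network stays entirely inside the LAN.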

0 Answers