Consul Connect Upstream Interfaces in Docker Containers

Question

is it possible to bind consul connect upstreams to another interface besides 127.0.0.1 loopback?

Consul Connect - Nomad This article says you can run the connect proxy within the official Docker container but then there is an issue where the upstream dependencies can't be exposed. Running the raw_exec version I see the upstreams available on the host machine 127.0.0.1. But if i run the same config within a container other containers can't connect to those ports.

Example configuration:

    task "proxy" {
      driver = "docker"

      config {
        image = "consul:1.4.0"
        force_pull = true
        network_mode = "host"

        args = [
          "connect", "proxy",
          "-service", "api",
          "-log-level", "debug",
          "-upstream", "upstream:${NOMAD_PORT_tcp}"
        ]
      }

      env {
        "CONSUL_HTTP_ADDR" = "${NOMAD_IP_tcp}:8500"
      }

      resources {
        network {
          port "tcp" {}
        }
      }
    }

In this configuration the service called upstream is only available if you sh into the container itself and check with netcat. Is there a way to force Consul Connect to bind the upstream service to 0.0.0.0 so it can be exposed on the local Docker network?

Answer 1

The trick here was to use network_mode = "host" for both the sidecar container and any other containers that want to utilize the sidecar. The host Docker network makes this possible:

"RABBITMQ_HOST" = "localhost"
"RABBITMQ_PORT" = "${NOMAD_PORT_proxy_rabbitmq}"

since the Consul Connect sidecar is binding all upstreams to localhost and the Docker host network exposes all ports within a container as if the container was running as a raw process on the host machine.