Reputation: 957
After having tried several deployment strategies with Nomad docker containers with traefik on the front, I'm encountering the unresolved problem of ports on clients dynamically opened by services that are directly accessible from the Internet and with no possibility of closing them.
So I tried
What poses a problem, for example, is the case of hosting a backend and a database: I don't want these services to be accessible directly from the client IP, but for everything to go through the gateway.
So what do you recommend, please? Should I protect each client with a VPN and a firewall that only authorizes internal requests?
Thank you for your advice,
Upvotes: 0
Views: 133
Reputation: 141698
For interjob communication within the same job group, you would pass ${NOMAD_ADDR_label} to the dependent service configuration, either as a command-line option or as a template, see https://developer.hashicorp.com/nomad/docs/runtime/environment . No traefik involved. No services block in job specification. Communicate straight to the service.
If communicating to a different job or group, you can generate a template using the registered services matching a label. Then this template should be used for dependent service configuration. Again no traefik involved. See https://developer.hashicorp.com/nomad/docs/job-specification/template#consul-services for an example. See also https://stackoverflow.com/a/77423649/9072753 .
Upvotes: 0
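The two mechanisms named in the answer above, sketched as one Nomad job specification. This is an added example, not code from the answer or from the Nomad documentation; the job, group, task, image and service names (`shop`, `core`, `shop-db`, `example/...`) are assumptions, and the `service` block assumes Consul is the service provider.

```hcl
# Added example; all names and images below are constructed placeholders.
job "shop" {
  group "core" {
    network {
      port "db" { to = 5432 } # dynamic host port mapped to container port 5432
    }

    # Registered only so that other groups or jobs can discover the database.
    # The same-group backend below does not need this block.
    service {
      name = "shop-db"
      port = "db"
    }

    task "database" {
      driver = "docker"
      config {
        image = "example/db:1.0"
        ports = ["db"]
      }
    }

    # Same group: take the address from the runtime environment.
    task "backend" {
      driver = "docker"
      config { image = "example/backend:1.0" }
      env {
        DATABASE_ADDR = "${NOMAD_ADDR_db}" # ip:port for the "db" port label
      }
    }
  }

  group "worker" {
    # Different group: render the registered service into environment variables.
    task "worker" {
      driver = "docker"
      config { image = "example/worker:1.0" }
      template {
        data        = <<EOH
{{ range service "shop-db" }}
DATABASE_ADDR={{ .Address }}:{{ .Port }}
{{ end }}
EOH
        destination = "local/db.env"
        env         = true
      }
    }
  }
}
```

Neither task goes through traefik to reach the database. The dynamic port still exists on the client host, so whether it is reachable from outside depends on the host's network and firewall configuration, which this job file does not control.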