Docker networking setup that is private and proxied

by Limnic   Last Updated July 07, 2018 18:00 PM - source

Desired schema

Above is a layout of the desired network. I am struggling with getting it just right. The internal link from the router is not relevant for this problem.


  1. The only container directly exposed to the public, should be the proxy.
  2. All containers can communicate with eachother, preferrably via host name (see user-defined docker network).
  3. Some services such as Portainer require internet access (outgoing) to retrieve some data from their servers but should otherwise not be directly accessible.
  4. The host may be allowed to access container services directly, but only from the host itself, not externally.

What I have achieved so far:

  1. The proxy correctly proxies the desired containers to the outside.
  2. All containers can communicate with eachother and their IP can be resolved via service name.


  1. All containers are still accessible directly, without using the proxy (by using their exposed ports)
  2. If they are not in a bridge network they don't have internet, but if they are, they are accessible directly.

I believe 3 networks are necessary:

  1. An internal network for the containers themselves
  2. A network that has internet (but somehow does not expose any ports)
  3. A network that will be used by the proxy that gets exposed to the public

I am configuring everything via Portainer, and the docker host is using Firewalld. Thanks in advance for any suggestions!

Related Questions

Create a Docker container without internet access

Updated January 15, 2018 02:00 AM

Fail2Ban with Kubernetes? or any other alternative?

Updated August 10, 2018 11:00 AM

Docker compose and FirewallD

Updated October 28, 2018 13:00 PM