Restrict service access

Hey there,

We are using traefik in docker swarm mode. Our goal is now to restrict service access from several networks.

We have 3 master nodes, on which a keepalived service is running to provide a HAProxy for the solution. The cluster is thus reachable over a Virtual IP address which is redirected to a master node via VRRP. We would like to create more virtual IPs and bind them to specific entrypoints in traefik. The services then define over which entrypoint they are accessible. The idea is that the access from separate DMZs will be controlled and restricted in a firewall before the cluster (before the HAProxy), where the access to the specific Virtual IPs is set.

We tried to bind IP addresses directly to entrypoints in the toml file, but traefik says that those external IP addresses are not reachable / bindable.

Our question would be: How to bind external IP addresses to traefik entrypoints hosted in a swarm cluster, so that the services can be restricted and bound to these IPs / entrypoints?

Thank you in advance

Hi @james.dean, this is because your VIP is most certainly defined at the VM level, e.g. as network interfaces of the hosts' network stacks.
But Traefik is running in a container with its own network stack, isolated from the host's. So Traefik cannot bind to the interfaces of another network stack.

You might want to define Traefik's service or container to use the host's network instead of the default container one, by setting network to host, as described in https://docs.docker.com/network/host/ .

Let us know if you succeed?
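A swarm stack file that applies the reply's suggestion, added here as an illustration and not taken from the thread or from the Traefik project: Traefik joins the node's host network, each entrypoint binds to one VIP, and a service opts into a single entrypoint, so the firewall in front of the VIPs decides who can reach it. The VIPs 10.0.0.10 / 10.0.0.20, the entrypoint names, the image names and the Traefik v2 style static flags are assumptions; the thread's TOML entrypoints map onto the same `address` values.

```yaml
version: "3.7"

networks:
  hostnet:                # swarm equivalent of network_mode: host
    external: true
    name: host

services:
  traefik:
    image: traefik:v2.10
    networks:
      - hostnet           # now Traefik shares the host's interfaces and can bind the VIPs
    command:
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedByDefault=false   # only services with traefik.enable=true are routed
      # Assumption: backends publish their port on the host, so a host-networked Traefik
      # reaches them through that published address instead of an overlay IP.
      - --providers.docker.useBindPortIP=true
      # One entrypoint per VIP (assumed addresses). A service is only reachable through
      # the VIP(s) its router labels name, which is what the upstream firewall filters on.
      - --entrypoints.dmz-a.address=10.0.0.10:443
      - --entrypoints.dmz-b.address=10.0.0.20:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    deploy:
      mode: global                        # one instance per eligible node
      placement:
        constraints:
          - node.role == manager          # the nodes that carry the keepalived VIPs
    # Assumption: a node can bind a VIP it does not currently hold only if
    # net.ipv4.ip_nonlocal_bind=1 is set on the host; otherwise Traefik fails at startup there.

  intranet-app:
    image: example/intranet-app:latest    # placeholder image
    ports:
      - target: 8080
        published: 8080
        mode: host                        # published on the node, reachable from the host stack
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.intranet.rule=Host(`intranet.example.internal`)
        - traefik.http.routers.intranet.entrypoints=dmz-a   # reachable via 10.0.0.10 only
        - traefik.http.services.intranet.loadbalancer.server.port=8080
```

A service that must be reachable from both DMZs lists both names (`entrypoints=dmz-a,dmz-b`); one that names neither is not exposed at all because `exposedByDefault` is off.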