Isolating traffic between containers proxied by traefik

This may be more of a docker question, but my current solution is just to alter my traefik config so I figured I'd ask here.

My current deployment has all of my containers on a network called "traefik". Traefik is also on this network, and it's the default docker network in traefik.toml, so it makes things really easy.

But it just occurred to me that all containers can communicate with each other, and not just with traefik. Is there an easy way to isolate the containers from one another?

So far my plan is to have each container on its own network, and have traefik connect to all of them, but this makes deployment a pain since I'd have to update traefik's docker compose any time I add a service. Would this also affect performance?

The only other thing I could think of was putting a dumb nginx reverse proxy in front of everything which is connected to traefik's network and the container's network, while the container is only on its own network.

Is there an easier way to do this?
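Added example, not part of the original thread: a small audit that takes network membership in the shape of `docker network inspect` JSON and lists which backend containers share a network (and so can reach each other directly), plus any the proxy cannot reach. The container and network names (`wiki`, `git`, `db`, `wiki_net`, and so on) and the sample data are constructed for illustration, and the proxy container is assumed to be named `traefik`.

```python
import json
from itertools import combinations

PROXY = "traefik"  # assumed container name of the reverse proxy

# Constructed samples shaped like `docker network inspect` output
# (only the fields used here are kept).
SHARED = json.loads("""[
 {"Name": "traefik", "Containers": {
   "a1": {"Name": "traefik"}, "b2": {"Name": "wiki"}, "c3": {"Name": "git"}}}
]""")
PER_SERVICE = json.loads("""[
 {"Name": "wiki_net", "Containers": {"a1": {"Name": "traefik"}, "b2": {"Name": "wiki"}}},
 {"Name": "git_net", "Containers": {"a1": {"Name": "traefik"}, "c3": {"Name": "git"}}},
 {"Name": "db_net", "Containers": {"b2": {"Name": "wiki"}, "d4": {"Name": "db"}}}
]""")


def members(networks):
    """Map network name -> set of attached container names."""
    return {n["Name"]: {c["Name"] for c in (n.get("Containers") or {}).values()}
            for n in networks}


def lateral_paths(networks, proxy=PROXY):
    """Pairs of non-proxy containers sharing a network, with those networks."""
    paths = {}
    for net, names in members(networks).items():
        for pair in combinations(sorted(names - {proxy}), 2):
            paths.setdefault(pair, []).append(net)
    return paths


def unreachable_by_proxy(networks, proxy=PROXY):
    """Containers that share no network with the proxy (it cannot route to them)."""
    nets = members(networks)
    everyone = set().union(*nets.values()) - {proxy}
    reachable = set()
    for names in nets.values():
        if proxy in names:
            reachable |= names
    return sorted(everyone - reachable)


if __name__ == "__main__":
    for label, sample in (("shared", SHARED), ("per-service", PER_SERVICE)):
        print(label, lateral_paths(sample), unreachable_by_proxy(sample))
```

To run it against a live host, replace the samples with the parsed output of `docker network inspect $(docker network ls -q)`; each reported pair is a path to review, since some (an app and its database) are intended.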

Hello @kayson,

Usually the orchestration platform handles isolation in these scenarios.

In docker/docker swarm, networks are isolated, and therefore you are limited in this fashion.

You may want to look at Kubernetes, where isolation and namespacing are commonplace, and have solutions to the questions you are asking.

But as for docker, outside of using Docker Enterprise, you will not have many options as far as isolation and dynamic network discovery.

@daniel.tomcej

I figured that was the case. Thanks!