Traefik architecture behind physical load balancer

We're currently in the process of introducing Traefik as our proxy to our UI/API microservices that live in Docker Swarm.

Currently, we have 15 web servers sitting behind a physical load balancer with a dedicated VIP. Right now, Apache is running on the servers and proxying requests to physical ports that are being advertised by Swarm to the different microservices. The load balancer is handling SSL and distributing load to the servers.

My question is: what is the best way to set up Traefik to replace Apache? Our current mindset is to spin up Traefik as a Swarm service and run one instance per server. We'll move SSL handling from the physical load balancer to Traefik. Is this overkill? Do we need this many Traefik instances? Should we have fewer Traefik instances and shrink the physical load balancer pool? Should the Traefik instances be limited to running on Swarm manager nodes?

Thank you!

This is not easily accomplished with Traefik CE.

Each instance would attempt to manage Let's Encrypt individually, as well as rate-limit accounting and a couple of other things.

Running one Traefik in the Swarm would be fine. However, to move from node to node, the storage for Let's Encrypt needs to be available on each one.

If you're using the Docker socket, then yes, you will need to constrain Traefik to manager nodes.

TraefikEE is a good solution for a more robust setup.

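A Swarm stack file that puts the answer above into practice, added here as an example rather than code from the thread: a single Traefik replica (so only one ACME account and one rate-limit budget), pinned to manager nodes because it reads the Docker socket, with the ACME state on a volume that every manager can mount so the task can be rescheduled without losing its certificates. The image tag, hostnames, e-mail address, the `proxy` network name and the NFS server address are placeholders chosen for the example.

```yaml
# Added example, not from the original thread. Placeholders: ops@example.com,
# whoami.example.com, the "proxy" network and the NFS export for ACME state.
version: "3.8"

services:
  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      # Only route to services that opt in with traefik.enable=true
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=proxy
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Redirect plain HTTP to HTTPS at the entrypoint
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      # One ACME account for the single instance; its state lives on shared storage
      - --certificatesresolvers.le.acme.email=ops@example.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
    ports:
      # Published through the Swarm routing mesh, so the physical load balancer
      # can keep every node in its pool and any node forwards to the one replica.
      - "80:80"
      - "443:443"
    volumes:
      # A read-only bind of the socket still grants full Docker API access,
      # which is why the placement constraint below restricts it to managers.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - acme:/letsencrypt
    networks:
      - proxy
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.role == manager

  # Placeholder backend showing the labels a routed service needs
  whoami:
    image: traefik/whoami
    networks:
      - proxy
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
        - "traefik.http.routers.whoami.entrypoints=websecure"
        - "traefik.http.routers.whoami.tls.certresolver=le"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"

networks:
  proxy:
    driver: overlay

volumes:
  # Assumption: an NFS export reachable from every manager node. Any volume
  # driver that presents the same path on every eligible node will do.
  acme:
    driver: local
    driver_opts:
      type: nfs
      o: addr=10.0.0.5,rw,nfsvers=4
      device: ":/exports/traefik-acme"
```

Deploy with `docker stack deploy -c traefik.yml traefik`. Traefik creates `acme.json` with mode 0600 and refuses to start if the file is more permissive, so check that the shared export (root squashing in particular) preserves that mode. Publishing through the routing mesh is what lets the physical load balancer keep its existing pool; if you need the client's source address preserved instead, publish the ports in `mode: host` and then only the node currently running the replica will answer, so the load balancer's health checks must track it.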