I am using a Docker Swarm cluster and I am trying to work out the best way to interconnect and place the containers that implement my application.
The architecture is still pretty much "monolithic" (or classic model-view-controller): there is a web reverse proxy, an application server and a database; the application server may need to connect to the internet. Let's also assume there is a second application server that connects to the database and also needs to connect to the internet. Like this:
           } -> web revproxy -> app1 -> db <- app2
internet   }                    /             /
           } <=================='------------'
I am thinking about these improvements, especially with security in mind:
- 1.0. regarding components, I see one missing: the connections out from app1 and app2 should not be done directly; a forward proxy with a fixed ACL is needed.
- 2.0. regarding networking, I should create as many docker user-defined networks as needed to reach a situation where the only containers sharing a network are provider and consumer of a service in that network. So:
- 2.1. a network for revproxy and app1
- 2.2. a network for app1 and db
- 2.3. a network for app2 and db
- 2.4. a network for app1, app2 and fwproxy. But since this might be too many different containers in the same net, I can split further and have two different fwproxy containers, one authorizing the internet connections from app1 and one authorizing the connections of app2, and so this network will be split in two:
- 2.4.1. a network for app1 and fwproxy1
- 2.4.2. a network for app2 and fwproxy2
- 3.0. regarding placement, I should place web revproxy and the new fwproxy(s) on a docker node that is in the outer DMZ network (so at this point I am not talking about the docker networks I described before; this DMZ is the DMZ where you put your docker nodes, your machines)
- 3.1. this way revproxy can get ingress traffic (from an outer load balancer, for instance).
- 3.2. and fw rules are simpler to manage (if, for example, the fwproxy were placed in internal networks instead of the DMZ, its connections to the internet would need to directly traverse two firewall edges).
So my question is, basically: is any part of my reasoning incorrect?
Thanks in advance.
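One way to express the network layout from points 2.1 to 2.4.2 and the placement from point 3.0 as a Docker stack file. This is an added example, not code from the question or from any project it mentions; the image names, the `zone` node label, the proxy port 3128 and the `ALLOWED_HOSTS` variable are placeholders/assumptions about a hypothetical forward-proxy image. The security-relevant detail is `internal: true`: a container attached only to internal overlay networks gets no default route to the outside, so app1 and app2 physically cannot bypass their forward proxy, and only the two fwproxy services hold a non-internal (egress) network.

```yaml
version: "3.8"

services:
  revproxy:
    image: example/revproxy:latest            # placeholder image
    ports:
      - "443:443"                             # the only service that publishes a port (swarm ingress)
    networks: [edge_app1]                     # 2.1: revproxy <-> app1 only
    deploy:
      placement:
        constraints: ["node.labels.zone == dmz"]   # 3.0: assumed node label for DMZ hosts

  app1:
    image: example/app1:latest                # placeholder image
    environment:
      HTTP_PROXY: "http://fwproxy1:3128"      # assumed proxy port; the only way out for app1
      HTTPS_PROXY: "http://fwproxy1:3128"
    networks: [edge_app1, app1_db, app1_fwproxy1]   # 2.1, 2.2, 2.4.1

  app2:
    image: example/app2:latest                # placeholder image
    environment:
      HTTP_PROXY: "http://fwproxy2:3128"
      HTTPS_PROXY: "http://fwproxy2:3128"
    networks: [app2_db, app2_fwproxy2]        # 2.3, 2.4.2

  db:
    image: example/db:latest                  # placeholder image
    networks: [app1_db, app2_db]              # 2.2, 2.3: never on an edge or egress network

  fwproxy1:
    image: example/fwproxy:latest             # hypothetical forward-proxy image with a host ACL
    environment:
      ALLOWED_HOSTS: "api.partner1.example"   # constructed ACL value (1.0: fixed allow-list)
    networks: [app1_fwproxy1, egress1]        # app-facing internal net + the one non-internal net
    deploy:
      placement:
        constraints: ["node.labels.zone == dmz"]

  fwproxy2:
    image: example/fwproxy:latest
    environment:
      ALLOWED_HOSTS: "api.partner2.example"   # constructed ACL value
    networks: [app2_fwproxy2, egress2]
    deploy:
      placement:
        constraints: ["node.labels.zone == dmz"]

networks:
  # internal: true suppresses the docker_gwbridge attachment, so members of
  # these networks have no route to anything outside the swarm.
  edge_app1:
    driver: overlay
    internal: true
  app1_db:
    driver: overlay
    internal: true
  app2_db:
    driver: overlay
    internal: true
  app1_fwproxy1:
    driver: overlay
    internal: true
  app2_fwproxy2:
    driver: overlay
    internal: true
  # the only non-internal networks: one per forward proxy, so the egress
  # path of app1 and app2 stays separated end to end.
  egress1:
    driver: overlay
  egress2:
    driver: overlay
```

A quick check after `docker stack deploy` is to run a plain outbound request from inside an app1 task with the proxy variables unset; it should fail with no route, while the same request through `fwproxy1` succeeds only for hosts in the allow-list. The published port on revproxy still works because swarm attaches port-publishing services to its separate ingress network, independent of the internal flag on `edge_app1`.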