Closed vlcinsky closed 4 years ago
By default, Docker Swarm encrypts the traffic between the managers; you can also encrypt all overlay networks, and I think you can be fine even when running on servers with only a public IP available.
@baskinsy thanks for your comment.
It is great that encryption can be or is in place. I was just thinking that a VPN is often in place to keep this communication private, and if it is there, it seems better to use it.
Anyway, I do not feel like a Docker and networking expert, so I am fine with closing this issue if others feel it is acceptable as it is.
Thanks for the discussion here everyone!
Yep, what @baskinsy said. On the other hand, if you have a VPN in your infrastructure or any other requirements, you can easily adapt it to your needs. But I wouldn't assume it as the default for everyone as that's not the simplest use case/scenario.
Thanks for the note! I'll close this issue now, then.
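The address choice discussed in this thread, as an added example that is not part of the issue or of the project's docs: a shell script that picks the first RFC 1918 address from a node's candidate addresses for `--advertise-addr` and prints the `docker swarm init` and encrypted-overlay commands instead of running them. The function names, the sample addresses and the network name `app-net` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names, addresses and the network name are hypothetical.

# Return 0 only for a well-formed IPv4 address in 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;   # reject anything but digits and single dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split into octets (input is digits/dots only)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac # no leading zeros (ambiguous notation)
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    if [ "$1" -eq 10 ]; then return 0; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
    return 1
}

# Print the first private candidate; fail if every candidate is public.
pick_advertise_addr() {
    for candidate in "$@"; do
        if is_private_ipv4 "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Constructed sample: a node with one public and one VPN/private address.
# On a Linux host the list could come from `hostname -I`.
candidates="203.0.113.10 10.8.0.5"

if addr=$(pick_advertise_addr $candidates); then
    # Commands are printed, not executed, so the script is safe to run anywhere.
    echo "docker swarm init --advertise-addr $addr"
    echo "docker network create --driver overlay --opt encrypted app-net"
else
    echo "no private address found; swarm ports would sit on a public IP" >&2
fi
```

If no private address exists, the fallback mentioned in the thread still applies: manager traffic is encrypted by default, and `--opt encrypted` covers the overlay network's data traffic.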
On https://github.com/tiangolo/dockerswarm.rocks/blame/master/docs/index.md#L163 you recommend using a public IP for `--advertise-addr`. My understanding is that it must be an IP visible to all other nodes, but if possible (e.g. on a virtual machine with a VPN), a private network address is more secure, as the swarm leader will not have to expose its ports to the public internet.
I would recommend the following wording: