Docker documentation for external load balancer to docker hosts in swarm mode (why?)

dockerdocker-swarm

In reading the documentation for Docker Swarm 1.12 there is a section describe how to configure HAProxy to load balance traffic to swarm hosts.

https://docs.docker.com/engine/swarm/ingress/#/configure-an-external-load-balancer

If I understand Docker Swarm > 1.12 there shouldn't be a need to setup a load balancer in this way because Swarm has an internal load balancer and DNS.

Wouldn't a proper approach be to stand up a reverse proxy to the service name (DNS alias) and let the Swarm load balancer do the work?

For example in nginx you could do:

location /somepath/ {
    proxy_read_timeout 900;                
    proxy_pass http://service-name/;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

My assumption is that the service is deployed to a private network overlay and the service that needs to be exposed externally is deployed to the private network and a proxy network where the nginx or haproxy service is also deployed.

docker service create 
 --name recurrence-service \
 --replicas 3 \
 --network my-service \
 --network proxy  \
 mycompany/my-web-server

Best Answer

I think your approach sounds good and I don't think there is any requirement for an external LB. We put an ELB in front of ours but that's more to keep it standard with other services and have a central place where we do SSL.

Related Solutions

Docker – we (not) load balance across multiple hosts in a Docker Swarm cluster

I think this a comment on option 1.

I'm looking at this also and from what I can tell in Docker Swarm > 1.12 all you have to do is create a reverse proxy to the service/website. What I did in my proof of concept is, 1) create two overlay networks, one for a proxy network which will be external facing and one for my service network which is internal only then 2) deployed 3 replicas of the service attaching it to the service overlay and the proxy overlay network (--network proxy --network my-service). Finally, I stood up an nginx reverse proxy that is bound to my corporate alias which will accept incoming connections on port 80 and 443.

sudo docker service create --name proxy \ 
-p 80:80 \
-p 443:443 \
--network proxy \
--mount type=volume,source=reverse-proxy,target=/etc/nginx/conf.d,volume-driver=azurefile \
--mount type=volume,source=ssl,target=/etc/nginx/ssl,volume-driver=azurefile \
nginx

The mounts are simply there so I don't have to copy files to each host. This mount is pointing to an Azure File Storage account which makes spinning up more containers much more maintainable.

The reverse proxy looks like this:

location /my-service/ {
    proxy_read_timeout 900;                
    proxy_pass http://my-service/;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

http://my-service is an internal to swarm DNS record that always points to a VIP where my service is hosted whether that be 1 node or 1,000 nodes. From what I can tell, every service you deploy gets it's own subnet range and the master nodes keep track of where the containers are running and handle the routing for you.

Currently we have multiple A-records pointing at the different host IPs and that uses round robin however we might move this from Windows Server managed DNS to Azure Traffic Manager for more control.

Nginx in front of docker swarm services

I'd recommend swapping out the statically defined nginx reverse proxy for traefik which is swarm aware and can dynamically reconfigure itself as services are deployed and destroyed.

Here's a sample implementation:

create a network for the traefik to talk to containers: docker network create proxy
Make a traefik.toml, here's an example:

traefik.toml

accessLogsFile = "/proc/1/fd/1"
defaultEntryPoints = ["http"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
[web]
address = ":8080"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "localhost"
watch = true
swarmmode = true
constraints = ["tag==frontend"]

Sample compose file for traefik:

docker-compose.traefik.yml

version: '3'

networks:
  proxy:
    external:
      name: proxy

services:
  traefik:
    image: traefik:latest
    volumes:
    - ./traefik.toml:/etc/traefik/traefik.toml:ro
    - /var/run/docker.sock:/var/run/docker.sock
    ports:
    - 80:80
    - 8080:8080
    networks:
    - proxy
    restart: unless-stopped

Configure your app with labels and on the same network.

docker-compose.app.yml

version: '3'

networks:
  proxy:
    external: true

services:
  webtest:
    image: nginx:latest
    networks:
    - default
    - proxy
    labels:
    - traefik.frontend.rule=PathPrefixStrip:/webtest
    - traefik.port=80
    - traefik.docker.network=proxy
    - traefik.tags=frontend
    restart: unless-stopped

The rule above uses path prefixes for the container for simplicity, but you can use any rule you prefer to proxy your application.

Best Answer

Related Solutions

Docker – we (not) load balance across multiple hosts in a Docker Swarm cluster

Nginx in front of docker swarm services

Related Topic