Microsegmentation of Containers

Hi *,

I really like the whole Rancher product line. I have a small requirement from a security perspective. It concerns outgoing container connections. All my containers are in the managed network. The policy rule states that only containers within a label are allowed to communicate.

Question: How do I achieve this situation: Container C1 wants to communicate with an external Database. Container C2 running in the same environment is not allowed to do any outgoing communication?

The keyword here is “microsegmentation”. The whole environment is behind a firewall and I cannot identify the container which wants to communicate with an external server.

Hopefully anybody has a similar requirement.


Short idea: Turning off the Docker masquerade with the option --ip_masq would possibly show managed IP addresses for outgoing traffic… But it seems to be complicated…

It’s not the same, but it might spark ideas:


I also thought this might be a solution but it is not. I will explain that a little bit:

My problem is restricting access to internal services like mysql, mongodb, and swift. This happens by IP address at the firewall. There are roughly 50 services.

With the idea of node labels, I would have to mark a host with, for example, a mysql_access label… This would work, BUT there are many more combinations possible, which would result in (n+k-1) out of k host nodes (I hope my memory of school mathematics is correct). TL;DR: there are too many host nodes if I need one host per label for each service that has access control enabled.

The easiest way would be to reach the internal managed IP addresses, so that every container could be addressed by IP address. In order to do that, I switched off masquerade at the serving host and added a route to the network at the Rancher server. Unfortunately the network manager containers do not come up, and at the moment the log messages are not very helpful.

Is that possible, though? Maybe I am just thinking too complicated… What do you think of this idea?

Another solution would be to completely block any outgoing container traffic, and only allow the external services defined in the stack to be reached from the container. I started a discussion here: https://github.com/rancher/rancher/issues/8312

If anybody has the same requirement.
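To make the "default-deny egress, allowlist only the stack's external services" idea concrete, here is an added example that is not part of the thread and not Rancher's own code. It generates host-level iptables rules (printed for review rather than applied) and assumes a managed network of 10.42.0.0/16, Docker's DOCKER-USER chain, and constructed sample addresses for C1, C2 and the external database.

```shell
#!/bin/sh
# Assumption (not from the thread): the managed network range and the
# DOCKER-USER chain; the container and database IPs below are constructed.
MANAGED_NET="10.42.0.0/16"

# One allowlist entry: container IP -> external destination IP:port (TCP).
# Uses -I so allow rules land in front of the default-deny rules.
allow_egress() {
    c_ip=$1; dst=$2; port=$3
    printf 'iptables -I DOCKER-USER -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
        "$c_ip" "$dst" "$port"
}

# Default-deny: new connections from the managed network to any address
# outside it are logged with the container's source IP (so the firewall
# operator can tell which container tried) and then dropped. Replies to
# inbound connections are unaffected because only NEW state is matched.
default_deny() {
    printf 'iptables -A DOCKER-USER -s %s ! -d %s -m conntrack --ctstate NEW -j LOG --log-prefix "egress-deny: "\n' \
        "$MANAGED_NET" "$MANAGED_NET"
    printf 'iptables -A DOCKER-USER -s %s ! -d %s -m conntrack --ctstate NEW -j DROP\n' \
        "$MANAGED_NET" "$MANAGED_NET"
}

# The scenario from the thread: C1 (10.42.1.10) may reach an external
# MySQL at 192.0.2.20:3306; C2 (10.42.1.11) has no entry and is denied.
generate_policy() {
    default_deny
    allow_egress 10.42.1.10 192.0.2.20 3306
}

generate_policy
```

Review the printed commands, then pipe `generate_policy` into `sh` on each host to apply them.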

For anyone who is interested in this feature. I created a pull request where you can test this functionality: https://github.com/rancher/network-policy-manager/pull/7