Skip to content

Warning

Our understanding of Docker networking is probably wrong. We're working on it.

Traefik networking

When a new Co-op Cloud instance is made, we make a "global" overlay network which traefik sits on. This is the network that other apps use to speak to traefik and get traffic routed to them. Not every service in every app is also included in this network and hence not internet-facing.

App networking

One service in an app, typically the one called app, sits on the "global" traefik network. This container is the one that should be publicy reachable on the internet. The other services in the app such as the database and caches should be not be publicly reachable or visible to other apps on the same instance.

To deal with this, we make an additional "internal" network for each app which is namespaced to that app. So, if you deploy a Wordpress instance called my_wordpress_blog then there will be a network called my_wordpress_blog_internal created. This allows all the services in an app to speak to each other but not be reachable on the public internet.

Avoiding namespace conflicts

When referencing an app service in a config file, you should prefix with the STACK_NAME to avoid namespace conflicts (because all these containers sit on the traefik overlay network). You might want to do something like this {{ env "STACK_NAME" }}_app (using Golang templating).