Encryption of network traffic between services
Docker Swarm can optionally encrypt network traffic - both for stack-internal networks, and for networks that span stacks and/or nodes.
With this option enabled, traffic on the network is carried over IPsec tunnels, using AES encryption with automatically rotated keys.
To quote the Docker docs:
This encryption imposes a non-negligible performance penalty, so you should test this option before using it in production.
That performance penalty is also why the public network that comes on Planetary Quantum nodes with a load balancer is not encrypted by default.
You can create encrypted networks via the Quantum Console, by going to Networks => Add Network, choosing the overlay driver, and adding an option encrypted: true:

Alternatively, you can set that option directly in your stack files:
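A stack file along these lines shows the option in context. It is an added example, not the page's own listing; the service names, images, the stack name `mystack` and the network names `backend` and `public` are assumptions.

```yaml
# Added example stack file. Service names, images and network names
# are assumptions, not taken from the original page.
version: "3.8"

services:
  web:
    image: nginx:alpine
    networks:
      - public     # load-balancer network, not encrypted by default
      - backend    # encrypted service-to-service traffic
  api:
    image: example/api:latest   # placeholder image
    networks:
      - backend    # reachable only over the encrypted network

networks:
  # Network that already exists on the nodes (name assumed here);
  # "external" makes the stack attach to it instead of creating it.
  public:
    external: true

  # Stack-internal overlay network with encryption enabled.
  backend:
    driver: overlay
    driver_opts:
      encrypted: "true"

# Check after `docker stack deploy -c stack.yml mystack`, on a manager:
#   docker network inspect mystack_backend --format '{{json .Options}}'
# The options shown should include "encrypted".
#
# The IPsec tunnels use ESP (IP protocol 50), so firewalls between the
# nodes must allow that protocol in addition to the usual Swarm ports.
```

Services that exchange sensitive data belong on the encrypted `backend` network only; anything attached to the unencrypted network still sends that traffic in the clear between nodes.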