Is network security / encryption provided by default in docker swarm mode?


In this document it says that:

Overlay networking for Docker Engine swarm mode comes secure out of the box. You can also encrypt data exchanged between containers on different nodes on the overlay network. To enable encryption, when you create an overlay network pass the --opt encrypted flag:

> $ docker network create --opt encrypted --driver overlay my-multi-host-network

So if all the containers are running on the my-multi-host-network, is all the traffic between the containers encrypted automatically? In other words, is it as if all the containers were running SSL, and if REST is used to communicate from container A to container B, the REST request (or requests via any other communication protocol, AMQP, etc.) is encrypted?

1 answer

Frank Louwers:

There are three networking planes in any orchestrator:

  • Management plane (the "brains")
  • Control plane (the "discovery")
  • Data plane (the "move-packets")

The first two are encrypted by default in Swarm; you don't need to do anything special. The data plane is not encrypted by default, for performance reasons. However, you can easily encrypt it using the --opt encrypted option.

If you create an encrypted network, an IPsec tunnel will be enabled for the data plane. So yes, all communication between containers on that network will be encrypted.
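The answer says to pass --opt encrypted at creation time; a practitioner also wants to confirm afterwards that a given overlay network actually got the option, since an unencrypted network looks identical from inside the containers. The following is an added example, not code from the question, the answer or Docker itself. It wraps the create command from the answer and checks the network's driver options with docker network inspect. It assumes a Docker host already in swarm mode, uses my-multi-host-network as a placeholder name, and assumes (as observed on current Docker engines) that an encrypted overlay network reports an "encrypted" key under Options in the inspect output; the JSON sample in the test is constructed to match that shape.

```shell
#!/bin/sh
# Added example (not from the question or answer): create an overlay network
# with data-plane encryption and verify that the option was applied.
# Assumes a Docker host in swarm mode; the network name is a placeholder.

# Create the network exactly as the answer describes. Overlay networks are
# immutable once created: you cannot add --opt encrypted to an existing one,
# so the option has to be present here.
create_encrypted_overlay() {
    docker network create --driver overlay --opt encrypted "$1"
}

# Print the network's driver options as a JSON object, e.g. {"encrypted":""}
# for an encrypted overlay or {} for a plain one (real docker CLI syntax;
# the exact Options shape is assumed from observed inspect output).
inspect_options() {
    docker network inspect -f '{{ json .Options }}' "$1"
}

# Classify an Options JSON string: "encrypted" if the encrypted key is
# present, "plaintext" otherwise. Pure shell so it can also be run against
# saved inspect output on a machine without Docker.
classify_options() {
    case "$1" in
        *'"encrypted"'*) echo "encrypted" ;;
        *)               echo "plaintext" ;;
    esac
}

# Combine the two: report the data-plane state of a live network by name.
network_encryption_state() {
    classify_options "$(inspect_options "$1")"
}

# Only run the live commands when invoked with a network name, so the
# functions above can be sourced and tested without a Docker daemon.
if [ "$#" -eq 1 ]; then
    create_encrypted_overlay "$1"
    echo "$1: data plane is $(network_encryption_state "$1")"
fi
```

Run it as `sh check-overlay.sh my-multi-host-network` on a manager node; the last line should read "data plane is encrypted". If it reports "plaintext", the network was created without the option and must be removed and recreated with --opt encrypted, since the management and control planes being encrypted by default (as the answer notes) says nothing about container-to-container traffic.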