I am building a new microservice which is a Python Flask app that is fronted by gunicorn and can take and respond to HTTP GET requests. It's kind of like a local proxy service to an external API. I run the gunicorn app on port 5000. I want to remap the port to something in line with my other services, but I also want to restrict this container so it is only accessible by other containers on my host; I never want this container to be accessible by the outside world. However, it needs to be able to reach the outside world to make the API request.
So I thought I would bind a port that is in line with what my other containers use and restrict it to localhost by running the container like below:
docker run --name proxy-app --env SECRET="MYSECRET" -p 127.0.0.1:9000:5000 -d killerkode/proxy-app
On the host system, I can successfully send requests to the container by running something like:
curl -XPOST -H "Content-type: application/json" -d '{"message": "test"}' 'http://127.0.0.1:9000/send_message'
But then I run another container, and when I exec into that container and run the same curl command, it can't see localhost. I assumed this is because inside the container, localhost is different from outside the container.
So I looked into Docker networks and decided to create a bridge network. I put both containers on the same bridge network and then tried the same command using the proxy container's IP (which, for argument's sake, let's say is 172.30.1.2), but the problem I have is that the request works on port 5000 but not on port 9000. I don't want the second container to see port 5000 at all; I want it to only see port 9000 and have that as its only access to the proxy container, just like the host system cannot see port 5000 but can send requests to port 9000.
curl -XPOST -H "Content-type: application/json" -d '{"message": "test"}' 'http://172.30.1.2:5000/send_message'
TL;DR: I am trying to get 2 containers running on 1 host. The first container (the proxy container) needs to remap its app port from 5000 to 9000, and then it should only be accessible by the host system or other containers on the host system, on port 9000 only. How do I achieve this?
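Added example, not part of the question above: a docker-compose.yml showing the two behaviours the question runs into. A -p / ports mapping only rewrites traffic that arrives on the host's interfaces; containers on the same bridge network connect to whatever port the process inside the container is actually listening on. So the way to make 9000 the only port anyone sees is to have gunicorn bind 9000 inside the container and publish 9000 on the host's loopback address only. The image name, SECRET variable and curl request are taken from the question; the gunicorn module name app:app, the network name backend and the curlimages/curl consumer image are assumptions for illustration.

```yaml
# Added example (not the question's own files): proxy reachable on port 9000
# only, from the host's loopback and from sibling containers on "backend".
# app:app, the "backend" network and the curlimages/curl image are assumptions.
services:
  proxy-app:
    image: killerkode/proxy-app
    environment:
      SECRET: "MYSECRET"
    # Listen on 9000 inside the container. Other containers on the bridge
    # talk to this listening port directly; a ports: mapping does not apply
    # to container-to-container traffic, so nothing else should listen on 5000.
    command: ["gunicorn", "--bind", "0.0.0.0:9000", "app:app"]
    # Publish to the host's loopback interface only. A bare "9000:9000" (or
    # "9000:5000") binds 0.0.0.0 and makes the service reachable from outside.
    ports:
      - "127.0.0.1:9000:9000"
    networks:
      - backend
    # Outbound calls to the external API still work: a user-defined bridge
    # network is NATed out through the host unless it is marked internal: true.

  consumer:
    image: curlimages/curl
    # Reach the proxy by service name; Docker's embedded DNS resolves it on
    # user-defined networks. Port 5000 is not listening, so it is unreachable.
    command:
      - "curl"
      - "-s"
      - "-XPOST"
      - "-H"
      - "Content-type: application/json"
      - "-d"
      - "{\"message\": \"test\"}"
      - "http://proxy-app:9000/send_message"
    networks:
      - backend
    depends_on:
      - proxy-app

networks:
  backend:
    driver: bridge
```

Run with docker compose up; the consumer's request goes to proxy-app:9000 over the bridge, and from the host the same endpoint is http://127.0.0.1:9000/send_message. Two caveats worth checking: a port published without an explicit address is inserted by Docker directly into the host's iptables chains, so a host firewall such as ufw does not block it; and if the image's Dockerfile hard-codes --bind 0.0.0.0:5000 in its CMD, the command: override above replaces it, otherwise the process would still answer on 5000 for any container on the network.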