How to isolate bridges against each other?


I am thinking about performing the following setup for load-balanced websites with LXD containers:

  • container 1 - haproxy
  • container 2 … n - apache
  • container n+1 - mysql

For this approach I created one bridge called wanbr0, which is connected to the physical eth0 of the server and to eth0 of the haproxy container. A second bridge, called webbr0, is created to connect haproxy at eth1 and the apache containers at eth0. A third bridge called dbbr0 should connect the apache containers with the mysql container.

The reason is to ensure that all traffic from outside is routed through haproxy and to ensure that only the apache containers can access the databases.

Actually, each container can access every service on all the other containers. How can I get the containers to only accept input from within their bridges?

Thanks in advance!


Right now all your containers can talk to each other because your host is acting as a router.
You’d need to set up firewalling on your host to prevent this from happening.
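The host-side firewalling referred to above, as an added example that is not part of the thread and not LXD's own code: an nftables ruleset for the LXD host that stops it forwarding packets between the bridges. It assumes the bridge names from the question (wanbr0, webbr0, dbbr0), an nftables-based host with `nft -f` available, and a table name (`lxd_isolation`) chosen here for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): nftables rules for the LXD host so that
# it no longer routes between wanbr0, webbr0 and dbbr0. Bridge names are the
# ones from the question; the table name is an arbitrary choice made here.
set -eu

WAN=wanbr0
WEB=webbr0
DB=dbbr0

# Print the ruleset rather than applying it, so it can be reviewed or diffed.
lxd_bridge_ruleset() {
    cat <<EOF
# Declare, then delete, then recreate: makes the script idempotent.
table inet lxd_isolation
delete table inet lxd_isolation
table inet lxd_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed in the other direction.
        ct state established,related accept
        ct state invalid drop

        # Frames entering and leaving on the same bridge only reach this chain
        # when br_netfilter is loaded (bridge-nf-call-iptables=1); keep
        # intra-bridge traffic working in that case.
        iifname "$WAN" oifname "$WAN" accept
        iifname "$WEB" oifname "$WEB" accept
        iifname "$DB" oifname "$DB" accept

        # Anything crossing a bridge boundary via the host (apache -> wan,
        # mysql -> web, ...) is logged, then hits the chain policy and is dropped.
        limit rate 5/minute log prefix "lxd-bridge-drop: "
    }
}
EOF
}

# Syntax-check only (no changes to the running ruleset).
check_ruleset() {
    lxd_bridge_ruleset | nft -c -f -
}

# Load into the kernel; needs root.
apply_ruleset() {
    lxd_bridge_ruleset | nft -f -
}

case "${1:-}" in
    check) check_ruleset ;;
    apply) apply_ruleset ;;
esac
```

Run it with `check` first, then `apply`. Two caveats a practitioner should keep in mind: the forward hook only sees packets the host routes, so anything addressed to the host itself (LXD's dnsmasq on a bridge, SSH on the host) goes through the input hook and needs its own rules if that matters; and with policy drop the apache containers also lose any outbound path through the host (package updates, for instance), so add an explicit `iifname "webbr0" oifname "wanbr0"` accept rule if that is wanted.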

Thank you for the reply. Are there any plans to add a feature so that the interconnect between the containers can be controlled via bridges?


We’ve been trying to stay away from having to implement advanced firewalling and routing in LXD itself as that does tend to get very complicated very quickly :)

It’s not to say we won’t do it eventually, but right now, you’re better off doing it yourself through whatever firewall mechanism is provided by your distro.

We also have an open GitHub issue to better integrate Open vSwitch, including OVN support. My understanding is that the OVN SDN would give us some of those firewalling features as well as cross-host networking.

You could also remove the IP address on dbbr0 and webbr0, so your host doesn’t know how to get to webbr0 and dbbr0.
You need to use fixed IP addresses and assign them yourself in the containers.
Lastly, you should of course then attach webbr0 and dbbr0 to the haproxy container. So the only one who knows how to get to the dbbr0 and webbr0 subnets is haproxy.
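The three steps above (take the host's address off the internal bridges, attach the bridges to the containers, give the containers fixed addresses), as an added example that is not from the thread and not LXD's own code. Network names (wanbr0/webbr0/dbbr0), container names (haproxy, apache1, apache2, mysql), the 10.20.0.0/24 (web) and 10.30.0.0/24 (db) subnets, and the use of netplan inside the containers are all assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the thread: lxc commands carrying out the advice
# above. Names, subnets and netplan-based containers are assumptions.
# DRY_RUN=1 prints every lxc command instead of executing it.
set -eu

DRY_RUN=${DRY_RUN:-0}
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# 1. Take the host's address off both internal bridges. LXD then no longer runs
#    dnsmasq (DHCP/DNS) on them and the host has no route into either subnet,
#    so it cannot forward between them. (The thread uses "lxc network unset";
#    setting the key to "none" is the explicit form of the same thing.)
detach_host_from_bridges() {
    for br in webbr0 dbbr0; do
        run lxc network set "$br" ipv4.address none
        run lxc network set "$br" ipv6.address none
    done
}

# 2. Wire the bridges to the containers. haproxy keeps eth0 on wanbr0 and gets
#    a leg on each internal bridge; apache containers get webbr0 and dbbr0;
#    mysql sits on dbbr0 only.
attach_bridges() {
    run lxc network attach webbr0 haproxy eth1 eth1
    run lxc network attach dbbr0 haproxy eth2 eth2
    for c in apache1 apache2; do
        run lxc network attach webbr0 "$c" eth0 eth0
        run lxc network attach dbbr0 "$c" eth1 eth1
    done
    run lxc network attach dbbr0 mysql eth0 eth0
}

# 3. Static addressing inside the containers, since nothing hands out leases
#    any more. Arguments are iface=CIDR pairs. Deliberately no gateway or
#    routes: an apache or mysql container with no default route cannot reach
#    anything beyond the bridges it is attached to, whatever the host does.
netplan_static() {
    printf 'network:\n  version: 2\n  ethernets:\n'
    for pair in "$@"; do
        printf '    %s:\n      addresses: [%s]\n' "${pair%%=*}" "${pair#*=}"
    done
}

configure_container_addresses() {
    i=11
    for c in apache1 apache2; do
        netplan_static "eth0=10.20.0.$i/24" "eth1=10.30.0.$i/24" \
            | run lxc file push - "$c/etc/netplan/60-lxd-static.yaml"
        run lxc exec "$c" -- netplan apply
        i=$((i + 1))
    done
    netplan_static eth0=10.30.0.2/24 \
        | run lxc file push - mysql/etc/netplan/60-lxd-static.yaml
    run lxc exec mysql -- netplan apply
    # haproxy's eth0 (wanbr0) keeps whatever configuration it already has.
    netplan_static eth1=10.20.0.1/24 eth2=10.30.0.1/24 \
        | run lxc file push - haproxy/etc/netplan/60-lxd-static.yaml
    run lxc exec haproxy -- netplan apply
}

case "${1:-}" in
    apply) detach_host_from_bridges; attach_bridges; configure_container_addresses ;;
esac
```

Run with `DRY_RUN=1 sh isolate.sh apply` to see the exact command sequence before touching a live host. Note that this approach removes the host's route, not the host's ability to forward in general: if any container on webbr0 or dbbr0 is later given a default route pointing at an address the host answers on, the host will route for it again, which is why the netplan fragments above carry no gateway.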

@stgraber: I was already thinking about setting up Open vSwitch. As far as I read, it can be very complicated to set up, and actually my setup is simpler.

@idef1x: Thank you! That was it... I just unset the ipv4.address with lxc network for the networks that should not be available from outside. Static IPs were already given within the haproxy config to all containerized apaches that are served to the world by haproxy.