Docker Swarm mode internal network able to ping host and external network

[Deepak-Vohra]

The Docker Swarm mode internal network is designed to be internal to the service, but is able to ping host and external network.

1. Create a 3 node Swarm on CoreOS.

core@ip-172-30-2-7 ~ $ docker node ls
ID                           HOSTNAME                      STATUS  AVAILABILITY  MANAGER STATUS
1v5xo9a5qotjqby4tm22oxr6h    ip-172-30-2-171.ec2.internal  Ready   Active        
3ncsjq5v2urg78jjm75aydldi *  ip-172-30-2-7.ec2.internal    Ready   Active        Leader
ae9jr8vj6s3hpy2v6yjmcmdst    ip-172-30-2-163.ec2.internal  Ready   Active   

2. List default networks.

core@ip-172-30-2-7 ~ $ docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
a28b3d48c764        bridge              bridge              local               
07b1daefd44a        docker_gwbridge     bridge              local               
e361ccca6077        host                host                local               
01tcqnl6eclq        ingress             overlay             swarm               
ed5e712689cd        none                null                local       

3. Create an internal network.

core@ip-172-30-2-7 ~ $ docker network create \
>    --subnet=10.0.0.0/16 \
>    --gateway=10.0.0.100 \
>    --internal  \
>    --label HelloWorldService \
>    --ip-range=10.0.1.0/24 \
>   --driver overlay \
>   hello-world-network
58fzvj4arudk2053q6k2t8rrk
core@ip-172-30-2-7 ~ $ docker network ls
NETWORK ID          NAME                  DRIVER              SCOPE
a28b3d48c764        bridge                bridge              local               
07b1daefd44a        docker_gwbridge       bridge              local               
58fzvj4arudk        hello-world-network   overlay             swarm               
e361ccca6077        host                  host                local               
01tcqnl6eclq        ingress               overlay             swarm               
ed5e712689cd        none                  null                local         

4. Create a service with internal network.

core@ip-172-30-2-7 ~ $ docker service create \
>   --name hello-world \
>   --network  hello-world-network \
>   --publish 8080:80 \
>   --replicas 1 \
>   tutum/hello-world
3xtja44kx7m0ok9krpl8b6tdm

5. List service container.

core@ip-172-30-2-7 ~ $ docker ps
CONTAINER ID        IMAGE                      COMMAND                  CREATED             STATUS              PORTS               NAMES
522d573fb8bf        tutum/hello-world:latest   "/bin/sh -c 'php-fpm "   22 seconds ago      Up 19 seconds       80/tcp              hello-world.2.6c7vp3um58h0bmc4yo04tapjh

6. Ping external network from service container in internal network.

core@ip-172-30-2-7 ~ $ docker exec -it  522d573fb8bf  ping -c 1 google.com
PING google.com (172.217.5.238): 56 data bytes
64 bytes from 172.217.5.238: seq=0 ttl=47 time=0.977 ms

--- google.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.977/0.977/0.977 ms

7. Similarly ping host