Docker makes it amazingly easy to build and deploy services. If you’re not ready to commit to Kubernetes, there is a way to run your Docker containers with full security and policy management – deploy your container into a MicroPerimeter™ Edge network.
In a very simplified view, you deploy MicroPerimeter™ Edge in Standalone mode on your host, then you deploy your docker container into the same docker network without exposing it to the host: that is, the only way you can reach your docker container is through a MicroPerimeter™ Security layer.
This means you can add any security policy you want to your target container without having to change your code or bake in any other security: OAuth/OIDC, custom security policies, or even a tie back to the CIAM server to require MFA or other IdP attributes to secure services.
This document is a quick, step-by-step guide to setting up MicroPerimeter™ Edge in a way that lets you deploy your docker container, identify it in Edge, and start applying security to your docker containers.
Step 1: Get the demo code
You can get going with our free demo — just click on the Try Now button, submit your name and email, and activate your account to get the download.
Download the bundle, and go to the ./standalone folder — from there you can run a command (./bin/verify_prerequisites.sh) which will show you what you may be missing from the build. In particular, you will need
You will also need to make sure you give your Docker at least 6GB of RAM, 8 is better.
Step 3: Configure for Static IPs
Usually we just let Docker assign the IP addresses inside of its network, but because we’re going to want to find our specific docker container later, we’ll want to give it a static IP address. This will allow us to keep our configuration the same no matter how we move it from host to host — MicroPerimeter™ Edge will always be able to route the traffic the same way.
To do this we need to modify the two docker-compose files to include subnet details — you will need to edit external-services.yaml and standalone.yaml by adding the ipam declaration:
networks:
  system:
    driver: bridge
    ipam:
      config:
        - subnet: 172.16.238.0/24
          gateway: 172.16.238.1
This will allow us to add a specific IP to our container later and identify it in MicroPerimeter™ Edge.
At this point, we follow the steps to install Edge that we have in our tutorial at https://docs.microperimeter.cloudentity.com/tutorials/edge_example/1-instalation/ .
Log into Cloudentity’s Artifactory repository:
echo "HnqXgjVD2ty8QQQIBuaGI6mXoKl7PzCb" | docker login -u microperimeter docker-microperimeter.artifactory.cloudentity.com --password-stdin
Run the docker compose command:
CURRENT_UID=$(id -u) docker-compose -f external-services.yaml -f standalone.yaml -p standalone up -d --build
and apply the security policies Edge needs to operate:
./bin/mpctl.sh import -d policies/system/standalone.yaml -d policies/scopes.yaml policies/system/default.yaml
Everything should run the same, only now it’s running in the subnet we specified in step 3.
In this step we create the simplest custom docker container to test — it builds nginx and lets you put any HTML in it you want. The Dockerfile is two lines:
FROM nginx
COPY my-html /usr/share/nginx/html
and you can put any HTML content you want into a folder called my-html. In our example we have a few files that describe cats and dogs, so when we built the docker image, all we had to do was
docker build -t catsdogs .
Because we’ve already defined a docker network in the docker-compose step, we can now deploy this image directly into that same network and specify an IP address we can use to find it later:
docker run --ip 172.16.238.20 --network="standalone_system" catsdogs
This runs the container without exposing any external ports to the host, which means the only way we can reach it is through something that knows how to talk to it on the inside, but is routed to the outside — i.e. MicroPerimeter™ Edge.
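The two properties this setup relies on are easy to state but worth verifying after each deployment: the container carries the pinned address from the ipam subnet declared in step 3, and it publishes no ports to the host, so the gateway really is the only way in. The following script is an added example, not part of the tutorial or of the MicroPerimeter™ product; it reads the JSON that `docker inspect <container>` prints and reports anything that breaks either property. The subnet, gateway, network name and container IP are the values used above; the embedded inspect output is a constructed sample that contains only the fields the check reads.

```python
"""Check that a container deployed beside MicroPerimeter Edge is reachable only
from inside the docker network: pinned IP inside the declared subnet, no ports
published to the host. Added example; parses `docker inspect` output.
"""
import ipaddress
import json

# Values from the tutorial: ipam subnet/gateway, network name and the --ip address.
SUBNET = ipaddress.ip_network("172.16.238.0/24")
GATEWAY = ipaddress.ip_address("172.16.238.1")
EXPECTED_NETWORK = "standalone_system"
EXPECTED_IP = "172.16.238.20"

# Constructed sample of the relevant parts of `docker inspect catsdogs` output.
# A real dump has many more fields; only the ones the check reads are included.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/catsdogs",
    "HostConfig": {"NetworkMode": "standalone_system", "PortBindings": {}},
    "NetworkSettings": {
        "Ports": {"80/tcp": None},          # exposed by the nginx image, not published
        "Networks": {
            "standalone_system": {
                "IPAMConfig": {"IPv4Address": "172.16.238.20"},  # set by --ip
                "IPAddress": "172.16.238.20",
            }
        },
    },
}])


def published_ports(container: dict) -> list[str]:
    """Return 'containerPort -> hostIp:hostPort' for every port published to the host."""
    found = []
    # NetworkSettings.Ports: None / [] means exposed but not published; a list means published.
    for cport, bindings in (container.get("NetworkSettings", {}).get("Ports") or {}).items():
        for b in bindings or []:
            found.append(f"{cport} -> {b.get('HostIp', '')}:{b.get('HostPort', '')}")
    # HostConfig.PortBindings holds the requested -p mappings; check it as well.
    for cport, bindings in (container.get("HostConfig", {}).get("PortBindings") or {}).items():
        for b in bindings or []:
            entry = f"{cport} -> {b.get('HostIp', '')}:{b.get('HostPort', '')}"
            if entry not in found:
                found.append(entry)
    return found


def check_container(inspect_json: str) -> list[str]:
    """Return a list of problems; an empty list means the container matches the tutorial setup."""
    container = json.loads(inspect_json)[0]
    problems = [f"port published to host: {p}" for p in published_ports(container)]

    nets = container.get("NetworkSettings", {}).get("Networks") or {}
    if EXPECTED_NETWORK not in nets:
        problems.append(f"not attached to {EXPECTED_NETWORK} (found: {sorted(nets)})")
        return problems
    extra = sorted(set(nets) - {EXPECTED_NETWORK})
    if extra:
        problems.append(f"also attached to other networks: {extra}")

    net = nets[EXPECTED_NETWORK]
    try:
        ip = ipaddress.ip_address(net.get("IPAddress") or "")
    except ValueError:
        problems.append(f"no IPv4 address on {EXPECTED_NETWORK}")
        return problems
    if ip not in SUBNET:
        problems.append(f"{ip} is outside {SUBNET}")
    if ip == GATEWAY:
        problems.append(f"{ip} collides with the gateway address")
    if str(ip) != EXPECTED_IP:
        problems.append(f"address {ip} differs from the instance configured in Edge ({EXPECTED_IP})")
    # IPAMConfig.IPv4Address is only set when the address was pinned with --ip.
    if (net.get("IPAMConfig") or {}).get("IPv4Address") != str(ip):
        problems.append("address was assigned dynamically, not pinned with --ip; it may change on restart")
    return problems


if __name__ == "__main__":
    import subprocess
    import sys
    # Pass a container name to inspect a live container; otherwise the constructed sample is used.
    name = sys.argv[1] if len(sys.argv) > 1 else None
    data = subprocess.check_output(["docker", "inspect", name], text=True) if name else SAMPLE_INSPECT
    for line in check_container(data) or ["ok: reachable only through the docker network"]:
        print(line)
```

Run it as `python check_container.py catsdogs` after `docker run`; a container started with an extra `-p 8080:80`, or without `--ip`, is reported so the Edge instance configuration is never pointed at an address that can change or at a service that bypasses the gateway.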
Now we go into the UI and configure Edge to route traffic to that internal IP address.
- Create a new Service by clicking on “Services”
- Add an instance — we use the docker internal IP address 172.16.238.20
- Add a healthcheck so Edge can confirm the target is alive — http://172.16.238.20/
- Finally, click on API & Protection and add an endpoint, in our case we’re allowing all GET requests to pass so we added GET /.*
Edge can now talk to the internal container, so we just need to enable traffic. To do this we go to “Edge Gateway” in the menu on the left, then click on “API & Protection” where you can enable traffic.
Because we used the /.* routing, it is strongly recommended that you add a prefix to the group, in this case we added /catsdogs. This means that all traffic will be routed from http://localhost:8000/catsdogs/ to the target /.
From here you can require that the traffic be Authenticated, which will require a valid OAuth token, or you can create custom policies in the Access Policies tab.