Tags: docker, security, docker-swarm, database-administration

securely access docker container from the outside without exposing it


I'm currently setting up a docker swarm mode cluster with multiple nodes and stacks running on said nodes.

The only entry points of the nodes are the ports 80, 443 (front proxy) and 22 (ssh). All of my containers are isolated from the outside and connected to docker overlay networks (private vlan between nodes) for inter-container communications. It works great as long as I don't have to access a service from the outside.

[image: schema]

My current dilemma is how to securely administrate a mysql database running on my swarm mode cluster from a remote workstation without exposing the 3306 port to the Internet. Ideally I'd like to be able to simply type the container/service name into Workbench to reach the desired container instead of manually having to figure out the ip. Giving SSH access to the end computer isn't acceptable.

So far my lead would be to set up an openvpn server on my cluster that can reach all the containers' networks I wish to access from the outside and log in to this vpn on my workstation, but I'm not sure if that's the best approach.

How would you securely remote into your services without exposing them?


Solution

  • One convenient approach is VPN. But you need to expose your services and then on gateway/node firewall disallow from internet to internal access. If you are doing destination NAT, just don't publish the internal services (like mysql).

    Then you could assign an internal DNS name for each service which points to all nodes in the cluster, so no matter which node the container is running you could connect to the DNS name. This way you just have to connect your VPN (which will add the internal DNS settings to your workstation) and connect workbench to mysql or any other internal application.
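As an added example, not part of the question or the answer above: the "just don't publish the internal services" rule turned into a check. It takes the JSON array that `docker service inspect $(docker service ls -q)` prints and flags any service whose published ports go beyond the front-proxy ports 80 and 443. The sample below is constructed; the field layout it relies on (`Spec.Name`, `Endpoint.Ports[].PublishedPort` and `PublishMode`) is what `docker service inspect` emits, and the allowed-port set is an assumption taken from the question.

```python
import json
from typing import Dict, List

# Only the front proxy may be reachable from the outside (ports from the question).
ALLOWED_PUBLISHED = {80, 443}


def published_ports(service: dict) -> List[dict]:
    """Return the port mappings swarm actually publishes for one service.

    `docker service inspect` lists the resolved mappings under Endpoint.Ports;
    a service with nothing published (overlay network only) has no such key.
    """
    return service.get("Endpoint", {}).get("Ports", []) or []


def audit(services: List[dict]) -> Dict[str, List[int]]:
    """Map service name -> sorted published ports that should not be exposed."""
    findings: Dict[str, List[int]] = {}
    for svc in services:
        name = svc["Spec"]["Name"]
        bad = sorted(
            p["PublishedPort"]
            for p in published_ports(svc)
            if p.get("PublishedPort") and p["PublishedPort"] not in ALLOWED_PUBLISHED
        )
        if bad:
            findings[name] = bad
    return findings


# Constructed sample of `docker service inspect` output for three services:
# the front proxy (fine), a mysql service that wrongly publishes 3306 on the
# ingress mesh, and a mysql service attached only to the overlay network.
SAMPLE = json.loads("""[
 {"Spec": {"Name": "proxy_traefik"},
  "Endpoint": {"Ports": [
    {"Protocol": "tcp", "TargetPort": 80, "PublishedPort": 80, "PublishMode": "ingress"},
    {"Protocol": "tcp", "TargetPort": 443, "PublishedPort": 443, "PublishMode": "ingress"}]}},
 {"Spec": {"Name": "app_mysql_exposed"},
  "Endpoint": {"Ports": [
    {"Protocol": "tcp", "TargetPort": 3306, "PublishedPort": 3306, "PublishMode": "ingress"}]}},
 {"Spec": {"Name": "app_mysql_internal"},
  "Endpoint": {"VirtualIPs": [{"NetworkID": "constructed-net-id", "Addr": "10.0.1.5/24"}]}}
]""")

if __name__ == "__main__":
    for name, ports in audit(SAMPLE).items():
        print(f"{name}: publishes {ports} to the outside")
```

To run it against a real cluster, replace `SAMPLE` with `json.load(sys.stdin)` and pipe in `docker service inspect $(docker service ls -q)`.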