
Private Networking

It's good practice to put servers behind reverse proxies that can act as bastion hosts. The reverse proxies take the hits while passing legitimate traffic through to your important services.

With a fully featured cloud provider you can set up a virtual private cloud (VPC) where your servers have only private, non-routable IP addresses and can be reached only through a proxy. This is great and convenient, but for our purposes we don't want all our services hosted by a single cloud provider when our priorities are cost and control.

This situation is common in "multi-cloud" or "hybrid cloud" environments and there are many solutions in practice. Ours is to use an overlay network platform called Netbird.

About Netbird

How Netbird is leveraged for organizational privacy

To mitigate some of the threats an organization can face, like deplatforming and cyberattacks, we can

To reach our services over the Netbird network, we must make a few changes to the docker-compose.yml files of the applications.

1. Add Netbird container to stack.

Add this under the services: key of the docker-compose.yml file. Note: several lines are commented out in this example; they can be enabled for troubleshooting if needed.

  netbird:
    image: netbirdio/netbird:latest
    container_name: netbird
    restart: unless-stopped
    # Share the network namespace of the service container instead of
    # getting a network of its own (see step 2).
    network_mode: container:<name of container providing the service>
    environment:
      - NB_MANAGEMENT_URL=https://netbird.example.com
      - NB_SETUP_KEY=<your setup key>
    volumes:
      # Persists the peer identity so the container does not re-register
      # as a new peer on every restart.
      - ./netbird-client:/etc/netbird
    cap_add:
# Extra privileges only needed for troubleshooting:
#      - SYS_RESOURCE
#      - SYS_ADMIN
      # Required to create the WireGuard interface and routes.
      - NET_ADMIN
#    sysctls:
#      - net.ipv4.conf.all.src_valid_mark=1
    # Requires a healthcheck on the service; without one, service_healthy
    # never becomes true and the agent never starts.
    depends_on:
      <name of container providing the service>:
        condition: service_healthy

2. Make Netbird share the network stack of the service

Using network_mode: container: and referencing the container that provides the service makes the Netbird agent share that container's network namespace rather than getting a network of its own. The agent can therefore reach only what the service container can reach (its internal Docker network), and its Netbird interface lives inside that namespace, so peers on the Netbird network arrive directly at the port the service listens on.

If the service container doesn't have a container_name line, add one and use that name in the network_mode: container: line. The depends_on: part of the Netbird block refers to the compose service name, not the container_name, so keep the two identical. Alternatively, within one compose file you can write network_mode: service:<service name>, which compose resolves by service name.

3. Restrict ports

We must close off external access to the service's ports by adding 127.0.0.1: before the host port, so that a line like - "80:80" becomes - "127.0.0.1:80:80". This mapping belongs to the service container, not the Netbird container: it now answers only on the host's loopback interface, while Netbird peers reach the service inside the container's network namespace on the container port and never pass through this mapping at all.

    ports:
      - "127.0.0.1:80:80"

4. Test updated configuration

    docker compose up -d

If the agent container started successfully, a new peer appears in your Netbird management console. Feel free to rename the peer to something more recognizable.

5. Configure NGINX Proxy Manager

Lastly, configure NGINX Proxy Manager to forward a new subdomain to the peer's Netbird IP and the container port the service listens on (the right-hand side of the ports mapping, for example 80, not the host port).
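The following is an added example, not part of the original page or of the Netbird project: a complete compose stack laid out as steps 1 to 5 describe (a constructed "app" service with a healthcheck plus the Netbird sidecar), together with a pre-deploy audit that fails if any host port binding is not pinned to 127.0.0.1, and a helper that extracts the container-side port NGINX Proxy Manager should forward to. The service name "app", the nginx image, the host port 8080 and the management URL are assumptions for illustration; the setup key is read from the NB_SETUP_KEY environment variable.

```shell
#!/bin/sh
# Added example (not from the original page): a complete stack in the layout
# steps 1-5 describe, plus a check that no port is exposed beyond loopback.
set -eu

# Constructed compose file. "app" (nginx) is the service providing the service;
# netbird shares its network namespace and waits for its healthcheck.
write_example_compose() {
  cat > "$1" <<'EOF'
services:
  app:
    image: nginx:alpine
    container_name: app
    ports:
      - "127.0.0.1:8080:80"          # host-only; Netbird peers use port 80 directly
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1/"]
      interval: 10s
      timeout: 3s
      retries: 3
  netbird:
    image: netbirdio/netbird:latest
    container_name: netbird
    restart: unless-stopped
    network_mode: container:app      # same name as the service above
    environment:
      - NB_MANAGEMENT_URL=https://netbird.example.com   # assumed URL
      - NB_SETUP_KEY=${NB_SETUP_KEY}                     # from the environment
    volumes:
      - ./netbird-client:/etc/netbird
    cap_add:
      - NET_ADMIN
    depends_on:
      app:
        condition: service_healthy
EOF
}

# Audit: list every host port binding in a compose file that is not pinned to
# 127.0.0.1. Returns 0 if all bindings are loopback-only, 1 otherwise.
# Matches list items of the form - "HOST:CONTAINER", - "IP:HOST:CONTAINER",
# with or without quotes and an optional /tcp or /udp suffix.
audit_ports() {
  file="$1"
  exposed=$(grep -E '^[[:space:]]*-[[:space:]]*"?([0-9.]+:)?[0-9]+:[0-9]+(/(tcp|udp))?"?[[:space:]]*(#.*)?$' "$file" \
    | sed -E 's/^[[:space:]]*-[[:space:]]*"?//; s/"?[[:space:]]*(#.*)?$//' \
    | grep -v '^127\.0\.0\.1:' || true)
  if [ -n "$exposed" ]; then
    printf 'port bindings reachable from outside the host:\n%s\n' "$exposed" >&2
    return 1
  fi
  return 0
}

# The port NGINX Proxy Manager forwards to is the container-side port (after
# the last colon): Netbird traffic lands inside the container's namespace and
# never touches the host port mapping.
container_port() {
  printf '%s\n' "$1" | sed -E 's#^.*:([0-9]+)(/(tcp|udp))?$#\1#'
}

# Stand-alone usage: audit the compose file given as the first argument.
if [ "$#" -gt 0 ]; then
  audit_ports "$1" && echo "ok: all host ports bound to 127.0.0.1 only"
fi
```

Run it as `sh audit.sh docker-compose.yml` before `docker compose up -d`; a non-zero exit means a service would still be reachable on the host's public interfaces, which defeats the point of putting it behind Netbird.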

Managed versus Self-hosted