Introduction
Nomad provides powerful networking capabilities, including support for multi-interface configurations in Docker containers. This article guides you through a practical example of setting up such a network environment.
Expected Outcome
After completing the steps outlined in this guide, you will have:
- Successfully configured a Nomad client with multi-interface networking. This allows your Nomad client to communicate on multiple networks, providing flexibility and isolation for your applications.
- Deployed a Traefik job that leverages multi-interface networking. Traefik will be able to listen for HTTP traffic on your public network interface and admin traffic on your private network interface.
- Gained a practical understanding of how to use Nomad's host_networks feature. This knowledge can be applied to other use cases where you need to give your Nomad jobs access to multiple networks.
Prerequisites
Before you begin configuring multi-interface networking in Nomad, ensure you have the following:
- Nomad environment with CLI access: A running Nomad cluster with at least one client node.
- Docker installed: Docker should be installed on the Nomad client node where you intend to run the Traefik container.
- Network interfaces: The Nomad client node should have multiple network interfaces configured.
Use Case
Imagine you need to expose a service to the public internet while keeping its management interface secure and accessible only within your private network. This example shows how Nomad's multi-interface networking enables you to achieve this with Traefik. We'll configure a Nomad client with two interfaces and set up Traefik to listen for traffic on both networks, ensuring secure access control.
- Nomad Client Configuration: We'll assume a Nomad client with two network interfaces:
  - eth1: 10.10.51.211 (private network)
  - eth2: 10.10.40.222 (public network)
- Traefik Configuration: We'll configure Traefik, a popular reverse proxy and load balancer, to:
  - Listen for HTTP traffic on the public interface (eth2, 10.10.40.x network).
  - Listen for admin traffic on the private interface (eth1, 10.10.51.x network).
Procedure
- Configure Host Networks in Nomad Client
  - To enable multi-interface networking, define the host_networks in your Nomad client configuration. Add the following to the client block of your Nomad client configuration file, replacing the example values with your actual network interface names and CIDR blocks:

client {
  host_network "public" {
    cidr = "10.10.40.0/24"
  }

  host_network "private" {
    cidr = "10.10.51.0/24"
  }
}

- Deploy the Traefik Job
  - Deploy the Traefik job specification using Nomad. This job spec should configure Traefik to listen for HTTP traffic on the public network interface and admin traffic on the private network interface. You can use the host_network parameter within the Traefik job specification to specify which interface to use for each listener.

job "traefik" {
  region      = "global"
  datacenters = ["dc1"]
  type        = "service"

  group "traefik" {
    count = 1

    network {
      # Each port is allocated on the address of the named host_network.
      port "http" {
        static       = 8080
        host_network = "public"
      }

      port "admin" {
        static       = 8081
        host_network = "private"
      }
    }

    service {
      name = "traefik"

      check {
        name     = "alive"
        type     = "tcp"
        port     = "http"
        interval = "10s"
        timeout  = "2s"
      }
    }

    task "traefik" {
      driver = "docker"

      config {
        image = "traefik:v2.2"
        # Host networking: the container shares the client's network
        # namespace, so the entryPoints addresses in traefik.toml decide
        # which interfaces Traefik actually binds.
        network_mode = "host"

        volumes = [
          "local/traefik.toml:/etc/traefik/traefik.toml",
        ]
      }

      template {
        data = <<EOF
# An address with no host part (":8080") binds on all interfaces.
[entryPoints]
    [entryPoints.http]
    address = ":8080"
    [entryPoints.traefik]
    address = ":8081"

# Enable Consul Catalog configuration backend.
[providers.consulCatalog]
    prefix           = "traefik"
    exposedByDefault = false

    [providers.consulCatalog.endpoint]
      address = "127.0.0.1:8500"
      scheme  = "http"
EOF

        destination = "local/traefik.toml"
      }

      resources {
        cpu    = 100
        memory = 128
      }
    }
  }
}

- Verify Traefik Configuration
- Navigate to the Nomad UI. You should now see that Traefik is listening for admin traffic on the private interface's IP address (10.10.51.x) and HTTP traffic on the public interface's IP address (10.10.40.x).
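
The Nomad UI shows the address Nomad allocated for each port. Because the job runs with network_mode = "host" and the entry points are ":8080" and ":8081", it is also worth checking on the client which addresses the sockets are really bound to. The script below is an added example, not part of the original article: it compares `ss -ltnH` output against the two host_network CIDRs from this guide, and the sample lines in it are constructed.

```python
import ipaddress

# Port -> CIDR of the host_network it is assigned to in the job spec.
EXPECTED = {
    8080: ipaddress.ip_network("10.10.40.0/24"),  # host_network "public"
    8081: ipaddress.ip_network("10.10.51.0/24"),  # host_network "private"
}

# Constructed `ss -ltnH` samples (not captured from a real host).
WILDCARD_SAMPLE = """\
LISTEN 0 4096 10.10.51.211:4646 0.0.0.0:*
LISTEN 0 4096 *:8080 *:*
LISTEN 0 4096 0.0.0.0:8081 0.0.0.0:*
LISTEN 0 4096 [::]:8081 [::]:*
"""
PINNED_SAMPLE = """\
LISTEN 0 4096 10.10.40.222:8080 0.0.0.0:*
LISTEN 0 4096 10.10.51.211:8081 0.0.0.0:*
"""


def audit_listeners(ss_output, expected=EXPECTED):
    """Return (port, local_address, reason) for each listener on an expected
    port that is not bound inside that port's host_network CIDR."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, _, port = cols[3].rpartition(":")
        if not port.isdigit() or int(port) not in expected:
            continue
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets, %iface
        net = expected[int(port)]
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None  # ss prints "*" for a dual-stack wildcard socket
        if addr is None or addr.is_unspecified:
            findings.append((int(port), host, "wildcard bind"))
        elif addr not in net:
            findings.append((int(port), host, f"outside {net}"))
    return findings


if __name__ == "__main__":
    import subprocess, sys
    out = subprocess.run(["ss", "-ltnH"], capture_output=True, text=True).stdout
    problems = audit_listeners(out)
    for port, host, reason in problems:
        print(f"port {port} bound to {host}: {reason}")
    sys.exit(1 if problems else 0)
```

Run it on the Nomad client after the allocation is healthy. A non-zero exit means a listener on 8080 or 8081 is reachable on an address outside its intended network.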