Container Networking

On Cycle, containers are deployed into networks called environments. A container's specific network settings are managed using the container's network configuration.

Each container is assigned an IPv6 /96 address block, and each instance of the container is assigned a /112 subset of that block.

Private Traffic

Containers in an environment can communicate with other containers in the same environment over a private, encrypted network that is implicitly built when the environment is created. Containers utilize the discovery service for container-to-container communication via hostname.

Public Ingress Traffic

Inside an environment, the container sits behind a load balancer, which acts as the ingress and web application firewall (WAF) for all public traffic destined for the container.

Container Public Network Mode

A container can have its public network configured in one of three ways.

• disable (default): The container will never be allowed to talk to the internet, and the load balancer will never forward traffic to this container. Only communication with other containers in the same environment over the private network is allowed.
• egress-only: The container can send outbound traffic to the internet (and receive responses), but the load balancer will never forward traffic to this container.
• enable: The container can send traffic to the internet, and the load balancer will forward requests to the container.

Connecting to the Load Balancer

A container will receive public traffic from the load balancer automatically when

1. The public network mode is set to enable
2. A LINKED record is pointed at the container
3. A port is open on the container

Cycle handles the complexity of building and managing the underlying networking to make this work, even across cloud providers. No special configurations need to be done on the load balancer for the vast majority of cases.

Container Ports

Containers define their ports in the network configuration. A container port mapping follows the format:

[external port]:[container internal port]

such as

80:80
3000:80
7777:7777

When receiving public traffic, the left side is the port the load balancer accepts traffic on and the right side is the port inside the container. This is an important distinction when dealing with https traffic.

Opening ports on a public container automatically configures the load balancer to forward traffic over those ports to the container (assuming the traffic is directed to the container via a LINKED record). No customization on the load balancer is necessary to receive public traffic over a specific port.

Managing HTTPS Traffic

A special feature of the load balancer on Cycle is the automatic TLS termination for LINKED records. When a LINKED record is configured with TLS generation, the certificates are installed into the load balancer. The load balancer decrypts the traffic, and forwards the decrypted traffic to the container.

To configure a container to take advantage of this, the port configuration can be set to 443:80 to allow encrypted traffic via the load balancer on port 443, and forwarded to the container over port 80, with decryption happening in the middle.

This eliminates the need for applications to be concerned with decrypting TLS traffic.

Advanced Networking with SDNs

For more advanced container networking between environments, see Networks (SDNs).

Get Started with Container Networking on Cycle

For an in-depth guide on configuring a publically accessible container, see our getting started guide.

For accessing container network configurations on Cycle, check out the interface-specific documentaion:

• Portal
• API