Home Explore Blog CI



docker
1st chunk of `content/manuals/engine/swarm/ingress.md`
ab2ad346f1be8a36d2efae1c7ef934a11a20b20cc916fe9a0000000100000c55
---
description: Use the routing mesh to publish services externally to a swarm
keywords: guide, swarm mode, swarm, network, ingress, routing mesh
title: Use Swarm mode routing mesh
---

Docker Engine Swarm mode makes it easy to publish ports for services to make
them available to resources outside the swarm. All nodes participate in an
ingress routing mesh. The routing mesh enables each node in the swarm to
accept connections on published ports for any service running in the swarm, even
if there's no task running on the node. The routing mesh routes all
incoming requests to published ports on available nodes to an active container.

To use the ingress network in the swarm, you need to have the following
ports open between the swarm nodes before you enable Swarm mode:

* Port `7946` TCP/UDP for container network discovery.
* Port `4789` UDP (configurable) for the container ingress network.

When setting up networking in a Swarm, special care should be taken. Consult
the [tutorial](swarm-tutorial/_index.md#open-protocols-and-ports-between-the-hosts)
for an overview.

You must also open the published port between the swarm nodes and any external
resources, such as an external load balancer, that require access to the port.

You can also [bypass the routing mesh](#bypass-the-routing-mesh) for a given
service.

## Publish a port for a service

Use the `--publish` flag to publish a port when you create a service. `target`
is used to specify the port inside the container, and `published` is used to
specify the port to bind on the routing mesh. If you leave off the `published`
port, a random high-numbered port is bound for each service task. You
need to inspect the task to determine the port.

```console
$ docker service create \
  --name <SERVICE-NAME> \
  --publish published=<PUBLISHED-PORT>,target=<CONTAINER-PORT> \
  <IMAGE>
```

> [!NOTE]
>
> The older form of this syntax is a colon-separated string, where
> the published port is first and the target port is second, such as
> `-p 8080:80`. The new syntax is preferred because it is easier to read and
> allows more flexibility.

The `<PUBLISHED-PORT>` is the port where the swarm makes the service available.
If you omit it, a random high-numbered port is bound.
The `<CONTAINER-PORT>` is the port where the container listens. This parameter
is required.

For example, the following command publishes port 80 in the nginx container to
port 8080 for any node in the swarm:

```console
$ docker service create \
  --name my-web \
  --publish published=8080,target=80 \
  --replicas 2 \
  nginx
```

When you access port 8080 on any node, Docker routes your request to an active
container. On the swarm nodes themselves, port 8080 may not actually be bound,
but the routing mesh knows how to route the traffic and prevents any port
conflicts from happening.

The routing mesh listens on the published port for any IP address assigned to
the node. For externally routable IP addresses, the port is available from
outside the host. For all other IP addresses the access is only available from
within the host.
Title: Publishing Ports in Docker Swarm Mode
Summary
Docker Engine Swarm mode allows publishing ports for services to be accessible from outside the swarm through an ingress routing mesh. This mesh enables any node to accept connections on published ports and routes requests to active containers. To use the ingress network, specific ports must be open between swarm nodes (TCP/UDP 7946 and UDP 4789). The `--publish` flag is used to specify the published and target ports when creating a service, directing traffic to the container's port. An example illustrates publishing port 80 of an nginx container to port 8080 on all swarm nodes.