Issue
I am deploying Docker containers on VCHs (Virtual Container Hosts) in VMware VIC on vCenter. I would normally use Traefik as a proxy to control the ingress, but this is not possible in VIC, as VIC does not allow access to the docker.sock API. What is the de facto way to control ingress traffic for each container?
Solution
I think I figured this out. The answer lies in container networks. There is really no need to use NAT or a proxy server to publish ports when it comes to VIC.
The first step is to create a layer 3 routable container port group in vSphere (the port group that I created in vSphere is called 'vic-containers').
The second step is to then create a VCH with a layer 3 routable container network that is attached to the newly created container port group:
vic-machine-operating_system create \
    --target 'Administrator@vsphere.local':password@vcenter_server_address/dc1 \
    --compute-resource cluster1 \
    --image-store datastore1 \
    --bridge-network vch1-bridge \
    --public-network vic-public \
    --public-network-ip 192.168.1.10/24 \
    --public-network-gateway 192.168.1.1 \
    --client-network vic-client \
    --client-network-ip 192.168.2.10/24 \
    --client-network-gateway 192.168.2.0/24,192.168.128.0/24:192.168.2.1 \
    --management-network vic-management \
    --management-network-ip 192.168.3.10/24 \
    --management-network-gateway 192.168.3.0/24,192.168.128.0/24:192.168.3.1 \
    --dns-server 192.168.10.10 \
    --dns-server 192.168.10.11 \
    --container-network vic-containers:container-network \
    --container-network-gateway vic-containers:192.168.100.1/24 \
    --container-network-dns vic-containers:192.168.100.10 \
    --container-network-dns vic-containers:192.168.100.11 \
    --container-network-ip-range vic-containers:192.168.100.0/24 \
    --container-network-firewall vic-containers:outbound \
    --thumbprint certificate_thumbprint \
    --name vch1 \
    --asymmetric-routes
The third step is to then create a docker container, publish a port, attach it to the container network and assign it a static IP address:
docker -H 192.168.3.10:2375 create -p 80 --name nginx nginx
docker -H 192.168.3.10:2375 network connect --ip 192.168.100.11 container-network nginx
docker -H 192.168.3.10:2375 start nginx
Answered By - Shōgun8 Answer Checked By - Terry (PHPFixing Volunteer)
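An added example, not part of the original answer: a pre-flight check in Python that parses the `--container-network-*` options from the command above and tests the planned `docker network connect --ip` attachment against them, using the firewall trust levels as the VIC documentation describes them. The function names are hypothetical, and the IP range is assumed to be written in CIDR form as it is on this page.

```python
import ipaddress
import shlex

# Trust levels that, per the VIC documentation, refuse connections from outside.
BLOCKS_INBOUND = {"closed", "outbound", "peers"}

# Container-network options copied from the vic-machine command above.
VIC_ARGS = """
--container-network vic-containers:container-network
--container-network-gateway vic-containers:192.168.100.1/24
--container-network-dns vic-containers:192.168.100.10
--container-network-dns vic-containers:192.168.100.11
--container-network-ip-range vic-containers:192.168.100.0/24
--container-network-firewall vic-containers:outbound
"""

def parse_container_networks(vic_args):
    """Group --container-network-* options by port group ('published' is VIC's default level)."""
    nets, tokens = {}, shlex.split(vic_args)
    for opt, val in zip(tokens, tokens[1:]):
        if not opt.startswith("--container-network"):
            continue
        group, _, setting = val.partition(":")
        net = nets.setdefault(group, {"firewall": "published", "dns": []})
        key = opt[len("--container-network"):].lstrip("-") or "alias"
        if key == "dns":
            net["dns"].append(setting)
        else:
            net[key] = setting
    return nets

def check_attachment(nets, alias, static_ip, published_ports):
    """Findings for one `docker network connect --ip` (ip-range assumed to be CIDR)."""
    net = next((n for n in nets.values() if n.get("alias") == alias), None)
    if net is None:
        return [f"no container network has the alias {alias!r}"]
    findings, ip = [], ipaddress.ip_address(static_ip)
    if "ip-range" in net and ip not in ipaddress.ip_network(net["ip-range"], strict=False):
        findings.append(f"{ip} is outside ip-range {net['ip-range']}")
    if "gateway" in net and ip == ipaddress.ip_interface(net["gateway"]).ip:
        findings.append(f"{ip} is the container network gateway")
    if static_ip in net["dns"]:
        findings.append(f"{ip} is also a container network DNS server")
    if published_ports and net["firewall"] in BLOCKS_INBOUND:
        findings.append(f"firewall level {net['firewall']!r} blocks outside "
                        f"connections to published ports {published_ports}")
    return findings

if __name__ == "__main__":
    print(check_attachment(parse_container_networks(VIC_ARGS), "container-network", "192.168.100.11", [80]))
```

Run against the values on this page, the check reports that 192.168.100.11 is also listed as a container-network DNS server and that the `outbound` level does not admit connections to the published port; with the level set to `published` and an unused address it reports nothing.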