How to make Traefik expose its ports only on a specified Docker network
Absolutely, you can configure Traefik to expose its ports only on a targeted Docker network (even with dynamic IPs assigned to Traefik within that network). This is fully supported via Traefik's Docker provider settings and container network isolation—here's how to implement it properly:
Core Concept
We’ll combine two key configurations:
- Restrict Traefik’s Docker provider to only monitor services on your specific `traefik-net` network.
- Isolate the Traefik container so its ports are only reachable within that network (no exposure to the host or other Docker networks).
Step-by-Step Configuration
1. Launch Traefik with Target Network Only
When starting your Traefik container, ensure it only joins your traefik-net network (avoid adding it to the default bridge or other networks). Also, skip port mapping to the host (this prevents exposing Traefik’s ports outside the Docker network):
```bash
# Everything after the image name is passed to Traefik itself:
#   --providers.docker.network=traefik-net       configure the Docker provider to only watch traefik-net
#   --providers.docker.exposedbydefault=false    disable automatic service discovery
#                                                (only services with traefik.enable=true are handled)
#   --entrypoints.*.address                      bind entrypoints to the container's internal interfaces
#                                                (only reachable within the network)
# No -p options are given, so nothing is published on the host.
docker run -d \
  --name traefik \
  --network traefik-net \
  -v /var/run/docker.sock:/var/run/docker.sock \
  traefik:v2.10 \
  --providers.docker=true \
  --providers.docker.network=traefik-net \
  --providers.docker.exposedbydefault=false \
  --entrypoints.web.address=:80 \
  --entrypoints.websecure.address=:443
```
2. Remove Traefik from Unwanted Networks (If Needed)
If Traefik was previously connected to other networks (like the default bridge), disconnect it to enforce isolation:
```bash
docker network disconnect bridge traefik
```
3. Verify the Setup
- Spin up a test container connected to `traefik-net` and try accessing Traefik’s internal IP (you can get this via `docker inspect traefik | grep "IPAddress"` for the `traefik-net` network) on port 80—this should work.
- Try accessing the same IP from a container not on `traefik-net`, or directly from your host—this should fail, confirming Traefik’s ports are only exposed within the target network.
Key Notes
- The `--providers.docker.network=traefik-net` flag is critical: it tells Traefik’s Docker provider to only discover and route traffic for services connected to this network.
- Skipping `-p` port mappings ensures Traefik’s ports aren’t exposed to your host’s external interfaces.
- Using `--providers.docker.exposedbydefault=false` adds an extra layer of control—you’ll need to explicitly set `traefik.enable=true` on services you want Traefik to handle.
The question comes from Stack Exchange; asked by Bogdan.
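The isolation that steps 1 and 2 aim for can also be checked statically from saved `docker inspect traefik` output, alongside the connectivity test in step 3. The script below is an added example, not part of the original answer: `audit_container` and both sample entries are constructed for illustration, while the field names (`HostConfig.PortBindings`, `NetworkSettings.Ports`, `NetworkSettings.Networks`) are those of Docker's inspect JSON.

```python
import json
import sys

def audit_container(entry, allowed_network="traefik-net"):
    """Return isolation findings for one `docker inspect` entry (empty list = OK)."""
    host_cfg = entry.get("HostConfig") or {}
    net = entry.get("NetworkSettings") or {}
    findings = []
    if host_cfg.get("NetworkMode") == "host":
        findings.append("container uses host networking")
    if host_cfg.get("PublishAllPorts"):
        findings.append("PublishAllPorts (-P) is set")
    # A non-empty binding list means the port was mapped to the host with -p.
    published = set()
    for table in (host_cfg.get("PortBindings"), net.get("Ports")):
        for port, bindings in (table or {}).items():
            for binding in bindings or []:
                published.add(f"{port} -> host port {binding.get('HostPort')}")
    findings += [f"port published to host: {p}" for p in sorted(published)]
    networks = net.get("Networks") or {}
    if allowed_network not in networks:
        findings.append(f"not attached to {allowed_network}")
    findings += [f"attached to extra network: {n}"
                 for n in sorted(set(networks) - {allowed_network})]
    return findings

# Constructed samples (not real output): one isolated container, one started with -p 80:80
# and still attached to the default bridge.
SAMPLE_ISOLATED = {
    "Name": "/traefik",
    "HostConfig": {"NetworkMode": "traefik-net", "PortBindings": {}, "PublishAllPorts": False},
    "NetworkSettings": {"Ports": {"80/tcp": None, "443/tcp": None},
                        "Networks": {"traefik-net": {"IPAddress": "172.18.0.2"}}},
}
SAMPLE_EXPOSED = {
    "Name": "/traefik",
    "HostConfig": {"NetworkMode": "bridge", "PublishAllPorts": False,
                   "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]}},
    "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}], "443/tcp": None},
                        "Networks": {"bridge": {"IPAddress": "172.17.0.2"},
                                     "traefik-net": {"IPAddress": "172.18.0.2"}}},
}

if __name__ == "__main__":
    # With a file argument, audit saved `docker inspect` JSON; otherwise use the samples.
    entries = [SAMPLE_ISOLATED, SAMPLE_EXPOSED]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            entries = json.load(fh)
    for entry in entries:
        print(entry.get("Name"), audit_container(entry) or "OK")
```

An empty result means the container has no host port mappings and is attached only to `traefik-net`; each finding names the setting to remove.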




