Docker Compose is a powerful tool for defining and running multi-container Docker applications. Two important concepts in Docker Compose are ports and expose, which are used to control how containers communicate with each other and the outside world. In this tutorial, we will explore the differences between ports and expose and learn how to use them effectively in our Docker Compose configurations.
Ports
The ports directive in a Docker Compose file is used to expose a container’s port to the host machine. This allows external traffic to reach the container. When you specify a port mapping using ports, Docker will create a forwarding rule that directs traffic from the specified host port to the corresponding container port.
For example, consider the following docker-compose.yml snippet:
mysql:
image: mysql:5.7
ports:
- "3306"
In this case, the MySQL container will listen on port 3306, and Docker will forward traffic from the host machine’s port 3306 to the container’s port 3306.
You can also specify a range of ports or use a random available port by omitting the host port. For instance:
mysql:
image: mysql:5.7
ports:
- "3306-3310"
or
mysql:
image: mysql:5.7
ports:
- "3306"
In the latter case, Docker will choose an available host port and forward traffic to the container’s port 3306.
Expose
The expose directive in a Docker Compose file is used to expose a container’s port to other containers within the same network. This allows containers to communicate with each other without exposing their ports to the outside world.
For example, consider the following docker-compose.yml snippet:
mysql:
image: mysql:5.7
expose:
- "3306"
In this case, the MySQL container will listen on port 3306, but only other containers within the same network can access it.
Note that expose does not publish the port to the host machine. If you want to access the container from outside the Docker network, you need to use ports.
Key differences
Here are the key differences between ports and expose:
- Purpose:
portsis used to expose a container’s port to the host machine, whileexposeis used to expose a container’s port to other containers within the same network. - Accessibility: Ports exposed using
portsare accessible from outside the Docker network, while ports exposed usingexposeare only accessible from within the Docker network. - Security: Using
exposeinstead ofportscan improve security by limiting access to sensitive services and reducing the attack surface.
Best practices
Here are some best practices for using ports and expose:
- Use
portssparingly, only exposing ports that need to be accessed from outside the Docker network. - Use
exposeto expose ports to other containers within the same network, reducing the attack surface and improving security. - Consider using a user-defined bridge network to isolate your containers and limit access to sensitive services.
By following these best practices and understanding the differences between ports and expose, you can create more secure and scalable Docker Compose configurations that meet your application’s needs.