Profile Applicability:

  • Level 1

Description:

Separate the swarm's management plane traffic from its data plane traffic. The management plane carries swarm control traffic (the manager API and Raft replication on TCP 2377 and node gossip on port 7946), which Docker binds to the address given by --advertise-addr. The data plane carries the overlay-network traffic between containers (VXLAN on UDP 4789), which can be bound to a different address with --data-path-addr. Putting the two planes on separate interfaces isolates swarm management from application traffic, which improves both security and performance.

Rationale:

Keeping the two kinds of traffic on separate interfaces allows each to be monitored, filtered and rate-limited on its own. A burst or flood of container traffic on the overlay networks (including one generated by a compromised container) then cannot starve manager-to-manager and manager-to-worker communication, and the firewall rules protecting the management ports (2377 and 7946) can be applied to the management interface alone. The management plane stays reachable even when the data plane is saturated.

Impact:

Each node needs two network interfaces (or at least two addresses on separate networks), one for management plane traffic and one for data plane traffic. The --data-path-addr option is accepted only by docker swarm init and docker swarm join, so a node that is already in the swarm must leave and rejoin to change it.

Default Value:

By default, Docker does not separate management plane traffic from data plane traffic: when --data-path-addr is not given, overlay-network traffic uses the same address as --advertise-addr.

Pre-requisites:

  • You must have access to configure network interfaces and Docker swarm nodes.

  • Administrative privileges on the Docker swarm.

Remediation:

Test Plan:

Using AWS Console:

  • Connect to each swarm node.

  • Verify that the management plane and data plane are using separate IP addresses. On a manager node, the following command prints the address the node uses for swarm management:

    • docker node inspect --format '{{ .Status.Addr }}' self

    docker node commands only work on managers; on a worker, use docker info --format '{{ .Swarm.NodeAddr }}' instead. Compare the printed address with the node's interface addresses (ip -4 -o addr show): it should belong to the management interface, and the data interface should carry a different address. A node with only one address fails this check.

Using AWS CLI:

  • Connect to the EC2 instance.

  • Run the following command on a manager node to print the node's swarm management address (on a worker, use docker info --format '{{ .Swarm.NodeAddr }}'):

    • docker node inspect --format '{{ .Status.Addr }}' self

    As in the console check, confirm that this address belongs to the management interface and that the data interface carries a different address.

Implementation Plan:

Using AWS Console:

  • Connect to the swarm manager node.

  • Initialize the swarm with dedicated addresses for the management and data planes by running the following command. The addresses shown are placeholders; use the addresses of the node's management interface and data interface respectively:

    • docker swarm init --advertise-addr=192.168.0.1 --data-path-addr=17.1.0.3

  • Join every other node with docker swarm join using that node's own --advertise-addr and --data-path-addr. The setting is per node and is not inherited from the manager, so a worker joined without --data-path-addr still carries both planes on one address.

Using AWS CLI:

  • Use SSM to run the command to initialize the swarm with separate interfaces for management and data plane traffic:

    • aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker swarm init --advertise-addr=192.168.0.1 --data-path-addr=17.1.0.3"]'
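The following script is an added example written for this page; it is not part of the benchmark text and not Docker's own tooling. It derives the two addresses from interface names instead of hard-coding them, refuses to start a node whose planes would share one address, additionally binds the manager API to the management address with --listen-addr, covers the worker join that the steps above leave implicit, and provides the audit check described in the Test Plan above. The interface names eth0 (management) and eth1 (data) and the sample addresses used in the comments are assumptions; substitute the node's real interfaces.

```shell
#!/bin/sh
# Added helper script (not from the benchmark or from Docker). Assumes eth0 is
# the management interface and eth1 the data interface (constructed names;
# pass the node's real ones as arguments).

# iface_ipv4 IFACE IP_ADDR_OUTPUT: first IPv4 address on IFACE, taken from
# the output of `ip -4 -o addr show` (field 2 is the interface name, field 4
# the address with its prefix length).
iface_ipv4() {
    printf '%s\n' "$2" | awk -v i="$1" '$2 == i { split($4, a, "/"); print a[1]; exit }'
}

# check_plane_separation MGMT_ADDR MGMT_IF DATA_IF IP_ADDR_OUTPUT
# Returns 0 when the swarm management address is bound to MGMT_IF and DATA_IF
# carries a different IPv4 address; returns 1 otherwise.
check_plane_separation() {
    mgmt_on_if=$(iface_ipv4 "$2" "$4"); data_on_if=$(iface_ipv4 "$3" "$4")
    [ -n "$mgmt_on_if" ] || { echo "FAIL: no IPv4 address on $2"; return 1; }
    [ -n "$data_on_if" ] || { echo "FAIL: no IPv4 address on $3 (single-homed node)"; return 1; }
    [ "$1" = "$mgmt_on_if" ] || { echo "FAIL: swarm address $1 is not bound to $2"; return 1; }
    [ "$1" != "$data_on_if" ] || { echo "FAIL: management and data plane share $1"; return 1; }
    echo "PASS: management on $2 ($1), data plane on $3 ($data_on_if)"
}

# audit_node [MGMT_IF] [DATA_IF]: live check on the current node. `docker info`
# is used rather than `docker node inspect` because the latter only works on
# manager nodes.
audit_node() {
    addr=$(docker info --format '{{ .Swarm.NodeAddr }}') || return 1
    check_plane_separation "$addr" "${1:-eth0}" "${2:-eth1}" "$(ip -4 -o addr show)"
}

# plane_args MGMT_IF DATA_IF IP_ADDR_OUTPUT: the init/join flags for a node.
# The manager API (TCP 2377) is also bound to the management address only.
# Refuses to emit flags that would put both planes on one address.
plane_args() {
    m=$(iface_ipv4 "$1" "$3"); d=$(iface_ipv4 "$2" "$3")
    [ -n "$m" ] && [ -n "$d" ] || { echo "no IPv4 address on $1 or $2" >&2; return 1; }
    [ "$m" != "$d" ] || { echo "management and data plane would both use $m" >&2; return 1; }
    printf '%s %s %s\n' "--advertise-addr=$m" "--listen-addr=$m:2377" "--data-path-addr=$d"
}

# swarm_init_separated [MGMT_IF] [DATA_IF]: run on the first manager.
swarm_init_separated() {
    args=$(plane_args "${1:-eth0}" "${2:-eth1}" "$(ip -4 -o addr show)") || return 1
    # $args is intentionally unquoted: it holds three separate flags.
    docker swarm init $args
}

# swarm_join_separated TOKEN MANAGER [MGMT_IF] [DATA_IF]: run on every other
# node. TOKEN comes from `docker swarm join-token worker -q` (or `manager -q`)
# on an existing manager; MANAGER is that manager's management-plane address
# and port, e.g. 192.168.0.1:2377 (placeholder).
swarm_join_separated() {
    args=$(plane_args "${3:-eth0}" "${4:-eth1}" "$(ip -4 -o addr show)") || return 1
    docker swarm join --token "$1" $args "$2"
}
```

Run swarm_init_separated on the first manager, then swarm_join_separated with the join token and the manager's management address on each remaining node, and audit_node on every node afterwards. check_plane_separation and plane_args take the ip output as an argument, so they can be exercised against captured output from a host without touching a live swarm.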

Backout Plan:

Using AWS Console:

  • Connect to the swarm manager node.

  • Revert to the default by leaving the swarm and re-initializing it without the --data-path-addr option. Note that docker swarm leave --force on the last manager discards the swarm state (services, secrets, configs and overlay networks); workers must rejoin the new swarm and stacks must be redeployed:

    • docker swarm leave --force

    • docker swarm init --advertise-addr=192.168.0.1

Using AWS CLI:

  • Use SSM to run the command to revert the configuration (the same caveat applies: this discards the existing swarm state):

    • aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker swarm leave --force && docker swarm init --advertise-addr=192.168.0.1"]'

References: