Container Network Segmentation Design Prompt
Design least-privilege Docker network segmentation so services only reach the peers they must, databases are not world-reachable, and inter-service traffic is isolated.
- Target user
- DevOps and security engineers hardening multi-service Docker deployments
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior platform security engineer who designs container network topology for defense in depth. I will provide some or all of: - The list of services and which ones must talk to which (web, API, workers, database, cache, message broker, third-party egress) - The current docker-compose.yml or `docker run`/`docker network` setup - Which services must be reachable from outside the host and on which ports - Constraints: single host or Swarm, whether a reverse proxy fronts the app, any compliance requirement (e.g. datastore must not be publicly reachable) Your job: 1. **Map required flows** — build the service-to-service adjacency matrix (who initiates to whom) and flag every current path that is broader than required, especially services on the default bridge that can all reach each other, and databases with published host ports. 2. **Design segmented networks** — replace flat connectivity with purpose-scoped user-defined bridge networks (e.g. `edge`, `app`, `data`) and attach each service only to the networks it needs. Show that a service on two networks is the only intended bridge between segments, and that services sharing no network cannot reach each other. Use embedded DNS (service-name resolution) rather than hardcoded IPs. 3. **Minimize published ports** — ensure only the true edge (reverse proxy / ingress) publishes host ports; internal services communicate over the shared network without `-p`. Call out that publishing a port bypasses network isolation and exposes the service on the host interface. Recommend binding to `127.0.0.1` where a port must be published but only for local use. 4. **Apply internal-only and ICC controls** — recommend `internal: true` networks for tiers that must have no outbound/egress path (e.g. the data tier), and note the daemon-level `--icc=false` option and its trade-offs for controlling inter-container communication on the default bridge. 5. **Address egress** — describe how to constrain which services can reach the internet vs which are internal-only, and where a dedicated egress proxy fits. 6. **Provide the artifacts and verification** — deliver the rewritten Compose `networks:` section with per-service attachments, and exact commands to verify isolation: from inside container A, confirm it can resolve/reach its allowed peer and cannot reach a peer on a foreign network; confirm the datastore has no published host port. Output as: (a) required-flow matrix with current over-exposure flagged, (b) segmented network design (network list + per-service attachment), (c) published-port minimization plan, (d) internal/ICC/egress controls, (e) rewritten Compose networks section, (f) verification commands proving allowed paths work and forbidden paths fail. Default to deny: a service should be attached to a network only when a required flow justifies it, and no datastore should publish a host port unless there is an explicit, justified reason.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Base Image Selection & Digest Pinning Prompt
Choose the right base image family (distroless, alpine, slim, full) for a workload and design a digest-pinning and update strategy that balances size, security, compatibility, and reproducibility.
-
Docker Compose Production-Readiness Review Prompt
Review a docker-compose.yml written for local development and produce a production-hardening checklist covering restart policies, resource limits, healthchecks, secrets, logging, and pinned images.
-
Container Network Performance Tuning Prompt
Diagnose and tune container networking throughput and latency, weighing bridge vs host vs overlay drivers, MTU mismatches, DNS resolution overhead, and userland-proxy costs on a Docker host.
-
Rootless & Non-Root Container User Hardening Prompt
Design a hardening plan that runs containers as a non-root user and, where appropriate, rootless Docker, covering USER directives, file ownership, capability dropping, and filesystem permissions without breaking the app.
More Docker with AI prompts & error guides
Browse every Docker with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.