This is a very weird phenomenon that I found out about the other day. When people make container images, they usually EXPOSE certain ports by default.
I used to think that if you don't publish these ports (with the -p flag in docker run, or the ports section in docker-compose) you won't be able to access them. It turned out that this is wrong.
When a container is attached to a Docker network, even if it does not publish any ports to the host, it will still listen for and accept connections from other containers in the same Docker network, through the default ports specified in the Docker image.
This comes in quite handy for adding a layer of security to ElasticSearch, which does not have authentication of its own (at least in the free version). You can simply not publish ElasticSearch's ports (so that it doesn't receive external connections), but still use them inside a Docker network. In this setup, tools like Grafana can still query ElasticSearch, while ElasticSearch itself stays protected from intruders.
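
A Compose file for the setup described above, as an added example that is not from the original post. The service names, the `backend` network name, the `ES_VERSION` variable and the loopback binding for Grafana are assumptions.

```yaml
# Added example: service names, the "backend" network and ES_VERSION are assumptions.
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:${ES_VERSION:?set ES_VERSION}
    environment:
      - discovery.type=single-node
    networks:
      - backend
    # No "ports:" section, so nothing is mapped on the host.
    # The variant to avoid would be:
    # ports:
    #   - "9200:9200"   # publishes ElasticSearch on every host interface
    expose:
      - "9200"          # documents the port; does not publish it to the host

  grafana:
    image: grafana/grafana
    networks:
      - backend
    ports:
      - "127.0.0.1:3000:3000"   # only Grafana is reachable from the host
    # In Grafana, the data source URL is http://elasticsearch:9200;
    # the service name resolves through Docker's DNS on the shared network.

networks:
  backend:
    driver: bridge
```

After `docker compose up -d`, `docker compose ps` should list `9200/tcp` for elasticsearch with no host address in front of it, while grafana shows `127.0.0.1:3000->3000/tcp`.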