Module 15 Lesson 2: Capstone: The Infrastructure
·DevOps


Laying the groundwork. Build the complex Docker Compose and networking YAML that will power the GlobalHealth Connect platform.

Module 15 Lesson 2: Capstone - The Infrastructure

Today we build the "skeleton" of the GlobalHealth platform: a Compose stack that uses multiple networks to segment traffic between tiers and Docker secrets to keep the database password out of environment variables, image layers and the Compose file itself.

1. The Multi-Network Compose File

version: '3.8'

services:
  gateway:
    image: nginx:alpine
    ports:
      - "80:80"
    networks:
      - public_net

  frontend:
    build: ./frontend
    networks:
      - public_net
      - api_net

  backend:
    build: ./backend
    secrets:
      - db_password
    environment:
      # Compose does not run shell substitution, so "$(cat ...)" would reach
      # the container as a literal string. Hand the application the *path*
      # of the mounted secret and let it read the password at startup.
      - DB_HOST=db
      - DB_PORT=5432
      - DB_NAME=patients
      - DB_USER=health_user
      - DB_PASSWORD_FILE=/run/secrets/db_password
    networks:
      - api_net
      - data_net
    depends_on:
      db:
        condition: service_healthy

  db:
    image: postgres:15-alpine
    secrets:
      - db_password
    environment:
      - POSTGRES_USER=health_user
      - POSTGRES_DB=patients
      # The official image reads the password from this file, so the
      # password is never placed in the container's environment.
      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
    healthcheck:
      # Check the role and database the backend will actually use.
      test: ["CMD-SHELL", "pg_isready -U health_user -d patients"]
      interval: 5s
      timeout: 3s
      retries: 5
    networks:
      - data_net
    volumes:
      - pg_data:/var/lib/postgresql/data

networks:
  public_net:
  api_net:
  data_net:
    internal: true  # NO route to the outside world for anything on this network

volumes:
  pg_data:

secrets:
  db_password:
    file: ./db_password.txt  # created on the host in Section 3; under Swarm,
                             # load it with "docker secret create" and use
                             # "external: true" here instead

2. Why this is Secure

  1. Isolation: A gateway that gets compromised can only talk to the frontend. public_net and data_net are separate bridge networks with no route between them, so from the gateway the name db does not even resolve and a ping never leaves the network. Reaching the database means pivoting gateway -> frontend -> backend -> db, compromising each hop in turn.
  2. Internal Flag: data_net has no external gateway, so even a fully compromised db container cannot "call home" to send patient data to an attacker's server. Note the caveat: the backend sits on both api_net and data_net and does have egress, so a compromised backend, not the isolated db, is the realistic exfiltration path.
  3. Secrets: The password is mounted as a file under /run/secrets instead of being set in the environment, so it does not show up in docker inspect, in docker compose config, or in /proc/<pid>/environ of every process in the container. With plain Compose the secret is still a file on the host (keep it mode 600 and out of git); only Swarm stores it encrypted and delivers it to the container over an in-memory tmpfs mount.
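To check the three claims above without starting the stack, here is an added example (my code, not part of the GlobalHealth course files). It models the Compose file from Section 1 as a plain Python dict, which is a constructed copy that must be kept in sync by hand (no YAML library is assumed), and computes one-hop reachability, the shortest pivot chain between two services, and which services have a route out to the internet.

```python
"""Check the segmentation claims of a Compose file: which service can reach
which, and which services have a route to the outside world.

Added example, not part of the lesson's own files. The stack is modelled as
a plain dict mirroring the Compose file in Section 1 (no YAML parser needed).
"""
from collections import deque

# Constructed model of the Compose file: service -> networks it joins.
SERVICES = {
    "gateway":  ["public_net"],
    "frontend": ["public_net", "api_net"],
    "backend":  ["api_net", "data_net"],
    "db":       ["data_net"],
}
NETWORKS = {
    "public_net": {"internal": False},
    "api_net":    {"internal": False},
    "data_net":   {"internal": True},
}


def directly_reachable(service, services=SERVICES):
    """Services sharing at least one network with `service` (one hop).

    This is exactly what Docker's embedded DNS will resolve and what a
    `ping` from inside the container can hit."""
    mine = set(services[service])
    return sorted(s for s, nets in services.items()
                  if s != service and mine & set(nets))


def pivot_path(src, dst, services=SERVICES):
    """Shortest chain of compromises needed to get from src to dst, or None.

    Breadth-first search over the one-hop reachability graph."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in directly_reachable(cur, services):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def has_egress(service, services=SERVICES, networks=NETWORKS):
    """True if the service sits on at least one non-internal network,
    i.e. the container can open connections to the internet."""
    return any(not networks[n]["internal"] for n in services[service])


def report(services=SERVICES, networks=NETWORKS):
    """Summarise reachability and egress for every service."""
    return {
        s: {
            "reaches": directly_reachable(s, services),
            "egress": has_egress(s, services, networks),
        }
        for s in services
    }


if __name__ == "__main__":
    for name, info in report().items():
        print(f"{name:9} reaches={info['reaches']} egress={info['egress']}")
    print("gateway -> db pivot:", pivot_path("gateway", "db"))
```

Run it and note two things: db is reachable only from backend and has no egress, but backend does have egress. That is the caveat from point 2 made concrete: the database is boxed in, but the service that holds its credentials is not.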

3. Preparing the Secrets

On your host machine, create the secret file before the stack can start. Generate the password instead of typing one, write it without a trailing newline (echo would add one, and not every database client strips it), and lock the file down:

openssl rand -base64 32 | tr -d '\n' > db_password.txt
chmod 600 db_password.txt

Add db_password.txt to .gitignore so it is never committed. If you deploy with Swarm, load the same file into the cluster with docker secret create db_password db_password.txt and switch the secret definition in the Compose file to external: true.
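The backend has to read that file itself, because Compose will not expand "$(cat /run/secrets/db_password)" inside an environment value. Here is an added example of that startup step (my code, not the course's backend), following the *_FILE convention the official postgres image uses: an assumed variable DB_PASSWORD_FILE names the mounted secret, and the other DB_* variable names are assumptions chosen to match this lesson. The demo simulates the mount with a temporary file, which is constructed input.

```python
"""Read the database password from the secret file Compose mounts under
/run/secrets, never from a literal in the Compose file.

Added example, not the course's backend code. Assumed convention: the
environment variable DB_PASSWORD_FILE holds the path of the mounted secret
(same pattern as POSTGRES_PASSWORD_FILE in the official postgres image)."""
import os
import tempfile
from urllib.parse import quote


class SecretError(RuntimeError):
    """Raised when a required secret cannot be located."""


def read_secret(var, env=None):
    """Return the secret named by VAR.

    Prefers VAR_FILE (path of a mounted secret) and falls back to a plain
    VAR environment variable for local development only. Trailing newlines
    are stripped because `echo` leaves one behind and the database would
    treat it as part of the password."""
    env = os.environ if env is None else env
    path = env.get(f"{var}_FILE")
    if path:
        if not os.path.isfile(path):
            raise SecretError(f"{var}_FILE points at {path!r}, which does not exist")
        with open(path, encoding="utf-8") as fh:
            return fh.read().rstrip("\r\n")
    if var in env:
        return env[var]
    raise SecretError(f"neither {var}_FILE nor {var} is set")


def build_db_url(env=None):
    """Assemble the libpq connection URL from the individual settings.

    The password is URL-quoted so characters like '@' or '/' produced by a
    random generator cannot break the URL or land in a log as a hostname."""
    env = os.environ if env is None else env
    user = env.get("DB_USER", "health_user")
    host = env.get("DB_HOST", "db")
    port = env.get("DB_PORT", "5432")
    name = env.get("DB_NAME", "patients")
    password = read_secret("DB_PASSWORD", env)
    return f"postgres://{user}:{quote(password, safe='')}@{host}:{port}/{name}"


def demo():
    """Simulate the mounted secret with a temp file (constructed input)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "db_password")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("p@ss/word\n")  # trailing newline, as echo would write it
        os.chmod(secret, 0o600)
        env = {"DB_PASSWORD_FILE": secret, "DB_HOST": "db"}
        return build_db_url(env)


if __name__ == "__main__":
    print(demo())
```

Keep the fallback to a plain DB_PASSWORD variable for developer laptops only; in the Compose stack above only the *_FILE path is set, so the password never enters the process environment.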

Exercise: The Network Test

  1. Write the docker-compose.yml above.
  2. Try to add a 5th container called hacker to the public_net.
  3. Try to ping db from the hacker container. It should fail: the name db will not even resolve, because Docker's DNS only answers for containers that share a network with you.
  4. Why is the depends_on: db: condition: service_healthy (Section 1) better than just a simple depends_on: [db]?
  5. What would happen if you forgot to declare the pg_data volume? (Hint: a plain restart keeps the container and its anonymous volume, so recreate it instead with docker compose down followed by docker compose up, and see if your patients still exist.)

Summary

Infrastructure is the silent protector of your code. By architecting your networks and secrets before you write a single line of application code, you ensure that your platform is "Secure by Design."

Next Lesson: Hardening the Code: Building Protected Images (Hardening, Multi-stage).
