12.1.3.4 Dev Exposed Ports
A focused guide to Dev Exposed Ports, connecting core concepts with practical Docker and container operations.
Dev exposed ports make a development service's internal port directly accessible from the host. This is a convenience commonly applied to databases, caches, and similar dependencies during local development. In production, most internal services typically don't need the same direct host-level exposure.
Why Direct Port Exposure Is Convenient During Development
A developer often wants to connect directly to a local database or cache using their own preferred client tool, something only possible if that service's port is actually exposed to the host.
services:
  db:
    image: postgres:16
    ports:
      - "5432:5432"
This exposure allows a developer to connect with psql or a GUI database client directly from their own machine, independent of the application itself.
Why Production Typically Doesn't Need This Same Exposure
In production, a database is typically only accessed by the application services that need it, communicating over the internal Compose (or equivalent) network — there's usually no legitimate need to expose its port directly to anything outside that internal network.
services:
  db:
    image: postgres:16
Without an explicit ports entry, this production database remains reachable only by other services on the same internal network, a more appropriately scoped configuration for that context.
Why Exposing Ports Unnecessarily in Production Would Be a Security Concern
Directly exposing a database's port to the broader network in production would create unnecessary attack surface, providing a potential point of unauthorized access that simply isn't needed for the application to function correctly.
nmap -p 5432 production-host
A production host responding on this port, when it shouldn't need to, would represent exactly this kind of unnecessary exposure.
Documenting Why Dev-Specific Port Exposure Exists
Making clear, through comments or documentation, that a given ports entry is specifically a development convenience helps avoid it being inadvertently carried over into a production configuration.
services:
  db:
    image: postgres:16
    ports:
      - "5432:5432"  # dev convenience only; not needed in production
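One way to catch a dev-only ports entry before it reaches production, as an added example rather than code from the original page: it reads the output of docker compose config --format json and lists every published port, noting whether it is bound to loopback or is reachable from the network. The sample input, the function names and the allowed_services parameter are assumptions made for this illustration.

```python
import ipaddress
import json

# Constructed sample in the shape `docker compose config --format json` renders:
# db publishes on every host interface, cache on loopback only, api not at all.
SAMPLE_RENDERED = json.dumps({"services": {
    "api": {"image": "example/api:1.0"},
    "db": {"image": "postgres:16", "ports": [
        {"mode": "ingress", "target": 5432, "published": "5432", "protocol": "tcp"}]},
    "cache": {"image": "redis:7", "ports": [
        {"mode": "ingress", "host_ip": "127.0.0.1", "target": 6379,
         "published": "6379", "protocol": "tcp"}]},
}})


def published_ports(rendered_json):
    """Return (service, host_ip, published, target, scope) for each published port."""
    findings = []
    services = json.loads(rendered_json).get("services") or {}
    for name in sorted(services):
        for entry in services[name].get("ports") or []:
            if not isinstance(entry, dict):
                # Not the normalized long form: report it rather than guess.
                findings.append((name, None, str(entry), None, "unparsed"))
                continue
            # With no host_ip, Docker by default binds on all host interfaces.
            host_ip = entry.get("host_ip") or "0.0.0.0"
            try:
                loopback = ipaddress.ip_address(host_ip).is_loopback
            except ValueError:
                loopback = False  # unknown value: treat as network-reachable
            scope = "loopback" if loopback else "network"
            findings.append((name, host_ip, entry.get("published"),
                             entry.get("target"), scope))
    return findings


def production_violations(rendered_json, allowed_services=()):
    """Published ports on services not explicitly allowed to be reachable."""
    return [f for f in published_ports(rendered_json)
            if f[0] not in allowed_services]


if __name__ == "__main__":
    for service, host_ip, published, target, scope in production_violations(
            SAMPLE_RENDERED, allowed_services=("api",)):
        print(f"{service}: {host_ip}:{published} -> {target} ({scope})")
```

Run against the rendered production configuration in CI, a non-empty result from production_violations is a reason to fail the build.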
Why Dev Exposed Ports Matter
Exposing ports deliberately for development convenience is reasonable, provided that exposure doesn't carry over into production, where it would represent unnecessary attack surface. Keeping that distinction clear between the two deployment contexts is what matters.