7.1.2.4 Service Published Ports
A focused guide to Service Published Ports, connecting core concepts with practical Docker and container operations.
Service published ports are the specific subset of a multi-container application's ports that are deliberately exposed to the host (and potentially the external network), reserved for services that genuinely need to be reachable from outside the Docker network itself.
Deciding Which Services Need Published Ports
In a typical multi-container application, only the services directly facing external traffic — a web server, a public API — need their ports published; internal services like a database or cache typically do not.
docker run -d --name api --network app-network -p 8080:8080 myapi:1.0
docker run -d --name db --network app-network postgres:16
api is published to the host because external clients must reach it; db is not, because only api (and any other container on app-network) needs to reach it, and they can do so by container name over the shared network without any host port.
Why Minimizing Published Ports Improves Security
Every published port represents an additional point of entry from outside the Docker network; deliberately limiting published ports to only what genuinely needs external access reduces the application's overall externally reachable surface.
docker ps --format 'table {{.Names}}\t{{.Ports}}'
Reviewing which containers actually have published ports is a useful way to audit whether the current configuration matches the intended, minimal external exposure.
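The audit described above, turned into a small script (an added example, not code from the original page): it parses the text that `docker ps --format '{{.Names}}\t{{.Ports}}'` prints, lists the containers that actually have a host mapping, flags any that are not on an explicit allow-list, and separately flags mappings bound to every host interface rather than to loopback (the `-p 127.0.0.1:8081:8080` form). The allow-list and the sample `docker ps` output are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original page: audit which containers have
# published ports and flag any that are not on an explicit allow-list.
# Input is the text that `docker ps --format '{{.Names}}\t{{.Ports}}'` prints;
# the sample below is constructed so the script runs without a Docker daemon.

# Constructed sample: api and admin-panel are published, db and cache only
# expose ports inside the Docker network (no "->" host mapping).
sample_ps_output() {
    printf 'api\t0.0.0.0:8080->8080/tcp, :::8080->8080/tcp\n'
    printf 'admin-panel\t127.0.0.1:8081->8080/tcp\n'
    printf 'db\t5432/tcp\n'
    printf 'cache\t6379/tcp\n'
}

# Print the names of containers that have at least one host->container mapping.
# A Ports column without "->" means the port is exposed but not published.
published_containers() {
    awk -F'\t' '$2 ~ /->/ { print $1 }'
}

# Usage: unexpected_published "api admin-panel" < ps_output
# Prints every published container whose name is not in the allow-list.
unexpected_published() {
    allow=" $1 "
    published_containers | while IFS= read -r name; do
        case "$allow" in
            *" $name "*) ;;            # expected to be published
            *) echo "$name" ;;         # published but not on the allow-list
        esac
    done
}

# Usage: bound_to_all_interfaces < ps_output
# Prints containers whose published port is bound to every host interface
# (0.0.0.0 or ::), as opposed to a loopback bind like 127.0.0.1:8081->8080.
bound_to_all_interfaces() {
    awk -F'\t' '$2 ~ /(0\.0\.0\.0:|:::)[0-9]+->/ { print $1 }'
}

# Stand-alone run against the constructed sample.
echo "published:"; sample_ps_output | published_containers
echo "published but not on allow-list (allow-list: api admin-panel):"
sample_ps_output | unexpected_published "api admin-panel"
echo "bound to all host interfaces:"; sample_ps_output | bound_to_all_interfaces
```

On a real host, replace `sample_ps_output` with `docker ps --format '{{.Names}}\t{{.Ports}}'` and keep the allow-list in version control next to the deployment definition so drift is visible.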
Publishing Different Services to Different Host Ports
When multiple services do need external access, each can be published to its own distinct host port, avoiding collisions while keeping each service's external entry point clearly identifiable.
docker run -d --name api -p 8080:8080 myapi:1.0
docker run -d --name admin-panel -p 8081:8080 admin-panel:1.0
Why Service Published Ports Matter
Deliberately and minimally choosing which services in a multi-container application actually need published ports — rather than publishing every container's ports by default — is an important security and architectural consideration, keeping the application's externally reachable surface limited to exactly what's genuinely needed.