software

🚀 Secure Your Microservices: API Gateway + Docker Private Networks

Published: (December 10, 2025 at 09:51 AM EST)
3 min read
Source: Dev.to

Source: Dev.to

🚀 A practical guide for developers building their first distributed system

When building microservices for the first time, most developers focus on features, scaling, or breaking the monolith — but almost nobody talks about security architecture. That’s where things can go wrong. While developing my own distributed system, I discovered that several internal APIs — and even the PostgreSQL database — were accidentally exposed to the public. 😬

So I implemented a simple, production‑ready pattern: API Gateway + Docker Private Networks. This post shows how (and why) I did it, and how you can use the same approach in your own projects.

The Real Problem: Microservices Accidentally Exposing Everything

Diagram of exposed services

Typical beginner setups look like this:

  • Each service is exposed on its own port
  • The client talks to everything directly
  • The database may also be exposed
  • No central control or routing

This creates security issues, debugging complexity, and a messy architecture.

Part 1 — The API Gateway: Your Single Entry Point

Why the API Gateway is critical

API Gateway concept

How it works

  • The client sends a single request to the Gateway.
  • The Gateway decides which service should handle it.
  • It forwards the request inside the private Docker network.
  • Internal URLs are never exposed to the outside world.

A Gateway is not just a fancy router — it becomes the front door to your entire system.

Why it matters

  • One place for authentication
  • One place for routing
  • Internal services remain hidden
  • Cleaner code and better control

Instead of calling each service directly:

http://localhost:3000/orders
http://localhost:4000/reports

the client only calls:

http://gateway/api/orders

The Gateway forwards the request internally, so your services never need to be exposed.

Part 2 — Docker Private Networks (The Physical Security Layer)

How Docker networks protect your system

Docker private network diagram

Why this matters

Without a private network, Docker exposes containers to the host machine. With a private network:

  • Only the Gateway is reachable from outside
  • All internal traffic stays inside the network
  • Databases cannot be accessed directly

Putting services into a private Docker network prevents the outside world from reaching anything except what you explicitly expose.

Benefits

  • Internal‑only communication
  • Zero accidental port exposure
  • Database fully isolated
  • Clean, professional architecture

Even if someone bypasses the Gateway (rare), they still can’t access Service A, B, or the database because those containers are not on a public network.

Combining the Two: A Simple, Solid Security Pattern

How the full architecture works together

Full architecture diagram

When you combine:

  • Logical Security (API Gateway)
  • Physical Security (Private Network)

you get a microservices architecture that is both simple and robust — without Kubernetes, a service mesh, or heavy DevOps tooling.

Client

API Gateway

Private Docker Network
 ├── Service A
 ├── Service B
 └── Database

Only the Gateway is public; everything else is safely tucked away behind it.

Minimal Docker Compose Example (Copy/Paste Ready)

services:
  api-gateway:
    build: ./gateway
    ports:
      - "8080:8080"
    networks:
      - public_net
      - private_net

  service-a:
    build: ./service-a
    expose:
      - "3000"
    networks:
      - private_net

  service-b:
    build: ./service-b
    expose:
      - "4000"
    networks:
      - private_net

  internal-db:
    image: postgres:16
    expose:
      - "5432"
    environment:
      POSTGRES_PASSWORD: password
    networks:
      - private_net

networks:
  public_net:
  private_net:

Key takeaways

  • Only the Gateway has published ports → public
  • Internal services use expose → private
  • Everything sits inside private_net
  • Clean, secure architecture with minimal configuration

What I Learned

  • Zero accidental exposure of internal services
  • A secure, predictable entry point
  • Faster debugging
  • Easier onboarding for teammates
  • A scalable foundation for future services
  • Professional‑level architecture with beginner‑friendly tools

Final Thoughts

This architecture may look simple — and that’s exactly why it works. You don’t need Kubernetes, a service mesh, or complex DevOps setups to build a secure and scalable distributed system.

Start with:

  • One API Gateway
  • One private Docker network

This foundation will naturally support your system as it grows.

Simple. Clean. Secure. Effective.

Back to Blog

Related posts

Read more »