May 19, 2026
A Practical Introduction to SwarmCLI Business Edition Feature: Secure Port Forwarding
Learn how to securely tunnel local traffic to private Docker Swarm services without exposing public ports or managing brittle SSH tunnels, using SwarmCLI Business Edition.

When developing or debugging services in a production or staging cluster, one challenge always stands out: How do you securely connect to a private service inside the cluster from your local machine?
Whether you need to query an internal PostgreSQL database, inspect a Redis cache, or access a private admin panel, you generally want to avoid exposing these services to the public internet via the Swarm Ingress mesh.
Natively, Docker Swarm does not offer a simple way to achieve this. Developers are often forced to choose between security risks (exposing ports publicly) or operational overhead (setting up brittle, manual SSH tunnels).
In this article, we will explore the limitations of native Docker Swarm remote access and introduce a game-changing feature in SwarmCLI Business Edition (BE): native, secure Port Forwarding directly from your terminal UI.
The Dilemma: Remote Access in Native Docker Swarm
To understand why SwarmCLI’s port forwarding is so powerful, let's examine the three traditional methods developers use to connect to private Swarm services, and why they fall short.
1. The Ingress Mesh (Publishing Ports Publicly)
The easiest way is to add a published port in your docker-compose.yml stack definition:
services:
  db:
    image: postgres:16-alpine
    ports:
      - '5432:5432'
- The Problem: This exposes your database port (5432) on every single node in the Swarm cluster. Anyone who can reach a node, whether from the public internet or the local network, can attempt to connect to it. For enterprise databases or internal caches, this is a massive security hazard.
2. Host Mode Publishing
You can restrict the port exposure to the specific node running the container using host mode:
services:
  db:
    image: postgres:16-alpine
    ports:
      - target: 5432
        published: 5432
        protocol: tcp
        mode: host
- The Problem: While safer, it still exposes the port on that node's public interface. Furthermore, if Docker Swarm reschedules your container to another node due to a failover or rolling update, the port moves with it, breaking your connection.
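To find services that still publish ports in either of the two modes above, the following added example (not SwarmCLI or Docker code) audits the JSON printed by `docker service inspect`. The sample data is constructed, and port 8443 is a placeholder for the one port allowed to stay published.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// port and service are the subset of `docker service inspect` JSON the audit needs.
type port struct{ Protocol, PublishMode string; PublishedPort int }
type service struct {
	Spec     struct{ Name string }
	Endpoint struct{ Ports []port }
}

// sampleInspect is constructed data; 8443 is a placeholder for an allowed port.
const sampleInspect = `[
 {"Spec":{"Name":"app_db"},"Endpoint":{"Ports":[{"Protocol":"tcp","TargetPort":5432,"PublishedPort":5432,"PublishMode":"ingress"}]}},
 {"Spec":{"Name":"app_cache"},"Endpoint":{"Ports":[{"Protocol":"tcp","TargetPort":6379,"PublishedPort":6379,"PublishMode":"host"}]}},
 {"Spec":{"Name":"app_proxy"},"Endpoint":{"Ports":[{"Protocol":"tcp","TargetPort":8443,"PublishedPort":8443,"PublishMode":"ingress"}]}}
]`

// AuditPublished lists published ports outside the allowed set. Ingress mode
// means every node listens; host mode means only the node running the task.
func AuditPublished(inspectJSON []byte, allowed map[int]bool) ([]string, error) {
	var svcs []service
	if err := json.Unmarshal(inspectJSON, &svcs); err != nil {
		return nil, err
	}
	var findings []string
	for _, s := range svcs {
		for _, p := range s.Endpoint.Ports {
			if allowed[p.PublishedPort] {
				continue
			}
			findings = append(findings, fmt.Sprintf("%s: %d/%s (%s mode)", s.Spec.Name, p.PublishedPort, p.Protocol, p.PublishMode))
		}
	}
	return findings, nil
}

func main() {
	findings, err := AuditPublished([]byte(sampleInspect), map[int]bool{8443: true})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Real input comes from `docker service inspect $(docker service ls -q)` on a manager node.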
3. Manual SSH Tunneling
To bypass public exposure, you can set up a secure SSH tunnel to a manager node:
ssh -L 5433:10.0.1.15:5432 user@swarm-manager-node
- The Problem: This is incredibly tedious. You must first find the internal container IP (which changes every time a task restarts) and identify which manager/worker node currently runs the task. Additionally, it requires distributing SSH keys to every developer on the team, increasing the cluster's attack surface.
In the Kubernetes world, developers use kubectl port-forward to instantly tunnel into a pod via the API server. Until now, Docker Swarm had no equivalent.
Enter SwarmCLI Secure Port Forwarding
SwarmCLI Business Edition bridges this developer experience gap by introducing native Port Forwarding. Under the hood, SwarmCLI uses its bootstrapped RBAC Proxy to open a TLS-encrypted TCP tunnel directly to the target container running inside the Swarm overlay network.
Because it tunnels through the managed TLS context of the RBAC Proxy:
- Zero exposed public ports: Your database or cache stays completely private on its overlay network.
- No SSH keys required: Developers only need authorized access to the SwarmCLI proxy context.
- Dynamic IP resolution: SwarmCLI automatically resolves the dynamic, internal overlay IPs for you.
Here is a conceptual look at how these commands are defined and registered under the hood in the SwarmCLI registry:
// PortForwards opens the active-forwards list view in the TUI.
type PortForwards struct{}

func (PortForwards) Name() string        { return "port-forwards" }
func (PortForwards) Description() string { return "Show active port-forwards" }

// pfAlias defines the high-performance :pf shortcut.
type pfAlias struct{}

func (pfAlias) Name() string    { return "pf" }
func (pfAlias) AliasOf() string { return "port-forwards" }
This clean architecture registers a new command :port-forwards (with its high-performance shortcut :pf inspired by Kubernetes/K9s workflows) that navigates to a dedicated view listing all active tunnels.
Step-by-Step: Tunneling to Your Services
Let's walk through how to configure and run your first secure port forward using SwarmCLI.
Step 1: Bootstrapping (First-Time Users)
If this is your first time using SwarmCLI Business Edition, you will need to activate your license and set up your secure proxy environment.
- Download the latest BE binary from our Installation Guide.
- Grab your license key from the SwarmCLI Portal.
- Bootstrap the secure environment by typing the command:
  :bootstrap
- Connect to your secure proxy context:
  :context
Step 2: Navigate to Your Service
Once your secure context is active, navigate to the Stacks view, highlight the desired stack, and press Enter to inspect the services running within it.
Step 3: Initiate Port Forwarding (Shift + W)
Highlight the specific service container you wish to forward (for example, a PostgreSQL service).
- Press Shift + W to trigger the Port Forward wizard.
- Enter your desired Local Port (e.g., 5433 on your host machine).
- Enter the target Container Port (e.g., 5432 inside the database container).
Press Enter to establish the tunnel. SwarmCLI will now bind to your local port and start forwarding connections over the TLS proxy link.
Step 4: Manage Active Forwards (:pf)
To view all of your active tunnels, monitor throughput, or terminate a connection, use the high-performance command shortcut:
:pf
(Or the full command :port-forwards)
Step 5: Test Your Local Connection
Your service is now accessible on localhost! You can connect using standard client applications (like TablePlus or DBeaver) or verify the tunnel using telnet directly in another terminal:
$ telnet localhost 5433
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
You can now query databases, view internal API responses, and run diagnostics locally, completely safe from public intrusion.
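The article does not say which local address the forward binds to, so it is worth confirming that the listener on the local port is loopback-only and not reachable from the rest of your network. This added example (not SwarmCLI code) checks constructed Linux `ss -ltn` output for the example port 5433.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// sampleSS is constructed `ss -ltn` output; 5433 is the article's local port.
const sampleSS = `State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096       127.0.0.1:5433      0.0.0.0:*
LISTEN 0      4096            [::]:5433         [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*`

// ExposedListeners returns the local addresses listening on port that are
// not loopback, i.e. reachable by other hosts on the network.
func ExposedListeners(ssOutput, port string) []string {
	var exposed []string
	sc := bufio.NewScanner(strings.NewReader(ssOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 || f[0] != "LISTEN" {
			continue // header or non-listening socket
		}
		i := strings.LastIndex(f[3], ":")
		if i < 0 || f[3][i+1:] != port {
			continue
		}
		host := strings.Trim(f[3][:i], "[]")
		if z := strings.Index(host, "%"); z >= 0 {
			host = host[:z] // drop an interface zone such as %lo
		}
		ip := net.ParseIP(host) // nil for "*", which is a wildcard bind
		if ip == nil || !ip.IsLoopback() {
			exposed = append(exposed, f[3])
		}
	}
	return exposed
}

func main() {
	for _, a := range ExposedListeners(sampleSS, "5433") {
		fmt.Println("not loopback-only:", a)
	}
}
```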
Security Benefits of SwarmCLI Port Forwarding
Using SwarmCLI’s built-in tunneling offers several enterprise-grade advantages:
[!IMPORTANT] Minimal Attack Surface: By closing all ingress ports except the secure RBAC Proxy TLS port, you prevent automated scanners, bots, and bad actors from discovering or attacking your private data layer.
[!TIP] Role-Based Access Control (RBAC): In upcoming releases, administrators will be able to restrict which developers are permitted to initiate port forwards on specific stacks, ensuring strict compliance and isolation rules.
Conclusion
SwarmCLI Business Edition is designed to bring modern, container-native ergonomics to simple and efficient Docker Swarm architectures. By introducing native Port Forwarding via Shift + W and :pf, we’ve removed the complexity and security risks of remote development.
Upgrade your cluster management today, close down those risky public ingress ports, and experience the simplicity of secure terminal-native tunneling.
Ready to try it out? Visit our Business Edition Page to start your free trial.