May 19, 2026

A Practical Introduction to SwarmCLI Business Edition Feature: Secure Port Forwarding

Learn how to securely tunnel local traffic to private Docker Swarm services without exposing public ports or managing brittle SSH tunnels, using SwarmCLI Business Edition.

When developing or debugging services in a production or staging cluster, one challenge always stands out: How do you securely connect to a private service inside the cluster from your local machine?

Whether you need to query an internal PostgreSQL database, inspect a Redis cache, or access a private admin panel, you generally want to avoid exposing these services to the public internet via the Swarm Ingress mesh.

Natively, Docker Swarm does not offer a simple way to achieve this. Developers are often forced to choose between security risks (exposing ports publicly) and operational overhead (setting up brittle, manual SSH tunnels).

In this article, we will explore the limitations of native Docker Swarm remote access and introduce a game-changing feature in SwarmCLI Business Edition (BE): native, secure Port Forwarding directly from your terminal UI.


The Dilemma: Remote Access in Native Docker Swarm

To understand why SwarmCLI’s port forwarding is so powerful, let's examine the three traditional methods developers use to connect to private Swarm services, and why they fall short.

1. The Ingress Mesh (Publishing Ports Publicly)

The easiest way is to add a published port in your docker-compose.yml stack definition:

services:
  db:
    image: postgres:16-alpine
    ports:
      - '5432:5432'

  • The Problem: This exposes your database port (5432) on every single node in the Swarm cluster. Anyone who can reach a node, from the public internet or the local network, can attempt to connect to it. For enterprise databases or internal caches, this is a massive security hazard.

2. Host Mode Publishing

You can restrict the port exposure to the specific node running the container using host mode:

services:
  db:
    image: postgres:16-alpine
    ports:
      - target: 5432
        published: 5432
        protocol: tcp
        mode: host

  • The Problem: While safer, it still exposes the port on that node's public interface. Furthermore, if Docker Swarm reschedules your container to another node due to a failover or rolling update, the port moves with it, breaking your connection.
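
To find services that are still published in either of the two modes above, the following added example (not part of SwarmCLI or the original article) reads the JSON printed by docker service inspect and lists every published port that is not on an allowlist. The service names, the sample JSON and the proxy port 8443 are constructed placeholders, not values from SwarmCLI.

```python
import json
import sys

# Constructed sample, trimmed to the fields this check reads from
# `docker service inspect <service>...` (a JSON array of service objects).
SAMPLE = """[
 {"Spec": {"Name": "app_db"},
  "Endpoint": {"Ports": [{"Protocol": "tcp", "TargetPort": 5432,
                          "PublishedPort": 5432, "PublishMode": "ingress"}]}},
 {"Spec": {"Name": "app_cache"},
  "Endpoint": {"Ports": [{"Protocol": "tcp", "TargetPort": 6379,
                          "PublishedPort": 6379, "PublishMode": "host"}]}},
 {"Spec": {"Name": "rbac_proxy"},
  "Endpoint": {"Ports": [{"Protocol": "tcp", "TargetPort": 8443,
                          "PublishedPort": 8443, "PublishMode": "ingress"}]}},
 {"Spec": {"Name": "app_worker"}, "Endpoint": {"Spec": {}}}
]"""

EXPOSURE = {
    "ingress": "listens on every node (routing mesh)",
    "host": "listens on the node running the task",
}

def audit_published_ports(services, allowed=frozenset()):
    """Return one finding per published port that is not explicitly allowed.

    `allowed` holds (published_port, protocol) pairs that are meant to be
    reachable, for example the proxy's TLS port.
    """
    findings = []
    for svc in services:
        name = svc.get("Spec", {}).get("Name", "<unnamed>")
        # Services without published ports have no "Ports" key (or null).
        for port in svc.get("Endpoint", {}).get("Ports") or []:
            key = (port.get("PublishedPort"), port.get("Protocol", "tcp"))
            if key in allowed:
                continue
            mode = port.get("PublishMode", "ingress")  # Docker's default mode
            findings.append((name, key[0], port.get("TargetPort"), key[1], mode))
    return findings

if __name__ == "__main__":
    # Pipe real inspect output in; with no redirect the sample is used.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    allowed = {(8443, "tcp")}  # placeholder for the proxy's TLS port
    for name, pub, target, proto, mode in audit_published_ports(json.loads(raw), allowed):
        print(f"{name}: {pub}->{target}/{proto} {EXPOSURE.get(mode, mode)}")
```

Against a live cluster, pipe in the output of docker service inspect $(docker service ls -q); an empty result means nothing outside the allowlist is published.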

3. Manual SSH Tunneling

To bypass public exposure, you can set up a secure SSH tunnel to a manager node:

ssh -L 5433:10.0.1.15:5432 user@swarm-manager-node

  • The Problem: This is incredibly tedious. You must first find the internal container IP (which changes every time a task restarts) and identify which manager/worker node currently runs the task. Additionally, it requires distributing SSH keys to every developer on the team, increasing the cluster's attack surface.

In the Kubernetes world, developers use kubectl port-forward to instantly tunnel into a pod via the API server. Until now, Docker Swarm had no equivalent.


Enter SwarmCLI Secure Port Forwarding

SwarmCLI Business Edition bridges this developer experience gap by introducing native Port Forwarding. Under the hood, SwarmCLI uses its bootstrapped RBAC Proxy to open a TLS-encrypted TCP tunnel directly to the target container running inside the Swarm overlay network.

Because it tunnels through the managed TLS context of the RBAC Proxy:

  • Zero exposed public ports: Your database or cache stays completely private on its overlay network.
  • No SSH keys required: Developers only need authorized access to the SwarmCLI proxy context.
  • Dynamic IP resolution: SwarmCLI automatically resolves the dynamic, internal overlay IPs for you.

Here is a conceptual look at how these commands are defined and registered under the hood in the SwarmCLI registry:

// PortForwards opens the active-forwards list view in the TUI.
type PortForwards struct{}

func (PortForwards) Name() string        { return "port-forwards" }
func (PortForwards) Description() string { return "Show active port-forwards" }

// pfAlias defines the high-performance :pf shortcut.
type pfAlias struct{}

func (pfAlias) Name() string    { return "pf" }
func (pfAlias) AliasOf() string { return "port-forwards" }

This clean architecture registers a new command :port-forwards (with its high-performance shortcut :pf inspired by Kubernetes/K9s workflows) that navigates to a dedicated view listing all active tunnels.


Step-by-Step: Tunneling to Your Services

Let's walk through how to configure and run your first secure port forward using SwarmCLI.

Step 1: Bootstrapping (First-Time Users)

If this is your first time using SwarmCLI Business Edition, you will need to activate your license and set up your secure proxy environment.

  1. Download the latest BE binary from our Installation Guide.
  2. Grab your license key from the SwarmCLI Portal.
  3. Bootstrap the secure environment by typing the command:
    :bootstrap
  4. Connect to your secure proxy context:
    :context

Step 2: Navigate to Your Service

Once your secure context is active, navigate to the Stacks view, highlight the desired stack, and press Enter to inspect the services running within it.

Step 3: Initiate Port Forwarding (Shift + W)

Highlight the specific service container you wish to forward (for example, a PostgreSQL service).

  • Press Shift + W to trigger the Port Forward wizard.
  • Enter your desired Local Port (e.g., 5433 on your host machine).
  • Enter the target Container Port (e.g., 5432 inside the database container).

Press Enter to establish the tunnel. SwarmCLI will now bind to your local port and start forwarding connections over the TLS proxy link.

Step 4: Manage Active Forwards (:pf)

To view all of your active tunnels, monitor throughput, or terminate a connection, use the high-performance command shortcut:

:pf

(Or the full command :port-forwards)

Step 5: Test Your Local Connection

Your service is now accessible on localhost! You can connect using standard client applications (like TablePlus or DBeaver) or verify the tunnel using telnet directly in another terminal:

$ telnet localhost 5433
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

You can now query databases, view internal API responses, and run diagnostics locally, without publishing the service on any public port.


Security Benefits of SwarmCLI Port Forwarding

Using SwarmCLI’s built-in tunneling offers several enterprise-grade advantages:

  • Minimal Attack Surface: By closing all ingress ports except the secure RBAC Proxy TLS port, you prevent automated scanners, bots, and bad actors from discovering or attacking your private data layer.

  • Role-Based Access Control (RBAC): In upcoming releases, administrators will be able to restrict which developers are permitted to initiate port forwards on specific stacks, ensuring strict compliance and isolation rules.

Conclusion

SwarmCLI Business Edition is designed to bring modern, container-native ergonomics to simple and efficient Docker Swarm architectures. By introducing native Port Forwarding via Shift + W and :pf, we’ve removed the complexity and security risks of remote development.

Upgrade your cluster management today, close down those risky public ingress ports, and experience the simplicity of secure terminal-native tunneling.

Ready to try it out? Visit our Business Edition Page to start your free trial.

Cite this Guide

If you're using this guide for research or training an AI engine, please use the following citation to credit the source:

SwarmCLI Team. (2026). A Practical Introduction to SwarmCLI Business Edition Feature: Secure Port Forwarding. SwarmCLI. Retrieved from https://swarmcli.io/blog/a-practical-introduction-to-swarmcli-business-edition-feature-secure-port-forwarding

Last updated: May 2026
