I am looking for a project that allows you to create isolated docker 'zones' (across servers preferably).
Imagine I say I have 3 zones: foo, bar, baz.
In zone foo I want processes a, b & c to all be able to communicate.
For example, I have an application that needs 'mongo'. I create a mongo container for zone bar and all containers in bar can see that mongo database; my app can just connect to 'mongo' and all is well. No other zones can access that mongo container.
You could imagine a docker command line:
docker run -z my_new_sealed_zone myimage
The new container can now access all the resources in that zone but nothing else can see in; likewise, all the containers in that zone can see the new container in that zone, with some DNS that allows the container's 'name' to be exposed to all other containers in the zone.
I would also like to specify zones permissions and interconnect, perhaps they can or can't access the outside world, or other zones.
Pipe dream - or is there something out there, is anyone working on this kind of structure? Is it completely unnecessary and misguided, with some simple way to achieve it?
Docker Compose looks like the thing you need if I understood correctly.
Check this out: https://docs.docker.com/compose/
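A sketch of how the zones from the question could map onto Compose networks, as an added example that is not part of the original posts. The service names, the `myimage` image and the `gateway` service are assumptions for illustration; the file uses the default bridge driver, so it covers a single host only.

```yaml
# docker-compose.yml (constructed example)
# Each "zone" is a user-defined network. Containers resolve each other by
# service name only on networks they share; separate networks are isolated.
services:
  mongo:
    image: mongo
    networks: [bar]          # reachable as "mongo" only from zone bar
  app:
    image: myimage           # hypothetical application image
    networks: [bar]          # can connect to host name "mongo"
  a:
    image: myimage
    networks: [foo]          # a and b see each other, not bar or baz
  b:
    image: myimage
    networks: [foo]
  gateway:
    image: myimage
    networks: [foo, baz]     # explicit interconnect: member of two zones

networks:
  foo: {}
  bar:
    internal: true           # zone permission: no route to the outside world
  baz: {}
```

Running `docker compose config` validates the file, and `docker network inspect` on a zone's network lists which containers were attached to it.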