Docker Networking — Bridge, Host, Overlay
Sanjeev SharmaAdvertisement
Docker Networking — Bridge, Host, Overlay
Docker networking enables containers to communicate with each other and the outside world. Learn each network driver and when to use them.
Introduction
Docker provides multiple networking options for different use cases. Understanding these modes is essential for designing scalable, secure containerized applications.
- Docker Networking — Bridge, Host, Overlay
- Network Drivers
- Bridge Network
- Creating a Bridge Network
- Running Containers on Bridge Network
- Bridge Network with Docker Compose
- Service Discovery
- Host Network
- Running with Host Network
- Use Cases
- Example: Host Network
- Limitations
- Overlay Network
- Setup Overlay Network
- Deploying Services on Overlay
- Docker Compose with Overlay
- Advanced Networking
- Custom Bridge with Driver Options
- Multi-Network Setup
- Exposing Ports
- Service Discovery and DNS
- Built-in DNS
- DNS in Docker Compose
- Network Troubleshooting
- Inspect Network
- Test Connectivity
- View Network Traffic
- Network Security
- Restrict Traffic
- Default Security
- Performance Considerations
- Choosing a Network Driver
- FAQ
Network Drivers
Docker supports five network drivers:
- bridge: Default, isolated network
- host: Use host's network stack
- overlay: Multi-host networking
- macvlan: Assign MAC addresses
- none: No networking
Bridge Network
The default network driver. Each container gets an IP on the bridge network.
Creating a Bridge Network
# Create custom bridge network
docker network create myapp_network
# List networks
docker network ls
# Inspect network
docker network inspect myapp_network
Running Containers on Bridge Network
# Run container on custom bridge
docker run -d --name web --network myapp_network -p 8080:3000 myapp:1.0
docker run -d --name db --network myapp_network postgres:15
# Containers can communicate using service names
# In web container: psql -h db -U postgres
Bridge Network with Docker Compose
version: '3.8'
services:
web:
image: myapp:1.0
networks:
- app_network
ports:
- "3000:3000"
db:
image: postgres:15
networks:
- app_network
networks:
app_network:
driver: bridge
Service Discovery
Containers on the same bridge network can communicate using service names:
# Start Redis container
docker run -d --name cache --network myapp_network redis:7
# In application (Node.js)
const redis = require('redis');
const client = redis.createClient({
host: 'cache', # Service name, not IP
port: 6379
});
Host Network
Containers use the host's network stack directly. No isolation between container and host networking.
Running with Host Network
# Container uses host's network interfaces
docker run -d --network host myapp:1.0
# No port mapping needed
# Application directly on host port
Use Cases
- Maximum performance needed
- Port conflicts with host services
- Multiple network interfaces
Example: Host Network
# Without host network: accessible on localhost:8080
docker run -p 8080:3000 myapp:1.0
# With host network: accessible on 0.0.0.0:3000 (host's network)
docker run --network host myapp:1.0
Limitations
- Port conflicts if multiple apps use same port
- Cannot use port mapping (
-pflag ignored) - Less isolation from host
Overlay Network
For multi-host Docker Swarm clusters. Enables container communication across multiple Docker hosts.
Setup Overlay Network
# Initialize Docker Swarm
docker swarm init
# Create overlay network
docker network create --driver overlay --attachable myapp_overlay
# List networks
docker network ls
# Inspect overlay network
docker network inspect myapp_overlay
Deploying Services on Overlay
# Run containers on overlay network
docker run -d --name web --network myapp_overlay myapp:1.0
docker run -d --name db --network myapp_overlay postgres:15
Docker Compose with Overlay
version: '3.8'
services:
web:
image: myapp:1.0
deploy:
replicas: 3
networks:
- app_overlay
db:
image: postgres:15
networks:
- app_overlay
networks:
app_overlay:
driver: overlay
Advanced Networking
Custom Bridge with Driver Options
# Create bridge with specific subnet
docker network create \
--driver bridge \
--subnet 172.20.0.0/16 \
--gateway 172.20.0.1 \
myapp_network
Multi-Network Setup
version: '3.8'
services:
web:
image: myapp:1.0
networks:
- frontend
- backend
db:
image: postgres:15
networks:
- backend
cache:
image: redis:7
networks:
- backend
networks:
frontend:
driver: bridge
backend:
driver: bridge
// Web service connects to both networks
// Can reach frontend and backend services
// DB and cache on backend only, can't reach frontend
Exposing Ports
services:
web:
image: myapp:1.0
networks:
- app_network
# Port mapping: host:container
ports:
- "3000:3000" # Port 3000 on host → 3000 in container
- "8080:9000" # Port 8080 on host → 9000 in container
# Only port 3000 accessible from outside
expose:
- "3000"
Service Discovery and DNS
Built-in DNS
Docker has embedded DNS server for service discovery:
# All containers on same network can resolve service names
docker run -it --network myapp_network alpine sh
# Inside container:
ping web # Resolves to web container's IP
ping db # Resolves to db container's IP
DNS in Docker Compose
// Node.js service discovery
const axios = require('axios');
// Connect to 'web' service on same network
axios.get('http://web:3000/api/health');
// Works automatically with Docker Compose
Network Troubleshooting
Inspect Network
# View network details
docker network inspect myapp_network
# Shows connected containers and IPs
Test Connectivity
# Execute command in container
docker exec web ping db
# Get container IP
docker inspect --format='{{.NetworkSettings.Networks.myapp_network.IPAddress}}' web
# Check container network settings
docker inspect web
View Network Traffic
# Using tcpdump in container
docker exec web tcpdump -i eth0
# Monitor ports
docker exec web netstat -tlnp
Network Security
Restrict Traffic
services:
web:
image: myapp:1.0
networks:
- app_network
# Only expose necessary ports
ports:
- "3000:3000"
db:
image: postgres:15
networks:
- app_network
# Don't expose port externally
# Only accessible from web on 5432
Default Security
- Containers can't reach each other by default
- Must explicitly connect to same network
- Port mapping required for external access
- Firewalls protect container networks
Performance Considerations
| Network | Latency | Throughput | Use Case |
|---|---|---|---|
| Bridge | Low | High | Local containers |
| Host | Very Low | Very High | Performance critical |
| Overlay | Higher | Medium | Multi-host swarm |
| Macvlan | Low | High | Physical network access |
Choosing a Network Driver
- Bridge: Default choice for most applications
- Host: When maximum performance needed
- Overlay: Multi-host Docker Swarm deployments
- Macvlan: Connecting containers to physical networks
- None: When networking disabled intentionally
FAQ
Q: Can containers on different bridge networks communicate? A: Not directly. You must connect a container to both networks or use a router service on both networks.
Q: What's the performance difference between bridge and host networking? A: Host networking has lower latency and higher throughput because it bypasses Docker's network isolation layer.
Q: How do I debug network connectivity issues? A: Use docker exec to run commands inside containers: docker exec container_name ping another_container. Also inspect network settings with docker network inspect.
Advertisement
