An Introduction to Docker Networking

by Gautham Pai

Docker networks are a crucial component of containerized applications, enabling communication between containers and with the outside world. This guide will walk you through the basics of Docker networking, covering various network types and how to use them effectively.

Docker Networking

Default Bridge Network

When you install Docker, it automatically creates a default bridge network (named bridge, backed by the docker0 interface on the host). Every container started without a --net/--network option is attached to it.

Default Bridge Network in Docker

Let's start with an example:

# Create a simple Docker image with networking tools
# (curl is included because the host-network section further down uses it)
mkdir -p ~/data/ping
cd ~/data/ping
cat > Dockerfile <<DELIM
FROM ubuntu:24.04
RUN apt-get update \
 && apt-get -y install iputils-ping net-tools curl \
 && rm -rf /var/lib/apt/lists/*
DELIM
docker build -t ping .

# Create two containers
docker run -itd --name c1 ping
docker run -itd --name c2 ping

# Check the containers
docker ps

Now, let's examine the network communication. Docker hands out addresses from the default bridge's subnet (172.17.0.0/16) in start order, so c1 is normally 172.17.0.2 and c2 is 172.17.0.3; confirm this before relying on it with docker inspect -f '{{.NetworkSettings.IPAddress}}' c1. Pinging a container from the host only works on a Linux host, because on Docker Desktop the engine (and docker0) lives inside a VM.

# Ping from host to container
ping 172.17.0.2

# Access container c1
docker exec -it c1 /bin/bash

# Inside the container, try pinging:
ping 172.17.0.3 # This is container c2
ping 172.17.0.1 # This is the host (its address on the docker0 bridge)
ping 8.8.8.8 # This is the internet, reached through NAT (MASQUERADE) on the host
ping google.com # This demonstrates DNS resolution (the resolvers are copied from the host's /etc/resolv.conf)

In the default bridge network, containers can reach each other by IP address, and every container on that bridge can reach every other one: it is a single flat segment with no filtering between its members. There is no built-in service discovery, so containers can't resolve each other by name (the legacy --link flag is the only way to get a name onto the default bridge). For anything beyond a quick experiment, prefer a user-defined network.

Custom Bridge Networks

Custom (user-defined) bridge networks, available since Docker 1.9, give each network its own bridge on the host and come with automatic DNS resolution of container names through Docker's embedded DNS server, which is reachable inside each container at 127.0.0.11.

Docker - Custom Bridge Networks

Let's create and use a custom bridge network:

# Create a custom bridge network
docker network create mynet1

# List networks
docker network ls

# Create containers in the custom network
docker run -itd --name c3 --net mynet1 ping
docker run -itd --name c4 --net mynet1 ping

# Check container IP addresses (mynet1 gets the next free private subnet, typically 172.18.0.0/16)
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' c3
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' c4

In a custom bridge network, containers can communicate with each other using their names as hostnames, which is not possible in the default bridge network. Only containers attached to the same user-defined network are resolvable: c1 and c2, which sit on the default bridge, are unknown to the embedded DNS server that c3 and c4 use.

Let's demonstrate this with some ping examples:

# Access container c3
docker exec -it c3 /bin/bash

# Inside container c3, ping c4 by name (this should work: the embedded DNS at 127.0.0.11 resolves it)
ping c4

# Try pinging a container in the default bridge network (this should fail:
# the name c1 is not resolvable from mynet1, and even c1's IP address would be
# unreachable, because Docker drops traffic between its bridge networks)
ping c1

# Exit container c3
exit

# Now, try pinging from a container in the default bridge network
docker exec -it c1 /bin/bash

# Ping c2 by IP (this should work)
ping 172.17.0.3

# Try pinging c2 by name (this should fail: there is no name resolution on the default bridge)
ping c2

# Try pinging c3 in the custom network (this should fail: the name does not resolve,
# and c3's address on mynet1 is filtered by Docker's inter-network isolation rules)
ping c3

Communication Between Networks

Containers in different networks cannot communicate directly with each other, even by IP address. This is not a property of the bridges themselves: Docker installs filter rules on the host (the DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2 chains in iptables) that drop forwarded traffic between its bridge networks. You can inspect them with sudo iptables -nL DOCKER-ISOLATION-STAGE-2, and you should keep in mind that running the daemon with --iptables=false removes this isolation entirely.

Let's demonstrate this:

# Create a second network
docker network create --driver bridge --subnet 172.19.0.0/16 mynet2

# Create containers in the second network
docker run -itd --name c5 --net mynet2 ping
docker run -itd --name c6 --net mynet2 ping

Containers c5 and c6 can communicate with each other, but not with c3 and c4 on mynet1, neither by name nor by IP.

Let's verify this with some ping tests:

# Access container c5
docker exec -it c5 /bin/bash

# Ping c6 (this should work)
ping c6

# Try pinging c3 from mynet1 (this should fail)
ping c3

# Exit container c5
exit

# Access container c3 from mynet1
docker exec -it c3 /bin/bash

# Try pinging c5 from mynet2 (this should fail)
ping c5

Connecting a Container to Multiple Networks

A single container can be connected to more than one network. This is useful when you need a container to communicate across different network segments.

Docker - Containers in Multiple Networks

# Connect container c5 to mynet1
docker network connect mynet1 c5

Now, c5 can communicate with containers in both mynet1 and mynet2.

Let's verify this with some ping tests:

# Access container c5
docker exec -it c5 /bin/bash

# Ping c6 in mynet2 (this should work)
ping c6

# Ping c3 in mynet1 (this should now work)
ping c3

# Ping c4 in mynet1 (this should also work)
ping c4

# Exit container c5
exit

# Access container c3 in mynet1
docker exec -it c3 /bin/bash

# Ping c5 (this should now work)
ping c5

# Try pinging c6 (this should still fail as c3 is not connected to mynet2)
ping c6

These examples demonstrate that c5 can now communicate with containers in both networks, while containers in each network can reach c5 but not containers in the other network. Note what this means for isolation: c5 now sits in both segments, so a compromise of c5 gives an attacker a foothold in mynet1 and mynet2 at once. Attach a container to a second network only when it genuinely needs to talk on both, and treat such containers as the trust boundary between the segments.
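Working out by hand which containers can reach which, and whether they can do so by name, gets tedious once a few networks and multi-homed containers like c5 are involved. The script below is an added example (not code from the original article) that reads the JSON printed by docker network inspect and builds that reachability table for the custom-network and multiple-network sections above. It assumes the fields that command emits today (Name, Options, and a Containers map with Name and IPv4Address); the embedded sample is constructed by hand to mirror c1 through c6, not captured from a real host.

```python
"""Reachability table from `docker network inspect` output.

Usage with live data:  docker network inspect bridge mynet1 mynet2 | python3 reach.py
Run without stdin to see the constructed sample below.
"""
import json
import sys
from itertools import combinations

# Constructed sample mirroring the article's three bridge networks (not captured output).
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge",
     "Options": {"com.docker.network.bridge.default_bridge": "true"},
     "Containers": {"a1": {"Name": "c1", "IPv4Address": "172.17.0.2/16"},
                    "a2": {"Name": "c2", "IPv4Address": "172.17.0.3/16"}}},
    {"Name": "mynet1", "Driver": "bridge", "Options": {},
     "Containers": {"b3": {"Name": "c3", "IPv4Address": "172.18.0.2/16"},
                    "b4": {"Name": "c4", "IPv4Address": "172.18.0.3/16"},
                    "b5": {"Name": "c5", "IPv4Address": "172.18.0.4/16"}}},
    {"Name": "mynet2", "Driver": "bridge", "Options": {},
     "Containers": {"b5": {"Name": "c5", "IPv4Address": "172.19.0.2/16"},
                    "b6": {"Name": "c6", "IPv4Address": "172.19.0.3/16"}}},
])


def is_default_bridge(net):
    """Docker marks the default bridge with the default_bridge=true option."""
    return net.get("Options", {}).get("com.docker.network.bridge.default_bridge") == "true"


def membership(inspect_json):
    """Return {container_name: {network_name: ip}} from `docker network inspect` JSON."""
    members = {}
    for net in json.loads(inspect_json):
        for c in net.get("Containers", {}).values():
            ip = c["IPv4Address"].split("/")[0]
            members.setdefault(c["Name"], {})[net["Name"]] = ip
    return members


def reachability(inspect_json):
    """Classify every container pair.

    "isolated": no shared network, so Docker's inter-bridge filter drops the traffic.
    "ip-only":  shared network is the default bridge, reachable by IP but no name resolution.
    "ip+name":  shared user-defined network, reachable by IP and by name via embedded DNS.
    Returns {(a, b): (classification, [shared network names])}.
    """
    nets = {n["Name"]: n for n in json.loads(inspect_json)}
    members = membership(inspect_json)
    result = {}
    for a, b in combinations(sorted(members), 2):
        shared = sorted(set(members[a]) & set(members[b]))
        if not shared:
            result[(a, b)] = ("isolated", [])
        elif any(not is_default_bridge(nets[n]) for n in shared):
            result[(a, b)] = ("ip+name", shared)
        else:
            result[(a, b)] = ("ip-only", shared)
    return result


if __name__ == "__main__":
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for (a, b), (how, shared) in reachability(data).items():
        print(f"{a} <-> {b}: {how} {' '.join(shared)}")
```

On the sample, c5 is the only container that pairs "ip+name" with members of both mynet1 and mynet2, c1/c2 come out "ip-only", and every cross-network pair such as c3/c6 is "isolated", which is exactly what the ping tests above show.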

Host Network

The host network mode allows containers to use the host's network stack directly. This can be useful for specific use cases where you need maximum performance or direct access to the host's network interfaces. The examples below assume the engine runs natively on Linux; on Docker Desktop the "host" is the VM that runs the engine, not your machine.

# Run a container using the host network (detached, so it can be entered with exec below)
docker run -itd --name c7 --net host ping

In this mode, the container shares the host's network namespace, and there's no network isolation between the container and the host: a process in c7 can bind any host port, sees every host interface and socket, and can reach services the host exposes only on 127.0.0.1.

Let's demonstrate the characteristics of the host network:

# Access container c7
docker exec -it c7 /bin/bash

# Check the network interfaces
ifconfig

# You should see all of the host's network interfaces

# Compare the container's hostname with the host's hostname
hostname

# They should be identical

# Check if the container can access a service running on the host
# For example, if you have a web server running on port 80 on the host
# (curl needs to be present in the image; add it to the apt-get line in the Dockerfile if it isn't):
curl localhost:80

# This should return the same result as if you ran it on the host, including for
# services bound only to 127.0.0.1, which a bridge-networked container could never reach

# Ping another container (e.g., c1 from the default bridge network) by IP address
ping 172.17.0.2

# This works because the host has a route to docker0. Pinging c1 by name does not work:
# Docker's embedded DNS only serves containers on user-defined networks, and c7 uses
# the host's resolver, which knows nothing about container names

# Check the listening ports
netstat -tuln

# You should see all ports that are open on the host

# Exit the container
exit

These examples demonstrate that a container running in the host network mode:

  1. Has access to all of the host's network interfaces
  2. Shares the same hostname as the host
  3. Can access services running on the host without any port mapping, including ones bound only to localhost
  4. Can reach containers on other networks by IP address, exactly as the host can, but not by name
  5. Can see all open ports on the host

The host network mode provides the best networking performance as it skips Docker's network isolation, but it also removes the container's network isolation from the host system. For network purposes, treat a host-networked container as a process running on the host: anything it listens on is exposed on every host interface, it can collide with ports host services use, and if it is compromised it has the same reach into localhost-only services (databases, metrics endpoints, a Docker API exposed on TCP) as a host process. Reserve it for trusted workloads that genuinely need it.

None Network

The none network mode creates containers with no network interface except for the loopback interface.

# Run a container with no network
docker run -it --name c8 --net none ping /bin/bash

Let's demonstrate the isolation of the none network:

# Access container c8
docker exec -it c8 /bin/bash

# Try pinging localhost (this should work)
ping localhost

# Try pinging an internet address (this should fail: there is no interface to send from and no route)
ping 8.8.8.8

# Try pinging a domain name (this should also fail: the DNS query itself has nowhere to go)
ping google.com

# Check network interfaces
ifconfig

# You should only see the loopback interface (lo)

# Exit the container
exit

These examples show that in the none network mode the container can only communicate with itself via the loopback interface. It has no access to external networks or other containers, which makes it the right choice for jobs that only process local data (files handed in through volumes or stdin) and must never be able to phone home. Note that a container started with --net none cannot later be attached to another network with docker network connect; if a job needs connectivity, start it on a user-defined network instead.
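When reviewing a host, the question is usually the reverse of the examples above: which running containers are in host mode, which are multi-homed, which are on the default bridge with no isolation from their neighbours, and which are fully cut off. The script below is an added example (not code from the original article) that answers that from docker inspect output for the host-network and none-network sections above. It assumes the fields docker inspect emits for containers today (HostConfig.NetworkMode, HostConfig.PortBindings, NetworkSettings.Networks); the embedded sample is constructed to mirror c1, c5, c7 and c8 plus a made-up "web" container, not captured from a real host. The published-port check goes a little beyond the article, flagging ports bound on all host interfaces.

```python
"""Audit the network mode of running containers from `docker inspect` JSON.

Usage with live data:  docker inspect $(docker ps -q) | python3 netaudit.py
Run without stdin to see the constructed sample below.
"""
import json
import sys

# Constructed sample mirroring the article's containers (not captured output).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/c1", "HostConfig": {"NetworkMode": "bridge", "PortBindings": {}},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
    {"Name": "/c5", "HostConfig": {"NetworkMode": "mynet2", "PortBindings": {}},
     "NetworkSettings": {"Networks": {"mynet1": {"IPAddress": "172.18.0.4"},
                                      "mynet2": {"IPAddress": "172.19.0.2"}}}},
    {"Name": "/c7", "HostConfig": {"NetworkMode": "host", "PortBindings": {}},
     "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}},
    {"Name": "/c8", "HostConfig": {"NetworkMode": "none", "PortBindings": {}},
     "NetworkSettings": {"Networks": {"none": {"IPAddress": ""}}}},
    # Hypothetical container with published ports, to exercise the port check.
    {"Name": "/web", "HostConfig": {"NetworkMode": "bridge",
                                    "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}],
                                                     "9000/tcp": [{"HostIp": "127.0.0.1", "HostPort": "9000"}]}},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.4"}}}},
])


def classify(container):
    """Return {name, mode, networks, findings} for one `docker inspect` container record."""
    mode = container["HostConfig"]["NetworkMode"]
    nets = container["NetworkSettings"]["Networks"]
    name = container["Name"].lstrip("/")
    findings = []
    if mode == "host":
        findings.append("shares the host network namespace: no port isolation, "
                        "can reach host-only (127.0.0.1) services")
    elif mode == "none":
        findings.append("loopback only")
    elif mode.startswith("container:"):
        # Shares another container's namespace; only the id prefix is kept for readability.
        findings.append("shares the network namespace of " + mode.split(":", 1)[1][:12])
    else:
        if "bridge" in nets:
            findings.append("on the default bridge: reachable by IP from every other "
                            "default-bridge container, no name resolution")
        if len(nets) > 1:
            findings.append("attached to multiple networks: " + ", ".join(sorted(nets))
                            + " (a compromise here bridges those segments)")
    # Ports published with an empty/0.0.0.0 HostIp listen on every host interface.
    for port, bindings in (container["HostConfig"].get("PortBindings") or {}).items():
        for b in bindings or []:
            host_ip = b.get("HostIp") or "0.0.0.0"
            if host_ip in ("0.0.0.0", "::"):
                findings.append(f"{port} published on all host interfaces (host port {b.get('HostPort')})")
    return {"name": name, "mode": mode, "networks": sorted(nets), "findings": findings}


def audit(inspect_json):
    """Classify every container in a `docker inspect` JSON array."""
    return [classify(c) for c in json.loads(inspect_json)]


if __name__ == "__main__":
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for row in audit(data):
        print(f"{row['name']:<8} mode={row['mode']:<8} networks={','.join(row['networks'])}")
        for f in row["findings"]:
            print(f"         - {f}")
```

Containers reported with the host finding deserve the same scrutiny as host processes, and the multiple-networks finding marks the c5-style containers that act as a boundary between segments; a port bound to 127.0.0.1, like the sample's 9000/tcp, is deliberately not flagged.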
