Day 18 - Docker Networking
Bridge vs Host vs Overlay Networks
Secure Containers Using Custom Bridge Network
1️⃣ Introduction — Why Docker Networking?
Docker Networking (or container networking) enables communication:
Between containers.
Between containers and the host system.
Every Docker container requires networking to send and receive data.
Networking in containers is similar in concept to traditional networking in virtual machines but lighter and more flexible.
2️⃣ Why Do We Need Docker Networking?
🧩 Scenario 1 — Containers Need to Communicate
Example:
- Frontend container ↔ Backend container.
These containers must exchange data (e.g., API calls, responses).
Networking allows this communication using IPs or service names.
🔒 Scenario 2 — Containers Need Isolation
Example:
- A login container and a payment container.
Payment container stores sensitive information (credit cards, user data).
We need logical isolation — login users must not access the payment container.
So, Docker networking helps achieve both:
Connectivity, and
Isolation.
3️⃣ Networking Basics — Containers vs Virtual Machines
| Feature | Virtual Machine | Docker Container |
| OS | Each VM has its own OS | Containers share the host OS |
| Subnet | Can have separate subnets | Use Docker-managed subnets |
| Isolation | Built-in via hypervisor | Achieved via Docker networks |
4️⃣ How Containers Communicate with the Host
🔧 Default Host Interface
Every host (server or laptop) has a network interface like:
eth0 → 192.168.1.10
Each container also gets its own interface:
eth0 → 172.17.0.2
These two belong to different subnets — so, direct ping fails.
🌉 The Solution — Virtual Ethernet Bridge
Docker automatically creates a virtual bridge called docker0.
This bridge acts like a router between the host and containers.
When you create a container, Docker links its virtual ethernet (veth) to this bridge.
✅ Result: Containers can now communicate with the host and each other.
5️⃣ Default Docker Network — The Bridge Network
⚙️ What Is Bridge Networking?
A bridge connects containers to the host through a virtual switch (docker0).
It provides:
Communication between containers.
Communication between container and host.
Internet access (via NAT).
🧩 Example:
docker network ls
Shows:
NETWORK ID NAME DRIVER SCOPE
abcd1234 bridge bridge local
📦 Behavior:
Containers connected to the same bridge can ping each other.
All containers share the same subnet.
This network is created automatically by Docker.
6️⃣ Other Docker Network Types
1. 🧱 Bridge Network (Default)
Virtual bridge (docker0) created automatically.
Containers communicate using internal IPs.
Suitable for single-host setups.
2. 🌐 Host Network
The container shares the host’s network stack.
No separate IP; it uses the host’s IP.
Example:
docker run -d --network=host nginx
Pros: Faster, direct access.
Cons: No isolation; insecure (container = host access).
3. 🕸️ Overlay Network
Used for multi-host communication (in Docker Swarm or Kubernetes).
Creates a network that spans across multiple Docker hosts.
Allows containers on different machines to communicate securely.
Common in container orchestration platforms.
7️⃣ Networking Deep Dive — How Communication Works
Example setup:
Host eth0: 192.168.1.5
docker0 (bridge): 172.17.0.1
Container 1 eth0: 172.17.0.2
Container 2 eth0: 172.17.0.3
Both containers use the same bridge (docker0).
Hence:
They can ping each other.
They share the same communication channel.
⚠️ Problem:
All containers use the same bridge.
This is a security risk: if one container is compromised, the others are reachable from it.
8️⃣ Custom Bridge Networks — Securing Containers
To isolate sensitive containers, you can create custom bridge networks.
🧱 Why Create Custom Bridges?
The default bridge (docker0) allows all containers to communicate.
A custom bridge provides:
Network segmentation.
Security boundaries.
Controlled communication.
🧰 Create a Custom Bridge
docker network create secure_network
🧪 Verify
docker network ls
Output:
bridge
host
none
secure_network
9️⃣ Attach Containers to Custom Bridge Networks
Example:
Step 1 — Run Normal Containers
docker run -d --name login nginx
docker run -d --name logout nginx
Both use default bridge network.
Can ping each other.
Step 2 — Create a Secure Network
docker network create secure_network
Step 3 — Run Secure Container
docker run -d --name finance --network=secure_network nginx
Step 4 — Verify
docker inspect finance
You’ll see:
"Networks": {
"secure_network": {
"IPAddress": "172.19.0.2"
}
}
✅ Result:
login → bridge → 172.17.x.x
finance → secure_network → 172.19.x.x
They cannot ping each other.
Finance container isolated successfully.
🔒 Summary of Isolation
| Container | Network Type | Communication |
| login | default bridge | Can talk to logout |
| logout | default bridge | Can talk to login |
| finance | custom bridge | Isolated from others |
This achieves network-level security while staying within Docker itself.
🔍 Host Network Example
docker run -d --name host_demo --network=host nginx
Container uses host’s IP (192.168.1.5).
docker inspect host_demo shows: "NetworkMode": "host"
No separate IP address.
⚠️ No isolation — directly exposed on host’s interface.
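To check the isolation above across many containers at once, the following added example (not part of the original notes) audits `docker inspect` JSON: it lists container pairs that share a bridge network and flags host-mode containers and sensitive containers left on the default bridge. The sample data is constructed to match the login/logout/finance/host_demo setup, and the `sensitive` set and function names are assumptions for illustration.

```python
import json
from itertools import combinations

# Constructed sample: trimmed `docker inspect login logout finance host_demo`
# output, reduced to the fields this audit reads. IPs are illustrative.
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/login", "HostConfig": {"NetworkMode": "bridge"},
  "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
 {"Name": "/logout", "HostConfig": {"NetworkMode": "bridge"},
  "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.3"}}}},
 {"Name": "/finance", "HostConfig": {"NetworkMode": "secure_network"},
  "NetworkSettings": {"Networks": {"secure_network": {"IPAddress": "172.19.0.2"}}}},
 {"Name": "/host_demo", "HostConfig": {"NetworkMode": "host"},
  "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}}
]
""")

def networks_of(container):
    """Names of the Docker networks a container is attached to."""
    return set(container["NetworkSettings"]["Networks"])

def audit(containers, sensitive):
    """Return (pairs sharing a bridge network, findings for risky placement)."""
    reachable, findings = [], []
    for a, b in combinations(containers, 2):
        # "host" and "none" are not bridges, so sharing them is not a bridge path.
        shared = (networks_of(a) & networks_of(b)) - {"host", "none"}
        if shared:
            reachable.append((a["Name"].lstrip("/"), b["Name"].lstrip("/"), sorted(shared)))
    for c in containers:
        name, mode = c["Name"].lstrip("/"), c["HostConfig"]["NetworkMode"]
        if mode == "host":
            findings.append(f"{name}: host network mode, no network isolation from the host")
        elif "bridge" in networks_of(c) and name in sensitive:
            findings.append(f"{name}: sensitive container on the shared default bridge")
    return reachable, findings

if __name__ == "__main__":
    pairs, findings = audit(SAMPLE_INSPECT, sensitive={"finance"})
    for a, b, nets in pairs:
        print(f"{a} <-> {b} share {nets}")
    for f in findings:
        print("FINDING:", f)
```

On a live host, the same function can be fed the parsed output of `docker inspect $(docker ps -q)` instead of the constructed sample.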
🔚 Recap — Docker Networking Summary
| Network Type | Description | Use Case | Security |
| Bridge | Default virtual network via docker0 | Single-host apps | Medium |
| Host | Shares host network | Performance-critical or testing | Low |
| Overlay | Cross-host networking | Multi-node clusters (Swarm/K8s) | High |
| Custom Bridge | User-created network | Secure container isolation | High |
🧠 Key Takeaways
Docker networking lets containers communicate or isolate as needed.
Bridge Network → Default communication method.
Host Network → Shares host network; faster but insecure.
Overlay Network → For multi-host clusters (Docker Swarm/Kubernetes).
Custom Bridge Network → Best way to isolate secure containers on a single host.