Docker Networking

Docker networking is the way Docker containers communicate with each other and with the outside world.

Docker networking is an important part of managing and deploying Docker containers, as it enables communication between containers and with the outside world.

Docker networking options

Docker provides several networking options, including:

Bridge network: This is the default network that is created when Docker is installed. It provides a private network for Docker containers to communicate with each other. Each container on the bridge network gets its own IP address, and they can communicate with each other by their IP address or container name.

Host network: This allows a container to share the network stack of the host machine, rather than having its own isolated network namespace. This can provide better performance in some cases, but it can also be less secure.

Macvlan network: This allows a container to be attached to a specific physical network interface on the host machine, rather than using a virtual network.

Overlay network: This allows Docker containers to communicate with each other across multiple Docker hosts. It uses a virtual network that spans multiple hosts, allowing containers to communicate with each other as if they were on the same physical network.

Default container network behavior (Bridge network)

By default, each Docker container runs in its own isolated network, with its own IP address and networking stack. This isolation provides a layer of security and allows multiple containers to run on the same host without conflicting with each other. The containers can communicate with each other on this network.

When a Docker container is started, it is assigned an IP address on the bridge network that the host machine manages, and all outbound traffic from the container is routed through the host machine's network interface.

This is called the bridge network.

The default network CIDR is 172.17.0.0/16

Outbound traffic from Docker containers is routed through the host machine's network by default, which means that containers can access the internet and other network resources that are available to the host machine.

Inbound network traffic to the container is not allowed by default, unless you explicitly publish container ports using the -p option when starting the container or use host networking mode with the --network host option. This means that external network resources cannot initiate connections to the container by default.

Allow inbound network access

To allow inbound access to a Docker container on the bridge network, you need to publish container ports using the -p option when starting the container. This tells Docker to forward traffic that is received on a specific port on the host machine to a port on the container. This is a port forwarding setup.

The syntax for the -p option is as follows:

-p <host_port>:<container_port>

Where <host_port> is the port number on the host machine that you want to map to <container_port>, which is the port number on the container that you want to expose.

For example, to publish port 8080 on the host machine and map it to port 80 on a container that is running a web server, you can use the following command:

docker run -p 8080:80 <image>

This command starts a new container based on the specified image and publishes port 8080 on the host machine, which maps to port 80 on the container. Now, when you access port 8080 on the host machine, the traffic is forwarded to port 80 on the container, allowing inbound access to the web server running inside the container.

The host machine is the server running the Docker service.
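Added example, not from the original page: the -p option also accepts an optional bind address in front of the host port, so the same web server can be published on every host interface (the default, 0.0.0.0) or only on loopback. The image name nginx:alpine and the container name web are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Publishes container port 80 on
# host port 8080. Without a bind address Docker listens on all host interfaces;
# with 127.0.0.1 the forwarded port is reachable only from the host itself.
# Image "nginx:alpine" and container name "web" are arbitrary assumptions.
set -eu

DOCKER="${DOCKER:-docker}"   # set DOCKER=echo to dry-run the commands

# $1 = host port, $2 = container port, $3 = optional bind address
run_web() {
  host_port="$1"; ctr_port="$2"; bind="${3:-}"
  if [ -n "$bind" ]; then
    spec="${bind}:${host_port}:${ctr_port}"   # e.g. 127.0.0.1:8080:80
  else
    spec="${host_port}:${ctr_port}"           # e.g. 8080:80 -> 0.0.0.0
  fi
  $DOCKER run -d --name web -p "$spec" nginx:alpine
}

# Ask Docker which host address:port it actually bound for container port 80.
show_binding() {
  $DOCKER port web 80
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  run_web 8080 80 127.0.0.1   # loopback only
  show_binding                # prints e.g. 127.0.0.1:8080
fi
```

Run with RUN_DEMO=1 on a Docker host; the published binding is what external clients can reach, regardless of the container's own bridge address.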

Run the container on the Docker host IP (Host network)

The host network mode (the --network host option) allows a container to share the same network namespace as the host machine. When you start a container in host network mode, it uses the network interfaces of the host machine, which means that the container can use the same IP address and network interfaces as the host.

You should use host network mode only when you have a specific need for it, such as when you need to use a network service that requires a fixed IP address or broadcast/multicast traffic. In most cases, using Docker networks or port mappings is a more secure and flexible way to connect containers.

Benefits

  • Improved performance: Since the container is directly connected to the host network, it can communicate with other devices more efficiently than when connected to a Docker network.
  • Simplified networking: In host network mode, you don’t need to configure port mappings or network interfaces because the container shares the same network stack as the host. This can simplify networking configuration, especially for applications that require a fixed IP address or that rely on broadcast or multicast traffic.

Negatives

  • Security risks: Since the container is directly connected to the host network, it has access to all the services and devices on the network, which can pose a security risk.
  • Port conflicts: If you start multiple containers in host network mode, they will all try to use the same ports as the host machine, which can cause port conflicts and prevent some containers from starting.

Create virtual NIC on the Docker host (Macvlan)

Macvlan (short for "MAC Virtual LAN") is a virtual network interface type in Docker that allows you to create multiple virtual network interfaces, each with its own unique MAC address. Macvlan interfaces can be used to connect Docker containers or other networked devices to a physical or virtual network, allowing them to communicate with other devices on that network.

Macvlan creates a new virtual network interface attached to a physical network interface on the Docker host system. Each macvlan interface is assigned a unique MAC address distinct from the MAC address of the physical interface. This allows the virtual interfaces to appear as separate devices on the network.

There are two main types of macvlan interfaces: bridge mode and private mode.

Bridge mode: the virtual interface is connected to the physical network and can communicate with other devices on the same network.

Private mode: the virtual interface is isolated from the physical network and can only communicate with other macvlan interfaces on the same Docker host.

Macvlan can be helpful in various scenarios, such as isolating network traffic between containers running on the same Docker host or creating multiple virtual network interfaces on a Docker host to provide different network services.

However, configuring macvlan interfaces can be complex, and it’s essential to understand the underlying network infrastructure and configuration requirements before implementing macvlan in a production environment.

To create a macvlan network in Docker, you need to use the docker network create command with the --driver macvlan (or -d macvlan) option, followed by the parent network interface, the mode (either "bridge" or "private") and the name of the network. You can specify a CIDR range for the network using the --subnet option; the CIDR range defines the IP address range that can be assigned to containers on the macvlan network.

For example, to create a macvlan network named my-macvlan-network that uses the eth0 interface in bridge mode, you can use the following command:

docker network create -d macvlan --subnet=<subnet> --gateway=<gateway> -o parent=eth0 -o macvlan_mode=bridge my-macvlan-network

This command creates a new macvlan network that uses the eth0 interface as the parent interface, and it assigns a subnet and gateway to the network. Once the macvlan network is created, you can use the --network option when starting a container to connect it to the network:

docker run --network my-macvlan-network <image>

This will start a container and connect it to the my-macvlan-network network, allowing it to communicate with other devices on the same network.
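Added example, not from the original page: creating the macvlan network above with a narrowed --ip-range so that Docker only hands out addresses from a reserved slice of the LAN, then attaching a container with a fixed --ip. The interface eth0, the 192.168.10.0/24 subnet, the image and the container name are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Creates a bridge-mode macvlan
# network whose containers appear directly on the LAN, restricts automatic
# address assignment to 192.168.10.192/26 so they cannot collide with existing
# LAN hosts, and attaches a container with a fixed address from that slice.
# eth0, 192.168.10.0/24, nginx:alpine and the names are constructed values.
set -eu

DOCKER="${DOCKER:-docker}"   # set DOCKER=echo to dry-run the commands

NET_NAME="my-macvlan-network"
PARENT="eth0"
SUBNET="192.168.10.0/24"
GATEWAY="192.168.10.1"
IP_RANGE="192.168.10.192/26"   # only .192-.255 are handed out automatically

create_macvlan() {
  $DOCKER network create -d macvlan \
    --subnet="$SUBNET" --gateway="$GATEWAY" --ip-range="$IP_RANGE" \
    -o parent="$PARENT" -o macvlan_mode=bridge "$NET_NAME"
}

# $1 = container name, $2 = fixed IP inside SUBNET, $3 = image.
# Note: such a container is reachable from the LAN like any other host;
# host-side port publishing (-p) does not apply on a macvlan network.
run_on_macvlan() {
  $DOCKER run -d --name "$1" --network "$NET_NAME" --ip "$2" "$3"
}

# Show the addresses Docker actually assigned on the network.
list_addresses() {
  $DOCKER network inspect -f '{{range .Containers}}{{.Name}} {{.IPv4Address}} {{end}}' "$NET_NAME"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  create_macvlan
  run_on_macvlan svc1 192.168.10.200 nginx:alpine
  list_addresses
fi
```

Because of how the kernel's macvlan driver works, the Docker host itself cannot reach these containers through the parent interface, so check reachability from another machine on the LAN.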

Connect multiple Docker hosts (Overlay network)

An overlay network is a virtual network that spans multiple Docker hosts and allows containers running on different hosts to communicate with each other. Overlay networks use the VXLAN (Virtual eXtensible Local Area Network) protocol to encapsulate network traffic and transport it over the physical network.

Overlay networks are abstracted from the physical network, meaning you can move containers between different hosts without changing their network configuration.

To create an overlay network, you need to use the docker network create command with the --driver overlay option, followed by the network name. For example, to create an overlay network named my-overlay-network, you can use the following command:

docker network create --driver overlay my-overlay-network

Once the overlay network is created, you can use the docker run command to start containers and connect them to the network using the --network option. For example, to start a container and connect it to the my-overlay-network network, you can use the following command:

docker run --network my-overlay-network <image>

When the container starts, it is assigned an IP address on the overlay network, and it can communicate with other containers on the same network, regardless of which Docker host they are running on.

To use overlay networks, you need to have a Docker Swarm cluster configured, as overlay networks are primarily designed for use with Swarm mode. Additionally, overlay networks require additional configuration and network infrastructure, such as a key-value store for storing network state and a properly configured network infrastructure to support VXLAN encapsulation.
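Added example, not from the original page: initializing a swarm on one node and creating the overlay network from the commands above with two extra options, --attachable (so plain docker run containers can join it, not only swarm services) and --opt encrypted (IPsec on the VXLAN traffic between hosts). The advertise address 203.0.113.10, the 10.20.0.0/24 subnet, the image and the container name are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Bootstraps a swarm manager and
# creates an attachable, encrypted overlay network. Between swarm nodes only
# these ports need to be open: 2377/tcp (management), 7946/tcp+udp (gossip),
# 4789/udp (VXLAN) and IP protocol 50 (ESP) for the encrypted option.
# 203.0.113.10, 10.20.0.0/24, nginx:alpine and the names are constructed.
set -eu

DOCKER="${DOCKER:-docker}"   # set DOCKER=echo to dry-run the commands

ADVERTISE_ADDR="203.0.113.10"   # placeholder: this node's cluster-facing IP
NET_NAME="my-overlay-network"
SUBNET="10.20.0.0/24"

init_swarm() {
  $DOCKER swarm init --advertise-addr "$ADVERTISE_ADDR"
}

# --attachable lets "docker run" containers join; --opt encrypted turns on
# IPsec for the VXLAN tunnels so inter-host traffic is not sent in clear text.
create_overlay() {
  $DOCKER network create -d overlay --attachable --opt encrypted \
    --subnet="$SUBNET" "$NET_NAME"
}

# $1 = container name, $2 = image. Works on any node of the swarm.
run_on_overlay() {
  $DOCKER run -d --name "$1" --network "$NET_NAME" "$2"
}

# Confirm the driver and that the encrypted option is set.
verify_overlay() {
  $DOCKER network inspect -f '{{.Driver}} {{.Options}}' "$NET_NAME"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  init_swarm
  create_overlay
  run_on_overlay svc1 nginx:alpine
  verify_overlay   # prints e.g. overlay map[encrypted:]
fi
```

An overlay network only becomes visible on a worker node once a container or task on that node is attached to it, so inspect it on the node where the container runs.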


Last modified July 21, 2024: update (e2ae86c)