Docker Networking Guide

Docker networking enables containers to communicate with each other, with the host system, and with external networks. This guide covers Docker's networking model, network drivers, and best practices for container networking.

Networking Overview

Docker creates a virtual networking layer that allows containers to communicate. Each container gets its own network namespace with a virtual ethernet interface, IP address, and routing table.

Network Architecture

┌──────────────────────────────────────────────────────────┐
│                        Host Machine                       │
│                                                          │
│  ┌─────────────────────────────────────────────────┐     │
│  │              Docker Network (bridge)             │     │
│  │                  172.17.0.0/16                   │     │
│  │                                                   │     │
│  │  ┌──────────┐  ┌──────────┐  ┌──────────┐      │     │
│  │  │Container1│  │Container2│  │Container3│      │     │
│  │  │172.17.0.2│  │172.17.0.3│  │172.17.0.4│      │     │
│  │  └──────────┘  └──────────┘  └──────────┘      │     │
│  │                                                   │     │
│  └───────────────────────┬───────────────────────────┘     │
│                          │                                 │
│                     docker0 bridge                         │
│                          │                                 │
│                     eth0 (Host NIC)                        │
└──────────────────────────┼─────────────────────────────────┘
                           │
                      External Network

Network Drivers

Docker provides several built-in network drivers:

Driver	Description	Use Case
bridge	Default network driver. Isolated network on a single host.	Single-host container communication
host	Removes network isolation. Container shares host's network.	Maximum network performance
overlay	Multi-host networking for Docker Swarm services.	Multi-host container communication
macvlan	Assigns a MAC address to containers. Appears as physical device.	Legacy applications needing direct network access
ipvlan	Similar to macvlan but shares host's MAC address.	When MAC address limits are a concern
none	Disables all networking.	Complete network isolation

Bridge Networks

The bridge driver is Docker's default networking mode. It creates a private internal network on the host.

Default Bridge Network

# Containers on the default bridge can communicate via IP
docker run -d --name web1 nginx
docker run -d --name web2 nginx

# Inspect the default bridge network
docker network inspect bridge

# Get container IP address
docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' web1

User-Defined Bridge Networks

User-defined bridge networks are recommended over the default bridge:

# Create a custom bridge network
docker network create --driver bridge my-network

# Create with specific subnet configuration
docker network create \
  --driver bridge \
  --subnet 192.168.1.0/24 \
  --gateway 192.168.1.1 \
  --ip-range 192.168.1.128/25 \
  my-custom-network

# Run containers on the custom network
docker run -d --name api --network my-network my-api:latest
docker run -d --name db --network my-network postgres:16

# Containers can communicate by name (automatic DNS)
docker exec api ping db

Default vs User-Defined Bridge

Feature	Default Bridge	User-Defined Bridge
Automatic DNS resolution	❌ No (use --link legacy)	✅ Yes (by container name)
Isolation from other containers	❌ All containers share it	✅ Only connected containers
Connect/disconnect at runtime	❌ Must recreate container	✅ Dynamic connect/disconnect
Environment variable sharing	❌ No	✅ Yes
Configurable	❌ Limited	✅ Fully customizable

Host Network

The host network driver removes the network isolation between the container and the Docker host:

# Run a container using the host network
docker run -d --network host nginx

# The container's ports are directly available on the host
# No port mapping (-p) needed or allowed
curl http://localhost:80

WARNING

Host networking is only available on Linux. On Docker Desktop (macOS/Windows), the host network mode runs inside the VM, not on the actual host.

Port Mapping

Port mapping exposes container ports to the host:

# Map host port 8080 to container port 80
docker run -d -p 8080:80 nginx

# Map to a specific host interface
docker run -d -p 127.0.0.1:8080:80 nginx

# Map a range of ports
docker run -d -p 8080-8090:80-90 nginx

# Map a random host port
docker run -d -p 80 nginx

# Map UDP port
docker run -d -p 53:53/udp dns-server

# Multiple port mappings
docker run -d -p 80:80 -p 443:443 nginx

Port Mapping Summary

Syntax	Description
-p 8080:80	Map host:8080 → container:80 on all interfaces
-p 127.0.0.1:8080:80	Map only on localhost
-p 80	Map to random host port
-p 8080:80/udp	Map UDP port
-P	Map all exposed ports to random host ports

Overlay Networks

Overlay networks enable multi-host communication in Docker Swarm:

# Initialize Docker Swarm (required for overlay)
docker swarm init

# Create an overlay network
docker network create --driver overlay my-overlay

# Create an attachable overlay network (for standalone containers)
docker network create --driver overlay --attachable my-overlay

# Deploy services on the overlay network
docker service create --name web --network my-overlay --replicas 3 nginx
docker service create --name api --network my-overlay my-api:latest

Network Management Commands

# List all networks
docker network ls

# Create a network
docker network create my-network

# Inspect a network
docker network inspect my-network

# Connect a running container to a network
docker network connect my-network my-container

# Disconnect a container from a network
docker network disconnect my-network my-container

# Remove a network
docker network rm my-network

# Remove all unused networks
docker network prune

DNS and Service Discovery

Docker provides built-in DNS for user-defined networks:

# Create a network
docker network create app-net

# Run services
docker run -d --name api --network app-net node-api:latest
docker run -d --name redis --network app-net redis:7

# Inside the api container, 'redis' resolves to the redis container's IP
docker exec api node -e "console.log(require('dns').resolve('redis'))"

Custom DNS Configuration

# Set custom DNS servers
docker run -d --dns 8.8.8.8 --dns 8.8.4.4 nginx

# Set DNS search domain
docker run -d --dns-search example.com nginx

# Set hostname
docker run -d --hostname myapp.example.com nginx

# Add host entries
docker run -d --add-host myhost:192.168.1.100 nginx

Container Communication Patterns

Same Network Communication

# docker-compose.yml
services:
  frontend:
    image: nginx:latest
    ports:
      - "80:80"
    networks:
      - frontend-net

  api:
    image: my-api:latest
    networks:
      - frontend-net
      - backend-net

  database:
    image: postgres:16
    networks:
      - backend-net

networks:
  frontend-net:
  backend-net:

┌────────────────────────────────────┐
│         frontend-net               │
│  ┌──────────┐  ┌──────────┐      │
│  │ frontend  │──│   api    │      │
│  └──────────┘  └────┬─────┘      │
└──────────────────────┼────────────┘
                       │
┌──────────────────────┼────────────┐
│         backend-net  │            │
│                ┌─────┴────┐      │
│                │   api    │      │
│                └────┬─────┘      │
│                     │             │
│              ┌──────┴─────┐      │
│              │  database  │      │
│              └────────────┘      │
└────────────────────────────────────┘

Network Troubleshooting

# Inspect container networking
docker inspect --format='{{json .NetworkSettings}}' my-container | jq

# Check container connectivity
docker exec my-container ping -c 3 other-container

# Check DNS resolution
docker exec my-container nslookup other-container

# View network interfaces inside a container
docker exec my-container ip addr show

# View routing table
docker exec my-container ip route

# Check port bindings
docker port my-container

# Use a network debugging container
docker run -it --network my-network nicolaka/netshoot

Network Security

Isolate Sensitive Services

# Create isolated networks for different tiers
docker network create frontend-net
docker network create backend-net --internal  # No external access

# Only the API can communicate with the database
docker run -d --name db --network backend-net postgres:16
docker run -d --name api --network backend-net --network frontend-net my-api
docker run -d --name web --network frontend-net -p 80:80 nginx

Disable Inter-Container Communication

# Create a network with ICC disabled
docker network create --driver bridge \
  -o com.docker.network.bridge.enable_icc=false \
  isolated-net

Next Steps

• Storage Management — Learn about Docker volumes and storage
• Security Best Practices — Secure your container networks
• Container Orchestration — Network containers across multiple hosts
• Docker Compose Quick Start — Define multi-container networking with Compose
• Docker Engine Architecture — Understand Docker's networking internals