Docker Networking — Part 1

Linu Bajy
5 min read · Feb 10, 2023


Hi all,

In my previous article, we discussed Docker Compose files and the architecture of Docker. Here, we'll be discussing the different types of networks in Docker. A network is a good way to isolate the containers of your application, and it also matters for the security of the application.

Prerequisites : Basic Networking Concepts

1a. Default bridge

1b. User-defined bridge

2. Host

3. None

4. Overlay

5a. MACvlan bridge

5b. MACvlan 802.1q

6a. IPvlan l2

6b. IPvlan l3

Types of networks

There are six common Docker network types —

bridge network, host and none - used within a single host.

overlay networks, for multi-host communication.

MACvlan networks, which are used to connect Docker containers directly to host network interfaces.

IPvlan networks, which are used to connect Docker containers using the same MAC address (as that of the physical host) but a different IP for each container.

Here, we'll be exploring the first 2 types. Let's explore each one and what it solves.

NOTE: A network and its attributes can be viewed using the command docker network inspect <network name>

Current Architecture of my system where Docker is installed

1a. Default bridge:

This is the default network that is created when Docker is installed on the system. Docker automatically creates a virtual ethernet interface to the docker0 bridge. By default, all containers are mapped to this interface.

Regarding isolation, it provides high isolation. Let me explain a bit more. Suppose we deploy an Nginx container, whose default port is 80. We might assume (or maybe just me) that port 80 of the host system would serve the running container. But no: we won't find Nginx running on port 80 of the host system unless we manually expose it.

The networks named bridge, host and null are created by default. We will see how they differ in the coming sections.

To expose a container port, we could run a command like

docker run -it -d -p 81:80 --name nginx-server nginx

This command means that the port 81 of the host is mapped to port 80 of the Nginx container.

Default Network

Now, what if I want to create my own bridge, with a custom name, that isolates my containers? That brings us to the next type of network.

1b. User defined bridge

Here a user creates a bridge with a custom name, which will not be part of the default bridge.

Here the containers connect to the network via interfaces. I haven't added them for the sake of simplicity.

To create a custom bridge name, we would use the command :

docker network create myappbridge

To remove a bridge, you could simply use the command:

docker network rm <network name>

Here each container gets its own IP address assigned by Docker. And not just that: it can even communicate with the other containers on its network using just the container name.

So what actually happens?

When new containers are brought up in the network, the new network copies some files from the host to its containers so that it can enable the DHCP protocol (which basically enables the host to assign IPs to containers connected to the same network so that they can communicate, just like how devices connect to the router at your home :) ).

2. Host

Here the container is part of the host network and acts as a host. It doesn't really have a network of its own, since it itself acts as a host. This means that it has the same IP as the host. Not just that: unlike the default bridge, it doesn't have to expose any ports explicitly. It runs as if the application were installed on the host without Docker.

docker container run -it -d --network=host nginx:alpine

In conclusion: no port exposure is required, but it doesn't have any isolation.

enps03 is the ethernet peripheral which enables communication between devices.

3. Overlay network

An overlay network is used when multiple hosts are involved. This is similar to the Docker Swarm concept. It is usually used in production environments.

docker network create -d overlay my-overlay-network

To create an overlay network which can be used by swarm services or standalone containers to communicate with other standalone containers running on other Docker daemons, we use the attachable attribute:

$ docker network create -d overlay --attachable my-attachable-overlay

4. None network

This mode does not configure any IP for the container, and the container has no access to the external network or to other containers.

Not every piece of software you run needs network connections. Suppose you're running something that just processes files on disk, or batch jobs: no network is necessary, but you still benefit from the resource isolation of cgroups.

docker container run -it --network=none nginx:alpine
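To check which of the modes above a running container actually uses, the JSON printed by docker inspect can be reviewed with a short script. The following is an added example, not part of the original article: the sample records are constructed, the container names app, edge and batch and the finding labels are assumptions, and only nginx-server and myappbridge come from the commands above.

```python
import json

# Constructed sample in the shape of `docker inspect <container>...` output,
# trimmed to the fields this check reads. Names and IPs are made up.
SAMPLE = json.loads("""
[
 {"Name": "/nginx-server",
  "HostConfig": {"NetworkMode": "bridge"},
  "NetworkSettings": {
    "Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "81"}]},
    "Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
 {"Name": "/app",
  "HostConfig": {"NetworkMode": "myappbridge"},
  "NetworkSettings": {
    "Ports": {"8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}], "9000/tcp": null},
    "Networks": {"myappbridge": {"IPAddress": "172.18.0.2"}}}},
 {"Name": "/edge",
  "HostConfig": {"NetworkMode": "host"},
  "NetworkSettings": {"Ports": {}, "Networks": {"host": {"IPAddress": ""}}}},
 {"Name": "/batch",
  "HostConfig": {"NetworkMode": "none"},
  "NetworkSettings": {"Ports": {}, "Networks": {"none": {"IPAddress": ""}}}}
]
""")

ALL_INTERFACES = {"", "0.0.0.0", "::"}  # host addresses meaning "every interface"

def audit(container):
    """Return a sorted list of findings for one `docker inspect` record."""
    findings = []
    mode = container["HostConfig"]["NetworkMode"]
    net = container["NetworkSettings"]
    if mode == "host":
        findings.append("host-network: shares the host's network stack, no isolation")
    if "bridge" in (net.get("Networks") or {}):
        findings.append("default-bridge: shared with every container started without --network")
    for port, bindings in (net.get("Ports") or {}).items():
        for b in bindings or []:  # None means exposed by the image but not published
            if b.get("HostIp", "") in ALL_INTERFACES:
                findings.append(f"published-all-interfaces: host port {b['HostPort']} -> {port}")
    return sorted(findings)

def audit_all(containers):
    """Map container name (without the leading slash) to its findings."""
    return {c["Name"].lstrip("/"): audit(c) for c in containers}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, findings or ["ok"])
```

The nginx-server record is flagged twice because -p 81:80 publishes on every host interface; publishing as -p 127.0.0.1:81:80 on a user-defined bridge clears both findings.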

Insights:

1. Adding new containers to an existing network is done using the command:

docker network connect <network-name> <container-name>

2. Automatic Service Discovery - It enables Docker containers to communicate with each other.

To be continued…
