The Docker network mechanism not only builds an efficient communication bridge between containers and external services, but also meets the network isolation and interconnection requirements of different application scenarios through flexible configuration options. Each Docker container can choose, or be assigned, one or more Docker networks to join when it is started. These networks can be the default networks automatically created by Docker (such as the bridge network) or user-defined networks (such as overlay networks, which support cross-host container communication).

1. Docker Network

Docker comes with a powerful network management system that is designed to be both intuitive and flexible, and aims to simplify the communication between containers, Docker hosts, and external networks. The system not only provides tools for network configuration, monitoring, and troubleshooting, but also lets users choose the most suitable network type for their specific needs, achieving efficient resource utilization and stronger security. Docker provides five standard network drivers for core networking functionality:
The Docker network management system enhances container security by isolating networks from one another. Each network can be regarded as an independent virtual network environment, and communication between containers is limited to the networks they have joined. In addition, the system supports the configuration of network policies (such as firewall rules) to further control traffic and access between containers and to reduce potential security threats. The network management system also provides monitoring and debugging tools that help users understand network status, traffic distribution, and potential problems in real time. With these tools, users can quickly locate and resolve common problems such as network latency and packet loss to keep containerized applications running stably. Finally, the Docker network management system supports dynamic network configuration: users can modify network settings at runtime without stopping or restarting the container, which greatly improves the flexibility and scalability of applications.

1.1 Bridge Network

The bridge network builds a virtual communication bridge between the host system and the container environment. Containers on the same bridge network can communicate with each other seamlessly, while remaining isolated from containers that are not part of that network, which keeps the boundaries of the network environment clear.

Each container is assigned a unique IP address, which not only lets containers identify and interact with one another independently, but also lets them reach the local area network (LAN) and even the Internet through the bridge connection with the host. It is worth noting, however, that although these containers can take part in network interactions, they are not directly exposed to the LAN as physical entities, which preserves both the flexibility and the security of the network architecture.
1.2 Host network

A container using host network mode has its network configuration fully integrated into the host machine's network environment, that is, non-isolated network sharing. Such containers no longer have an independent IP address but use the host machine's network stack directly. Therefore, when a process in the container listens on a port (such as port 8888), that port is considered part of the host machine, and external users can access the service in the container directly through the host machine's IP address (such as 192.168.1.101) and the corresponding port number (6666), without any port mapping configuration.

Similarly, if a database service in the container listens on port 3300, the service can be accessed externally through the host's IP address combined with port 3300, reflecting the high degree of integration between the container and host networks in host network mode. It is worth noting that in host network mode, any network activity initiated by the container is performed directly as the host: at the network level, its traffic carries the host's IP address and cannot be distinguished from traffic initiated by the host itself. So while this mode simplifies network configuration, it also requires additional consideration of network security and isolation.

1.3 Overlay Network

Overlay networks are virtual network architectures built across multiple Docker hosts. They cross physical boundaries, allowing containers distributed on different Docker hosts to communicate with each other seamlessly without relying on the routing management of the underlying operating system. This network mode greatly improves the flexibility and efficiency of cross-host container communication.
In a Docker Swarm cluster environment, overlay networks are widely used to interconnect containers, but their use is not limited to cluster scenarios. Even with two independently running Docker Engine instances whose containers need to communicate directly, overlay networks can provide cluster-like network interconnection without relying on the complete cluster function of Docker Swarm, giving users flexible customization and expansion of their network configuration. It is worth mentioning that in an overlay network environment, not only can a container obtain a virtual IP address for cross-host communication, but the Docker host itself can also obtain a virtual IP address in the same network segment. This design makes the network topology clearer and management more convenient, while providing solid network support for complex distributed application architectures.

1.4 IPvLAN Network

IPvLAN provides a highly flexible and powerful mechanism that allows fine-grained configuration and control of IPv4 and IPv6 addresses within containers. It is not limited to address allocation: it also handles VLAN tagging and routing logic at Layer 2 (L2) and Layer 3 (L3), ensuring efficient management and isolation of network traffic.

In scenarios where containerized services need to be integrated seamlessly into an existing physical network architecture, IPvLAN demonstrates its unique advantages and convenience. By allocating independent interfaces to container networks, it achieves a closer and more efficient connection with the physical network, and its performance is often better than traditional bridge-based network configurations, giving containerized applications lower latency and higher throughput.
Under the IPvLAN configuration, each container is assigned an independent IP address and exists as a direct member of the network. This design not only ensures the independence of containers, but also promotes seamless communication between them and the physical network, laying a solid foundation for building complex, high-performance hybrid cloud environments.

1.5 Macvlan Network

Macvlan gives containers the ability to operate as physical devices on the network. Its core is to assign a unique MAC address to each container. This makes the container behave, at the network level, like an independent device directly connected to the physical network, greatly enhancing the flexibility and efficiency of interaction between containers and with external networks.

To support this type of network, users need to allocate a physical network interface on the host (such as an Ethernet interface) as a resource to the virtual network; it serves as the bridge through which containers access the network. As the number of containers on the Docker host increases, managing and maintaining a large number of MAC addresses becomes a challenge. It is therefore particularly important to build a scalable network architecture that can efficiently handle many MAC addresses, so that the network environment remains stable and performant. With careful planning and management, Macvlan can provide powerful and flexible network support for large containerized applications.

2. Which type of Docker network to use

Bridge networks have become the first choice in most containerized deployment scenarios because of their wide applicability and convenience. They build a virtual environment in which containers can easily communicate with each other using IP addresses and DNS names, while maintaining smooth connections to the Internet and local networks, meeting diverse network requirements.
For specific scenarios, such as when the container must use the host's network interface directly and no additional network isolation is needed, host network mode is particularly suitable. In this mode, the containerized application effectively becomes part of the host's network system, sharing network resources directly, which simplifies configuration and improves efficiency.

Overlay networks are the key technology for enabling direct communication between containers across multiple Docker hosts. They provide powerful support for building distributed systems and are an ideal choice for improving application performance and service quality by enhancing system reliability and scalability.

In addition, when the application scenario requires more refined network control of the container, such as requiring the container to behave like a physical device on the network (for example, for network traffic monitoring), the Macvlan network shows its unique value. The IPvLAN network goes a step further and is designed for advanced network management needs, allowing users to precisely customize the container's IP address, VLAN tag and routing policy to meet the most stringent network environment requirements.

3. Examples of using Docker network

Take bridge networking as an example. You can create a new Docker network with the docker network create command, specifying the type of network, such as bridge or host, with the -d flag. If you omit this flag, a bridge network is created by default. Run the following command in a terminal window:

Once the network is created, you will get the network ID. Since no container is connected to it, the new network is not useful yet. However, you can attach a new container to the network by passing the --network flag to the docker run command.
Now if we start another Ubuntu container, this time without the --network flag:

The containers are not yet on the same network, so they cannot communicate directly with each other. You can connect Container 2 to the network:

The containers now share a network and can discover each other. Docker allows you to manage network connections freely without restarting the container, and you can also remove containers from networks they no longer need to participate in:

$ docker network disconnect test-network container2

Any changes you make take effect immediately. If you want to remove a network, disconnect or stop all Docker containers using it; this is also very convenient:

$ docker network rm test-network

4. Summary in one sentence

Docker's network subsystem provides a variety of strategies to finely manage communication between containers, their interoperability with adjacent containers, and their interaction with the Docker host. Containers in the same network domain can establish connections flexibly through their names or their assigned IP addresses. This design greatly simplifies network configuration and promotes seamless collaboration between containers. Although network isolation between Docker containers is relatively loose compared to traditional virtual machines (VMs), Docker still provides advanced network modes such as macvlan, which lets containers behave like physical devices at the network level and take part directly in the forwarding and processing of network traffic, meeting the needs of deep network integration and flexible control in specific scenarios.
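The connect/disconnect steps in section 3 and the host-mode caveat in section 1.2 can both be checked from the JSON that docker network inspect and docker inspect print. The script below is an added example, not code from the original article or from Docker: it reads that JSON and reports which containers can actually reach each other, which containers share the host's network stack, and which ports of bridge-attached containers are reachable from outside. The field names it relies on (Name, Driver, Internal, Options, Containers, HostConfig.NetworkMode, HostConfig.PortBindings) exist in Docker's inspect output; every container name, ID and address in the sample data is constructed.

```python
# Added example (not code from the original article or from Docker itself):
# audit container reachability from `docker network inspect` / `docker inspect`
# JSON. Field names are Docker's; all names, IDs and addresses are constructed.
import json
from typing import Dict, List, Set

# Constructed sample shaped like `docker network inspect test-network bridge`.
# In practice: json.loads(subprocess.check_output(["docker", "network", "inspect", ...]))
NETWORKS: List[dict] = [
    {
        "Name": "test-network",          # user-defined bridge from section 3
        "Driver": "bridge",
        "Internal": False,
        "Options": {},
        "Containers": {
            "c1-placeholder-id": {"Name": "container1", "IPv4Address": "172.18.0.2/16"},
            "c2-placeholder-id": {"Name": "container2", "IPv4Address": "172.18.0.3/16"},
        },
    },
    {
        "Name": "bridge",                # Docker's default bridge
        "Driver": "bridge",
        "Internal": False,
        "Options": {"com.docker.network.bridge.enable_icc": "false"},
        "Containers": {
            "c2-placeholder-id": {"Name": "container2", "IPv4Address": "172.17.0.2/16"},
            "db-placeholder-id": {"Name": "db", "IPv4Address": "172.17.0.3/16"},
        },
    },
]

# Constructed sample shaped like `docker inspect container1 container2 dbproxy`.
CONTAINERS: List[dict] = [
    {"Name": "/container1", "HostConfig": {"NetworkMode": "test-network", "PortBindings": {}}},
    {"Name": "/container2", "HostConfig": {"NetworkMode": "bridge",
     "PortBindings": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]}}},
    {"Name": "/dbproxy", "HostConfig": {"NetworkMode": "host", "PortBindings": {}}},
]


def membership(networks: List[dict]) -> Dict[str, Set[str]]:
    """Map each container name to the set of networks it is attached to."""
    out: Dict[str, Set[str]] = {}
    for net in networks:
        for endpoint in net.get("Containers", {}).values():
            out.setdefault(endpoint["Name"], set()).add(net["Name"])
    return out


def icc_enabled(net: dict) -> bool:
    """Inter-container communication is on unless the bridge option says 'false'."""
    return net.get("Options", {}).get("com.docker.network.bridge.enable_icc", "true") != "false"


def shared_networks(networks: List[dict], a: str, b: str) -> Set[str]:
    """Networks on which a and b can reach each other by IP (and, on user-defined
    networks, by name). A bridge with ICC disabled does not count."""
    by_name = {n["Name"]: n for n in networks}
    members = membership(networks)
    common = members.get(a, set()) & members.get(b, set())
    return {n for n in common if icc_enabled(by_name[n])}


def host_mode_containers(containers: List[dict]) -> List[str]:
    """Containers sharing the host's network stack: every port they listen on is
    a host port, and their traffic leaves with the host's IP address."""
    return sorted(c["Name"].lstrip("/") for c in containers
                  if c["HostConfig"].get("NetworkMode") == "host")


def published_ports(containers: List[dict]) -> Dict[str, List[str]]:
    """For bridge-attached containers only published ports are host-reachable;
    return them as 'hostip:hostport->containerport'."""
    out: Dict[str, List[str]] = {}
    for c in containers:
        name = c["Name"].lstrip("/")
        for cport, bindings in (c["HostConfig"].get("PortBindings") or {}).items():
            for b in bindings:
                out.setdefault(name, []).append(f"{b['HostIp']}:{b['HostPort']}->{cport}")
    return out


def internal_networks(networks: List[dict]) -> List[str]:
    """Networks created with --internal: no route to the host's external networks."""
    return sorted(n["Name"] for n in networks if n.get("Internal"))


if __name__ == "__main__":
    print("container1 <-> container2 via", shared_networks(NETWORKS, "container1", "container2"))
    print("container2 <-> db via", shared_networks(NETWORKS, "container2", "db"))  # ICC off
    print("host-mode containers:", host_mode_containers(CONTAINERS))
    print("published ports:", json.dumps(published_ports(CONTAINERS), indent=2))
    print("internal networks:", internal_networks(NETWORKS))
```

Running docker network disconnect test-network container2 and re-running the inspect commands removes container2 from the test-network endpoint list, and shared_networks then returns an empty set for the pair, which is the observable effect of the step described above. The host-mode check is the one to watch in reviews: a container reported by host_mode_containers has no port mapping boundary at all.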