Detailed explanation of five Docker container network modes

Docker networking sets up how containers communicate with other containers and external services. In order to gain network access, a container needs to be part of a Docker network. The way a container can communicate depends on its network connection. Docker provides five standard network modes to perform core network functions: Bridge, Host, Overlay, IPvLAN, Macvlan.

1. Bridge Network

Bridge networking forms a virtual bridge between the host machine and the container. Containers on this network can communicate with each other but are isolated from containers not connected to this network.

picture

Each container gets a unique IP address. Through a bridge connection to the host, these containers can also interact with each other, the local network (LAN), and the Internet. However, they do not appear on the LAN as physical devices.

2. Host Network

Containers using host networking mode use the same network settings as the host machine and are not isolated. They do not have separate IP addresses. Instead, any ports they use are directly linked to the host network. For example, if a container process uses port 8080, it can be accessed through 192.168.1.101:8080 (that is, the host's IP address and port number).

picture

Since the application container uses port 8080, no port mapping is required because the container uses the host port in this case. Our database uses port 5432, so it can be accessed through the host's IP address and port 5432.

3. Overlay Network

Overlay networks are networks that span multiple Docker hosts. They allow containers on those hosts to communicate with each other without the operating system managing routing.

Overlay networks are used for Docker Swarm clusters. However, if you have two separately running Docker engines and need to connect their containers directly, you can use them that way as well.

picture

The above diagram is simplified. In a real scenario, the host, like the container, will also get a virtual IP address from the overlay network, and their ranges will be the same.

4. IPvLAN Network

IPvLAN is an advanced mode that provides detailed control over the container's IPv4 and IPv6 addresses, and it also handles Layer 2 and Layer 3 VLAN tagging and routing.

This mode is useful if you need to connect your container service to an existing physical network. IPvLAN networks have their own interfaces and may perform better than bridge-based networks.

picture

The above diagram shows that everything in an IPvLAN setup, including the containers, has its own IP address and is part of the network.

5. Macvlan network

Macvlan is a more advanced option that allows containers to behave like physical devices on the network. It does this by assigning each container its own MAC address.

For this type of network, you need to assign one of the host's physical network interfaces to the virtual network. Additionally, the wider network should be set up to handle the many MAC addresses from a Docker host with a large number of containers.

6. Which network type to use

Bridge networks are suitable for most situations. Containers on these networks can communicate with each other using IP addresses and DNS names. They can also connect to the internet and local networks.

Host networking is useful when you need to use the host's network interfaces directly and do not need to separate container networking. This setup makes the containerized application run as if it is part of the host network.

Overlay networks are necessary when containers on different Docker hosts need to communicate directly. They are ideal for creating distributed applications for increased reliability.

Macvlan networks are useful when containers need to behave like physical devices on the network, such as monitoring network traffic. IPvLAN networks are suitable for advanced needs, such as specific control over container IP addresses, tags, and routing.

7. Create a network

Create a new network using the docker network create command. Specify the driver to use, such as bridge or host, by setting the -d flag. If the flag is omitted, a bridge network will be created.

Run the following command in the first terminal window:

 docker network create test-network -d bridge # 输出是50ed05634f6a3312e56700ef683ca39df44bfc826e2e4da9179c2593c79910f9

The ID of the created network will be displayed in the terminal. Currently, the new network is not usable because no containers are connected to it yet.

However, you can connect the new container to a network by setting the --network flag in the docker run command. Run the following command in a second terminal window:

 docker run -it --rm --name container1 --network test-network busybox:latest

Next, in a third terminal window, start another Ubuntu container, this time without the --network flag:

 docker run -it --rm --name container2 busybox:latest

Now, communicate between the two containers using their names:

 # 在container1中/ # ping container2 ping: bad address 'container2'

The containers are not yet joined to the same network, so they cannot communicate directly with each other.

Use the first terminal window to connect container2 to the network:

 docker network connect test-network container2

The containers now share the same network, which enables them to discover each other:

 # 在container1中/ # ping container2 PING container2 (172.22.0.7): 56 data bytes 64 bytes from 172.22.0.7: seq=0 ttl=64 time=2.205 ms

Docker gives you the freedom to manage network connections without restarting containers. Now that you've learned how to connect to containers after you've created them, you can also remove containers from networks they no longer need to participate in:

 docker network disconnect test-network container2

If you want to remove a network, you need to first disconnect or stop all Docker containers using the network, and then pass the network ID or name to network rm:

 docker network rm test-network

Summarize

Docker's networking system provides a variety of ways to manage how containers communicate with other containers, neighboring containers, and the Docker host. Containers in the same network can connect using their names or IP addresses.