In this article, you are going to learn Docker container networking and We will cover different types of networks used in the Docker world and how to create your own, user-defined networks. Please, read our previous article before proceeding to this article where we learn How to Mount Docker Volume into a Container.
Understand the Default Docker Network Model
Let’s start by taking a look at Docker’s default network model.
Docker uses the networking capabilities of the host machine operating system to provide networking support for the containers running on the host machine.
Once the Docker daemon is installed on the host machine, A bridge network interface “Docker 0” is provisioned on the host which will be used to bridge the traffic from the outside network to the internal containers hosted on the host machine.
Each container connects to the bridge network through its container network interface. Containers can connect to each other and connect to the outside world through this bridge network interface. This is how the default Docker network model called bridge network looks like.
Docker Network Types
There are actually four different types of Docker networks:
1] Closed network which is also called none network.
2] Bridge network
3] Host network
4] Overlay network.
We will deep dive into each of those four different Docker networks in the following examples So, that you can make a decision to choose which Docker network model to use when creating Docker containers.
here, we’ll show you how to check the existing Docker networks on your system. Let’s go and open the terminal and type “Docker network ls” command.
By default, there should be three Docker network created out of the box when Docker is installed on your system. The bridge network, the host network, and the none network.
Understand the None Network Model
Actually, we are going to understand the none network. This network does not have any access to the outside world.
Actually, the none network adds a container to a container-specific network stack. That container lacks a network interface, so it is totally isolated. This kind of container is called a closed container.
Let’s see in below example, In order to create a closed container, we can use the “–net none” option in the “docker run” command.
This should start up a closed container in the none network from the BusyBox image “Sleep 1000” should keep the container in a running state.
Now, let’s log in to the container and verify that this is indeed an isolated container.
We copy the container ID first, do “docker exec -it”, paste the container ID, and do “/bin/ash”. In case you don’t know ash, ash is a very lightweight Unix shell. Busybox is a tiny Linux distribution that comes with ash instead of the bash shell.
Now, we are logged inside the container. To verify that we are disconnected from the outside world.
We can ping Google public DNS IP which is 18.104.22.168, If we ping this IP from our host machine, as you see, there is no problem to reach Google public DNS.
If we ping this IP from the closed container, the IP is unreachable.
This container is isolated from the outside world. Now, we run ifconfig command inside the container to list all the network interfaces of the container.
As you see, there is only one network interface. This is a special type of interface called the loopback interface. It is not connected to any docker network and it is assigned a special IP address 127.0.0.1. It is mainly used by internal applications on the local host machine to communicate with each other.
The benefit of this isolated network model
The biggest benefit of this isolated network model is that,
- It provides the maximum level of network protection because the containers can not be reached from outside the host.
- However, this network model won’t be a good choice if the network or Internet connection is required. For example, if the application requires making HTTP requests to the outside world.
- This isolated network suites well where the container requires the maximum level of network security and network access is not necessary.
Understand the Bridge Network Model
Here, we are going to understand about another network model, the bridge network model. This is the default type of network in Docker containers.
All the containers in the same bridge network are connected with each other and they can connect to the outside world via the bridge network interface.
Let’s go and open a new terminal. then, We execute the “Docker network ls” command to list all the Docker networks on my localhost.
Docker Network Inspect
Docker creates a default bridge network called bridge when Docker daemon is initialized. We can check out the details of this bridge network by running the “docker network inspect” command.
As you see, the subnet “172.17.0.0/16” is allocated for this bridge network. The IP range of this subnet is from 172.17.0.0 to 172.17.255.255
Now, let’s execute our first container on this bridge network.
In this docker run command, we don’t specify the “–net” flag, the built-in bridge network will be automatically chosen for the container.
Now, the container is up running. Let’s run ifconfig inside the container to list all the network interfaces of the container.
As you see, there are two network interfaces. A loopback interface and a private network interface.
The loopback interface is the same as one of the closed containers of 127.0.0.1 and it is used for internal applications and can’t be connected to the outside world.
The private network interface is connected to the bridge network.
As we have demoed previously, the bridge network on the host machine has the IP range between 172.17.0.0 to 172.17.255.255. This network interface is exactly within the range. It can be used to access other containers in the same bridge network.
Let’s understand that.
Here, we create another container “container_2” in the same bridge network and If we list all the network interfaces of this container.
As you see the private network interface of the second container is 172.17.0.3 which is also within the IP range of the bridge network.
Now, let’s ping container2 from container1.
As you see, container1 can reach container2 by IP via the private network interfaces of each other. Containers can also use this private network interface to connect to the outside world.
Let’s ping 22.214.171.124 from container1. We can reach the public DNS from this container.
Now we have demoed containers within the same bridge network that can connect to each other. They can also connect to the outside world.
Bridge to Bridge networks connection
However, by default different bridge networks are isolated from each other; containers within one bridge network can’t access containers within another bridge network.
Let’s see in the below example. Here we create another custom bridge network. The command to create a Docker network is “docker network create“.
The “docker network create” command takes a –driver option, which specifies the driver of the network, we use the bridge driver to create a bridge network. Then we need to give the new network a name. Just name it my_bridge network.
Now, the network has been created. If we do “docker network ls”
We can find out the newly created Docker network. Let’s check out the IP range of this new network. The subnet is 172.18.0.0/16. And the IP range is from 172.18.0.0 to 172.18.255.255.
Let’s create a container3 from the new bridge network. Just add a “–net” option, and add the name of the new bridge network.
Now, if we check the IP of container3, we can see it is within the IP range of the new bridge network.
Next, we get the IP of container 1. And ping container 1 from container 3.
As you see, we can’t reach container 1 from container 3, because they are within different bridge networks, and each bridge network is isolated from each other.
But, Docker has a feature that allows us to connect a container to another network. Once connected, the container can communicate with other containers in the same network.
Benefits of the bridge network model
1] In a bridge network model, containers have access to two network interfaces: the loopback interface, which does not have network access to the outside, and a private interface that is connected to the bridge network of the host. This is the one used to connect to the outside network.
2] All containers in the same bridge network can communicate with each other.
So, the Containers from different bridge networks can’t connect with each other by default. But we can manually connect a container to another bridge network.
3] Bridge network is the most common network-model in Docker. Comparing with the none network.
4] The Bridge network reduces the level of network isolation in favor of better outside connectivity.
5] A bridge network is most suitable where you want to set up a relatively small network on a single host.
Thank you for reading this article, I hope you will understand the Docker Networking. We’ll get into more details about this when we’ll learn How to Build Docker Images by using Dockerfile in the next article.