
Develop Intelligence - Docker: Docker Networking

Docker networking allows containers to communicate with each other, non-Docker applications, and the Docker host. The default Docker bridge network provides isolation between containers but they can only communicate via IP address. User-defined bridge networks allow containers to resolve each other by name or alias and provide better isolation by only allowing connected containers to communicate. Overlay networks allow containers on different Docker hosts to communicate and secure data transfer across networks.

Uploaded by

saphana9800

Agenda: Docker Networking Basics

• Overview and CLI Commands
• About Docker Network Drivers
• Using the default Bridge Network
• Using User-defined Bridge Network

Overview of Docker Networking

Docker handles the networking for containers and services itself, so that containers can communicate with other containers, with non-Docker applications, and with the Docker host. Whether your Docker hosts run Linux, Windows, or a mix of the two, you can use Docker to manage them in a platform-agnostic way.

C:\> docker info


Plugins:
Volume: local
Network: ics l2bridge l2tunnel nat null overlay transparent #For Windows
Network: bridge host ipvlan macvlan null overlay #For Linux

docker network ls lists all networks associated with Docker on the host.
docker network inspect bridge shows more details about the bridge network.
Note: "Containers": {} => No container is running.
Run a container:
docker run -it ubuntu:latest /bin/bash
Note: If you now inspect the bridge network again, you will see that the container is attached to it.

Docker Network Drivers

Bridge networks (nat in Windows)
• It's a private network restricted to a single Docker host.
• The bridge network is the default network for new containers. This means that unless you specify a different network, all new containers will be connected to the bridge network.
• Each container has its own IP address, which can be used for communicating with other containers.
• A bridge cannot be used for communication between containers on different bridges (either on the same or on different hosts).

docker run -dt --name c1 ubuntu
docker run -dt --name c2 ubuntu
docker network create --driver bridge mycustom-net
docker run -dt --name c3 --network mycustom-net ubuntu
docker run -dt --name c4 --network mycustom-net ubuntu
docker inspect mycustom-net

# c5 starts on the default bridge and is attached to mycustom-net afterwards
# (the name c3 is already taken by the container created above)
docker run -dt --name c5 ubuntu
docker network connect mycustom-net c5
docker inspect mycustom-net
docker attach c5

To Install Ping:
apt-get update
apt-get install iputils-ping -y

Overlay networks
• Overlay networking is a method of using software to create a network abstraction that can run multiple separate virtualized network layers on top of the physical network.
• They are best when you need containers running on different Docker hosts/daemons to communicate, or when multiple applications work together using swarm services.
• Data transferred over the overlay network is secured.
• Works in any cloud / on-prem environment with little or no reconfiguration of the existing physical network.

Walkthrough
docker swarm init
# copy the join command printed by swarm init and run it on another node:
docker swarm join --token <join-token> <manager-ip>:2377
docker node ls
docker network create --driver overlay my-overlay-network
docker service create --name my-svc --network my-overlay-network --replicas 2 alpine sleep 1d
docker service ps my-svc
docker inspect my-overlay-network # We can only see containers on this host.
docker exec -it a5 /bin/sh
# the alpine image has no apt-get; its BusyBox ping is already available
ping 10.0.1.3
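
Swarm encrypts its management traffic by default, but application data on an overlay network is encrypted only when the network was created with `--opt encrypted`. The following added example (not part of the original document) checks `docker network inspect` output for overlay networks that lack that option; the JSON sample is constructed and `payments-overlay` is a hypothetical network name.

```python
import json

# Constructed sample shaped like `docker network inspect` output, trimmed to
# the fields used here. "payments-overlay" is a hypothetical network.
SAMPLE_INSPECT = """
[
  {"Name": "my-overlay-network", "Driver": "overlay", "Scope": "swarm",
   "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4097"}},
  {"Name": "payments-overlay", "Driver": "overlay", "Scope": "swarm",
   "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4098",
               "encrypted": ""}},
  {"Name": "bridge", "Driver": "bridge", "Scope": "local", "Options": {}}
]
"""


def audit_overlay_encryption(inspect_json):
    """Return {network name: "encrypted" | "plaintext-data-plane"} for overlays."""
    report = {}
    for net in json.loads(inspect_json):
        if net.get("Driver") != "overlay":
            continue  # only overlay networks are in scope for this check
        options = net.get("Options") or {}  # Options can be null in the JSON
        # The option is recorded as a key with an empty value.
        status = "encrypted" if "encrypted" in options else "plaintext-data-plane"
        report[net["Name"]] = status
    return report


def unencrypted_overlays(inspect_json):
    """Sorted names of overlay networks created without --opt encrypted."""
    report = audit_overlay_encryption(inspect_json)
    return sorted(name for name, status in report.items() if status != "encrypted")


if __name__ == "__main__":
    for name in unencrypted_overlays(SAMPLE_INSPECT):
        # The option is set at creation time, so the fix is to recreate it:
        #   docker network create --driver overlay --opt encrypted <name>
        print(f"{name}: application traffic between hosts is not encrypted")
```

On a swarm manager, the input can be produced with `docker network inspect $(docker network ls -q)`.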

Macvlan networks (MAC-based VLAN)

• It's a Linux-specific driver.
• Macvlan networks allow you to assign a MAC address to a container, making it appear as a physical device on your network. The Docker daemon routes traffic to containers by their MAC addresses.
• They are best when you are migrating from a VM setup or need your containers to look like physical hosts on your network, each with a unique MAC address.
• They are high performance as they don't need any NAT or Linux bridge.
• Most public cloud providers, including AWS and Azure, do not support macvlan, as it requires promiscuous mode on the network card.

Using the default Bridge Network

• In terms of networking, a bridge network is a Link Layer device which forwards traffic between network segments. A bridge can be a hardware device or a software device running within a host machine's kernel.
• In terms of Docker, a bridge network uses a software bridge which allows containers connected to the same bridge network to communicate, while providing isolation from containers which are not connected to that bridge network. The Docker bridge driver automatically installs rules in the host machine so that containers on different bridge networks cannot communicate directly with each other.
• When you start Docker, a default bridge network (also called bridge) is created automatically, and newly-started containers connect to it unless otherwise specified. You can also create user-defined custom bridge networks.

Differences between user-defined bridges and the default bridge

• DNS Resolution: Containers on the default bridge network can only access each other by IP addresses. On a user-defined bridge network, containers can resolve each other by name or alias.
• Better Isolation: Using a user-defined network provides a scoped network in which only containers attached to that network are able to communicate.
• Attach and Detach: Containers can be attached to and detached from user-defined networks on the fly.
    docker network connect my-network my-container
    docker network disconnect my-network my-container

Walkthrough to show how to use the default bridge network that Docker sets up for you automatically.
In this example, you start two different containers on the same Docker host and do some tests to understand how they communicate with each other.
1. List current networks
docker network ls
2. Start two containers c1 and c2.
docker run -dit --name c1 ubuntu
docker run -dit --name c2 ubuntu
3. Inspect the bridge network to see what containers are connected to it.
docker network inspect bridge
Note that the information about the bridge network is listed, including the IP address of the gateway between the Docker host and the bridge network (172.17.0.1). Under the Containers key, each connected container is listed, along with information about its IP address (172.17.0.2 for c1 and 172.17.0.3 for c2).
4. Find the IP address of container c2
docker inspect c2
5. The containers are running in the background. Use the docker attach command to connect to
docker attach c1
6. From within container c1, note that you will be able to ping google.com (internet)
apt-get update
apt-get install iputils-ping -y
ping -c 3 google.com
7. From within container c1, note that you will be able to ping container c2 by its IP address but not by its name
ping <IP of C2> => Success
ping c2 => Fails
8. Detach from c1 without stopping it by using the detach sequence Ctrl + P + Q
9. Stop and remove both the containers
docker container stop c1 c2
docker container rm c1 c2

To configure the Docker daemon using a JSON file, create a file at /etc/docker/daemon.json on Linux systems, or C:\ProgramData\docker\config\daemon.json on Windows.
On macOS go to the whale in the taskbar > Preferences > Daemon > Advanced.

To configure Docker to use external DNS:

Edit /etc/docker/daemon.json:
{
  "dns": ["10.0.0.2", "8.8.8.8"]
}

Restart Docker:

sudo systemctl restart docker

Using User-defined Bridge Network

Walkthrough to show how to create and use a custom bridge network to connect containers running on the same Docker host.
10. List current networks
docker network ls
11. Create the mycustom-net network. You do not need the --driver bridge flag since it's the default, but this example shows how to specify it.
For Linux: docker network create --driver bridge mycustom-net
For Windows: docker network create --driver nat mycustom-net
12. Inspect the mycustom-net network. This shows you its IP address and the fact that no containers are connected to it:
docker inspect mycustom-net
13. Create your four containers. Notice the --network flags. You can only connect to one network during the docker run command, so you need to use docker network connect afterward to connect c4 to mycustom-net as well.
docker run -dit --name c1 --network mycustom-net ubuntu
docker run -dit --name c2 --network mycustom-net ubuntu
docker run -dit --name c3 ubuntu
docker run -dit --name c4 ubuntu
docker network connect mycustom-net c4
14. Inspect the bridge network and notice that containers c3 and c4 are connected to it.
docker network inspect bridge
15. Inspect the mycustom-net network and notice that containers c1, c2 and c4 are connected to it.
docker network inspect mycustom-net
16. On user-defined networks, containers can communicate by IP address and also resolve a container name to an IP address. This capability is called automatic service discovery.
docker attach c1
ping <IP of C2> => Success
ping c2 => Success
17. From c1, you should not be able to connect to c3 at all, since it is not on the mycustom-net network.
ping <IP of C3> => Fails
18. Detach from c1 without stopping it by using the detach sequence Ctrl + P + Q
19. Remember that c4 is connected to both the default bridge network and mycustom-net. It should be able to reach all of the other containers. However, you will need to address c3 by its IP address. Attach to it and run the tests.
docker container attach c4
ping c1 => Success
ping c2 => Success
ping c3 => Fails
ping <IPofC3> => Success
20. Stop and remove all containers and the network mycustom-net
docker container stop c1 c2 c3 c4
docker container rm c1 c2 c3 c4
docker network rm mycustom-net
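
The ping results in steps 16 to 19 follow from network membership alone. The following added example (not part of the original document) reads `docker network inspect` output and reports, for any pair of containers, whether they can reach each other by name, by IP only, or not at all, and lists containers attached to more than one network, which, like c4, span two otherwise isolated segments. The JSON sample is constructed to match the walkthrough; its IDs and IP addresses are assumed.

```python
import json

# Constructed `docker network inspect bridge mycustom-net` output after step 13,
# trimmed to the fields used here. IDs and IP addresses are assumed values.
SAMPLE = """[
 {"Name": "bridge", "Driver": "bridge", "Containers": {
   "id-c3": {"Name": "c3", "IPv4Address": "172.17.0.2/16"},
   "id-c4": {"Name": "c4", "IPv4Address": "172.17.0.3/16"}}},
 {"Name": "mycustom-net", "Driver": "bridge", "Containers": {
   "id-c1": {"Name": "c1", "IPv4Address": "172.18.0.2/16"},
   "id-c2": {"Name": "c2", "IPv4Address": "172.18.0.3/16"},
   "id-c4": {"Name": "c4", "IPv4Address": "172.18.0.4/16"}}}
]"""

# Assumption: the default network is named "bridge", as on Linux hosts.
DEFAULT_BRIDGE = "bridge"


def membership(inspect_json):
    """Map container name -> set of network names it is attached to."""
    nets = {}
    for net in json.loads(inspect_json):
        for endpoint in (net.get("Containers") or {}).values():
            nets.setdefault(endpoint["Name"], set()).add(net["Name"])
    return nets


def reachability(inspect_json, src, dst):
    """Return "name", "ip-only" or "none" for traffic from src to dst."""
    nets = membership(inspect_json)
    shared = nets.get(src, set()) & nets.get(dst, set())
    if not shared:
        return "none"  # no common bridge: isolated from each other
    # Name resolution exists on user-defined networks, not the default bridge.
    return "name" if shared - {DEFAULT_BRIDGE} else "ip-only"


def dual_homed(inspect_json):
    """Containers on more than one network; each one spans an isolation boundary."""
    return sorted(n for n, s in membership(inspect_json).items() if len(s) > 1)


if __name__ == "__main__":
    for src, dst in [("c1", "c2"), ("c1", "c3"), ("c4", "c1"), ("c4", "c3")]:
        print(f"{src} -> {dst}: {reachability(SAMPLE, src, dst)}")
    print("attached to several networks:", dual_homed(SAMPLE))
```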
