Skip to content

8.05 Prerequisite: Docker Networking

Abstract

Docker networking defines how containers communicate with each other, the host, and external networks.

This page explains Docker network modes such as none, host, and bridge, and connects them to Linux concepts like network namespaces, veth pairs, bridges, and iptables NAT.

These basics help in understanding Kubernetes networking and CNI.

Docker Networking Overview

When you run a Docker container, Docker gives you different networking options.

Common network modes:

Network Mode Description
none No network connectivity
host Container shares host network
bridge Container connects to Docker bridge network

Note

Docker networking is built using Linux networking features such as network namespaces, virtual ethernet pairs, Linux bridges, and iptables.

Docker Host Example

Assume a Docker host has:

Interface IP Address
eth0 192.168.1.10

The host is connected to the LAN through eth0.

Containers can use different networking modes depending on how they are started.

Network Mode: None

In none mode, the container is not attached to any network.

Run container:

docker run --network none nginx

Behavior:

  • no external connectivity
  • no container-to-container connectivity
  • no access from outside
  • isolated network namespace

Warning

none mode is useful for strict isolation, but the application cannot communicate over the network unless you configure networking manually.

Network Mode: Host

In host mode, the container shares the host network stack.

Run container:

docker run --network host nginx

Behavior:

  • no network isolation from the host
  • container uses host IP directly
  • application port is exposed directly on the host
  • no port mapping required

Example:

http://192.168.1.10:80

Danger

Host networking removes network isolation. Use it carefully in production.

Host Mode Port Conflict

If one container is already using port 80, another container cannot bind to the same host port.

Example:

docker run --network host nginx
docker run --network host nginx

The second container may fail if port 80 is already in use.

Note

Two processes cannot listen on the same IP and port at the same time.

Network Mode: Bridge

Bridge mode is Docker’s default networking mode.

Run container:

docker run nginx

Docker creates an internal private network:

172.17.0.0/16

Containers get IPs like:

172.17.0.2
172.17.0.3

Success

Bridge mode provides network isolation while still allowing controlled communication.

Docker Bridge Network

When Docker is installed, it creates a default bridge network.

List Docker networks:

docker network ls

Example output:

NETWORK ID     NAME      DRIVER    SCOPE
xxxx           bridge    bridge    local
xxxx           host      host      local
xxxx           none      null      local

Note

Docker calls the default network bridge, but on the Linux host it appears as the interface docker0.

View Docker Bridge on Host

View interfaces:

ip link

You should see:

docker0

View IP address:

ip addr show docker0

Example:

inet 172.17.0.1/16

Tip

docker0 acts like a virtual switch for containers and an interface for the host.

Docker Uses Linux Bridge

Docker internally creates a Linux bridge similar to:

ip link add docker0 type bridge

The bridge network:

docker0 → 172.17.0.1

Containers attach to this bridge using veth pairs.

Container Network Namespace

For each container, Docker creates a network namespace.

Inside that namespace, the container gets:

  • its own interface
  • its own IP address
  • its own routing table
  • its own ARP table

Note

A container’s network namespace is isolated from the host network namespace.

Docker veth Pair

Docker connects a container to the bridge using a veth pair.

Flow:

Container eth0
veth pair
docker0 bridge
host eth0

Example:

container eth0@if8
host vethxxxx@if7

Tip

veth interface pairs often appear as matching odd/even interface numbers.

Container IP Assignment

Docker assigns each container an IP from the bridge network.

Example:

Container IP: 172.17.0.3
Bridge IP:    172.17.0.1

Check container IP:

docker inspect <container-id>

or from inside the container:

ip addr

Container-to-Container Communication

Containers on the same bridge network can communicate using their private IPs.

Example:

curl http://172.17.0.3:80

Success

Containers attached to the same Docker bridge can communicate with each other by default.

Accessing Container from Host

If an nginx container is running on port 80, the Docker host can access it using the container IP:

curl http://172.17.0.3:80

But external systems cannot directly access this private container IP.

Warning

Container bridge IPs are private to the Docker host network.

Port Publishing

To expose a container to external users, publish a host port to a container port.

Example:

docker run -p 8080:80 nginx

This maps:

Host port 8080 → Container port 80

Access from outside:

curl http://192.168.1.10:8080

Note

Port publishing is also called port mapping.

How Docker Port Mapping Works

Docker uses iptables NAT rules to forward traffic.

Conceptually:

Host IP:8080
iptables DNAT
Container IP:80

Docker creates NAT rules automatically when you use:

docker run -p 8080:80 nginx

Tip

If port publishing is not working, inspect Docker container ports and iptables NAT rules.

View iptables NAT Rules

Check NAT table:

iptables -t nat -L

Or with more details:

iptables -t nat -L -n -v

Docker usually creates rules in the DOCKER chain.

Warning

Avoid manually editing Docker-managed iptables rules unless you fully understand the impact.

Docker Networking Modes Comparison

Feature None Host Bridge
Network isolation High None Medium
External access No Direct Through port mapping
Container IP No useful external IP Uses host IP Private bridge IP
Port conflicts No Possible Avoided with port mapping
Default mode No No Yes

Bridge Mode Packet Flow

When external traffic reaches a published container port:

External Client
Docker Host IP:8080
iptables NAT
docker0 bridge
veth pair
Container eth0:80

Example

docker run -p 8080:80 nginx allows users to reach nginx at http://<host-ip>:8080.

Relation to Kubernetes CNI

Docker bridge networking helps understand Kubernetes CNI.

Both rely on similar Linux networking concepts:

  • network namespaces
  • veth pairs
  • bridges or routing
  • iptables
  • NAT
  • port forwarding

Note

Kubernetes does not simply use Docker bridge networking for Pod networking. CNI plugins implement Kubernetes networking requirements.

Production Best Practices

Recommended

  • Use bridge networking for normal container isolation
  • Use explicit port publishing only when required
  • Avoid host networking unless there is a strong need
  • Avoid none networking unless isolation is required
  • Monitor exposed ports
  • Use firewall rules and security groups
  • Prefer orchestrator-managed networking in Kubernetes

Do's

  • Use docker network ls to inspect Docker networks
  • Use docker inspect to check container IPs and ports
  • Use ip link and ip addr to inspect bridge interfaces
  • Use -p hostPort:containerPort for controlled exposure
  • Document exposed container ports

Don'ts

  • Don't use host networking casually
  • Don't expose unnecessary ports
  • Don't rely on container bridge IPs for external access
  • Don't manually modify Docker-managed NAT rules without caution
  • Don't assume Docker bridge networking is the same as Kubernetes Pod networking

Danger

Exposing containers incorrectly can create security risks and port conflicts on production hosts.

Troubleshooting Checklist

When Docker networking fails, check:

  • Which network mode is the container using?
  • Is the container attached to the expected Docker network?
  • Does the container have an IP address?
  • Is the application listening on the expected port?
  • Was the port published using -p?
  • Is the host firewall allowing traffic?
  • Are Docker iptables rules present?
  • Is there a host port conflict?

Quick Commands

docker network ls
docker run --network none nginx
docker run --network host nginx
docker run nginx
docker run -p 8080:80 nginx
docker inspect <container-id>
ip link
ip addr show docker0
iptables -t nat -L -n -v
curl http://172.17.0.3:80
curl http://192.168.1.10:8080

Summary

Quote

  • Docker supports none, host, and bridge networking
  • none provides no network connectivity
  • host shares the host network stack
  • bridge creates an internal private container network
  • Docker uses network namespaces, veth pairs, Linux bridge, and iptables
  • Port publishing maps host ports to container ports
  • These concepts help explain Kubernetes CNI networking