Chapter 14: Docker Networking Advanced - Custom Networks, DNS, and Load Balancing
Table of Contents
- Docker Networking Overview
- Network Drivers
- Custom Bridge Networks
- Overlay Networks
- DNS and Service Discovery
- Load Balancing
- Network Isolation
- Macvlan Networks
- Network Plugins
- Hands-on Lab
- Summary
Docker Networking Overview
Docker Network Architecture
```text
 Container A            Container B            Container C
 (own net namespace)    (own net namespace)    (own net namespace)
 ┌────────┐             ┌────────┐             ┌────────┐
 │  eth0  │             │  eth0  │             │  eth0  │
 └───┬────┘             └───┬────┘             └───┬────┘
     │ veth pair            │ veth pair            │ veth pair
 ┌───┴────────────────────────┴────────────────────────┴───┐
 │                 Docker bridge (docker0)                 │
 │     vethA ── eth0     vethB ── eth0     vethC ── eth0   │
 └────────────────────────────┬────────────────────────────┘
                              │
                  iptables / NAT / routing
              (DOCKER and DOCKER-USER chains)
                              │
                  Host network interface (eth0)
```

Each container runs in its own network namespace. Its `eth0` is one end of a veth pair; the other end is attached to the bridge on the host. The host's iptables rules masquerade outbound container traffic behind the host address and DNAT published ports inbound. Rules you add yourself belong in the `DOCKER-USER` chain, which Docker evaluates before its own rules and does not overwrite.

Default Networks
```bash
# List all networks
docker network ls

# Output:
# NETWORK ID     NAME      DRIVER    SCOPE
# abc123...      bridge    bridge    local
# def456...      host      host      local
# ghi789...      none      null      local

# Inspect default bridge
docker network inspect bridge
```

Network Drivers
Network Driver Comparison
| Driver | Scope | Use case | Isolation |
| --- | --- | --- | --- |
| bridge | local | Single host, default | Private subnet behind NAT; a user-defined bridge is separated from other bridges by iptables |
| host | local | Remove network isolation | None: the container shares the host's network namespace and port space |
| overlay | swarm | Multi-host, Docker Swarm | High between hosts over VXLAN; the data plane is encrypted only when created with `--opt encrypted` |
| macvlan | local | Direct network access | None from the LAN: the container is a first-class LAN host with its own MAC and IP, and its traffic bypasses the host's Docker iptables chains |
| none | local | Disable networking | Complete: loopback only |
| plugins | varies | Third-party solutions | Varies |

Detailed comparison:

- Bridge: a virtual Ethernet (veth) link into a bridge on the host; NAT for traffic that leaves the host.
- Overlay: VXLAN tunnels between hosts; multi-host; optional encryption; service discovery and a virtual IP per service.
- Macvlan: one MAC address per container directly on the parent interface; no NAT; suits legacy applications that expect a LAN address.

Custom Bridge Networks
Creating a Custom Bridge Network
```bash
# Create a custom bridge network with an explicit subnet; --ip-range limits
# the addresses Docker hands out so the rest of the subnet stays free for
# static assignments (--ip) or reservations (--aux-address)
docker network create \
  --driver bridge \
  --subnet=172.20.0.0/16 \
  --ip-range=172.20.5.0/24 \
  --gateway=172.20.0.1 \
  my-bridge-network

# List networks
docker network ls

# Inspect network
docker network inspect my-bridge-network
```

Using Custom Networks
```bash
# Run containers on the custom network; members resolve each other by name
docker run -d --name web --network my-bridge-network nginx
docker run -d --name api --network my-bridge-network myapi:latest
docker run -d --name db --network my-bridge-network postgres:15

# Connect a running container to the network (takes effect immediately,
# no restart needed)
docker network connect my-bridge-network existing-container

# Disconnect from network
docker network disconnect my-bridge-network existing-container
```

Network Isolation
```text
 Default bridge (docker0)                 User-defined bridge
 ┌───────────────────────────┐            ┌───────────────────────────┐
 │   web ─────────── api     │            │   web ─────────── api     │
 │   (plus every other       │            │   (only containers        │
 │    container on docker0)  │            │    attached to it)        │
 │   name resolution: none   │            │   embedded DNS 127.0.0.11 │
 │   (legacy --link only)    │            │   names and aliases       │
 └───────────────────────────┘            └───────────────────────────┘
   ✗ shared by all containers               ✓ isolated from other bridges
   ✗ no embedded DNS                        ✓ connect/disconnect at runtime
```

Problem: on the default bridge every container can reach every other container by IP, and there is no name resolution unless the deprecated `--link` flag is used. Solution: give each tier its own user-defined network. Docker's iptables rules only allow traffic between containers that share a network, so membership is the isolation boundary.

Overlay Networks
What is Overlay Networking?
```text
                     External / underlay network
                               │
           ┌───────────────────┼───────────────────┐
           ▼                   ▼                   ▼
      ┌──────────┐        ┌──────────┐        ┌──────────┐
      │  Host A  │        │  Host B  │        │  Host C  │
      │   App1   │        │   App2   │        │   App3   │
      │    │     │        │    │     │        │    │     │
      │  VXLAN   │◄──────►│  VXLAN   │◄──────►│  VXLAN   │
      └──────────┘        └──────────┘        └──────────┘
              OVERLAY NETWORK: one L2 segment across hosts
```

- Encapsulates container frames in VXLAN over UDP port 4789 between hosts
- Membership and routes are distributed by the swarm gossip protocol (7946 TCP/UDP); managers talk on 2377/TCP
- Automatic service discovery through the embedded DNS
- Built-in load balancing (one virtual IP per service)
- The data plane is plaintext on the wire unless the network is created with `--opt encrypted`; restrict 4789, 7946 and 2377 to cluster members at the firewall

Creating Overlay Networks
```bash
# Initialize Docker Swarm first (required for overlay networks)
docker swarm init

# Create overlay network; --attachable lets plain `docker run` containers
# join it, not only swarm services
docker network create \
  --driver overlay \
  --attachable \
  my-overlay-network

# Run containers on overlay network
docker run -d --name web --network my-overlay-network nginx
docker run -d --name api --network my-overlay-network myapi:latest
```

Encrypted Overlay Network
```bash
# Create encrypted overlay network: node-to-node VXLAN traffic is wrapped
# in IPsec (ESP). The swarm control plane is encrypted regardless; this
# option is what protects the container traffic itself.
docker network create \
  --driver overlay \
  --opt encrypted \
  --attachable \
  secure-overlay
```

Encryption costs some CPU and throughput and is not supported on Windows nodes. Without it, anyone on the path between hosts can read container traffic, so use it whenever the underlay is not trusted.

DNS and Service Discovery
Docker Embedded DNS
```text
 Container A                            Docker embedded DNS (127.0.0.11)
 ┌──────────────┐   1. query "api"      ┌──────────────────────────────┐
 │ app          │ ────────────────────► │ • container names            │
 │ resolver     │                       │ • network aliases            │
 │ (resolv.conf │ ◄──────────────────── │ • service names, tasks.<svc> │
 │  → 127.0.0.11│   2. answer 172.18.0.2│ • forwards unknown names to  │
 │ )            │                       │   the upstream resolver      │
 └──────────────┘                       └──────────────────────────────┘
                                                      │
                                                      ▼
                                           Container B (name: api,
                                           IP 172.18.0.2)
```

DNS records:

- Container name → IP address
- Network alias → IP address
- Records are network-scoped: a name only resolves from containers that share a network with it
- `127.0.0.11` is configured only on user-defined networks; the default bridge gets the host's resolvers and no container name resolution

Using DNS in Practice
```bash
# Create a user-defined network. Name resolution on it goes through the
# embedded DNS at 127.0.0.11; `docker network create` has no --dns flag,
# upstream resolvers are set per container (--dns) or in daemon.json
docker network create \
  --driver bridge \
  --gateway=172.25.0.1 \
  --subnet=172.25.0.0/16 \
  custom-dns-network

# Run containers; --dns sets the upstream the embedded DNS forwards to for
# names it does not know. --network-alias adds a second name at start time
docker run -d --name web --network custom-dns-network --dns 8.8.8.8 nginx
docker run -d --name api --network custom-dns-network --dns 8.8.8.8 \
  --network-alias api-service myapi

# From web container, access api by name (needs curl in the image)
docker exec web curl http://api:8080

# Add a network alias when connecting an existing container to a network;
# the alias only resolves on that network
docker network connect --alias api-service custom-dns-network existing-container

# Inspect DNS config: on a user-defined network it points at 127.0.0.11
docker exec web cat /etc/resolv.conf
```

DNS Options
```bash
# Run with custom upstream DNS servers
docker run --dns 8.8.8.8 --dns 8.8.4.4 nginx

# Run with custom search domain
docker run --dns-search mycompany.local nginx

# Run with specific hostname
docker run --hostname myapp-server nginx
```

Load Balancing
Docker Internal Load Balancing
```text
              docker service "myapp" (3 replicas)
                             │
                 Virtual IP (VIP) from embedded DNS
                             │
            IPVS in the kernel, round-robin over healthy tasks
              ┌──────────────┼──────────────┐
              ▼              ▼              ▼
        ┌────────────┐ ┌────────────┐ ┌────────────┐
        │ Container 1│ │ Container 2│ │ Container 3│
        │ 172.18.0.2 │ │ 172.18.0.3 │ │ 172.18.0.4 │
        └────────────┘ └────────────┘ └────────────┘
```

Features:

- Automatic distribution: the service name resolves to a VIP and IPVS spreads connections across tasks in round-robin order
- Health checks: tasks whose `HEALTHCHECK` fails are removed from the VIP
- Service discovery integration: `tasks.<service>` resolves to the individual task IPs for clients that want to balance themselves (`--endpoint-mode dnsrr` does the same for the service name)
- No external load balancer needed for service-to-service traffic

Swarm's built-in balancer only does round-robin. Least-connections, source-hash and random algorithms are features of a proxy such as HAProxy, covered below.

Publishing Ports with Load Balancing
```bash
# Run multiple replicas (Swarm)
docker service create \
  --name myapp \
  --replicas 3 \
  --publish published=8080,target=80 \
  nginx

# Clients reach any replica through port 8080; Docker distributes
# connections across the three tasks
```

With the default `mode=ingress`, the routing mesh opens port 8080 on every node in the swarm, including nodes that run no task of the service. If that is not intended, publish with `--publish published=8080,target=80,mode=host`, which binds the port only on nodes where a task runs, and keep the swarm ports (2377/TCP, 7946/TCP+UDP, 4789/UDP) firewalled to cluster members.

HAProxy for Advanced Load Balancing
```dockerfile
# haproxy/Dockerfile
FROM haproxy:2.8
COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
```

```text
# haproxy.cfg
global
    log stdout format raw local0
    maxconn 4096

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

# Re-resolve backend names through Docker's embedded DNS, so containers
# that are recreated with new IPs are picked up without restarting HAProxy
# and a backend that is down at start time does not abort startup
resolvers docker
    nameserver dns1 127.0.0.11:53
    resolve_retries 3
    timeout resolve 1s
    hold valid 10s

frontend http_front
    bind *:80
    default_backend api_back

backend api_back
    balance roundrobin
    server api1 api1:8080 check resolvers docker init-addr libc,none
    server api2 api2:8080 check resolvers docker init-addr libc,none
    server api3 api3:8080 check resolvers docker init-addr libc,none
```

The HAProxy container must share a user-defined network with `api1`, `api2` and `api3`, otherwise the names do not resolve at all. `check` enables active health checks, so a backend that stops answering is taken out of rotation.

Network Isolation
Internal Networks
```bash
# Create internal network (no external access)
docker network create --driver bridge --internal backend-network

# Containers on it can reach each other and resolve each other's names,
# but Docker adds no masquerade rule and no default route for the network,
# so they cannot reach external networks or the internet
docker run -d --name db --network backend-network postgres:15
docker run -d --name app --network backend-network myapp

# app can reach db, but neither can reach the internet
```

Two caveats. Port publishing is not set up for an `--internal` network, so a service that must be reachable from outside needs a second, non-internal network (the lab below does exactly this with the frontend). And `--internal` is enforced by iptables on the host: a container attached to both an internal network and a normal one is a route between the two, so treat every multi-homed container as a gateway that needs its own hardening.

Network Segmentation
```text
                            Internet
                               │
                     Load balancer / ingress
                               │ (published port)
 ┌───────────────────┐  ┌───────────────────┐  ┌───────────────────┐
 │ frontend-network  │  │ backend-network   │  │ database-network  │
 │ (bridge)          │  │ (bridge, internal)│  │ (bridge, internal)│
 │   web-1   web-2   │  │   api-1   api-2   │  │     postgres      │
 └─────────┬─────────┘  └────┬─────────┬────┘  └─────────┬─────────┘
           │                 │         │                 │
           └─── web-* joins ─┘         └─── api-* joins ─┘
```

Traffic flow: Internet → LB → frontend → backend → database.

Isolation rules:

- Frontend → Backend: ALLOW (the web containers are attached to both networks)
- Frontend → Database: DENY (no shared network, so no route and no name resolution)
- Backend → Database: ALLOW (the api containers are attached to both networks)
- Outside → Backend or Database: DENY (internal networks, no published ports)

Macvlan Networks
What is Macvlan?
```text
 Bridge mode                               Macvlan mode
 ┌───────────────────────────┐             ┌───────────────────────────┐
 │ container eth0 (172.x.x.x)│             │ container eth0 (LAN IP)   │
 │        │ veth              │             │        │ own MAC           │
 │   docker0 bridge          │             │   macvlan sub-interface   │
 │        │ NAT / iptables    │             │        │ no NAT            │
 │   host eth0               │             │   host eth0 (parent)      │
 └───────────────────────────┘             └───────────────────────────┘
  private IP, reached through NAT           a host on the LAN with its
  and published ports                       own MAC and LAN IP, no NAT
```

Use cases:

- Legacy applications that need direct network access
- Applications requiring specific IP addresses
- High-performance workloads (no NAT or bridge hop)
- Migrating from VMs to containers

What macvlan costs in isolation: the container is exposed to the LAN exactly like a physical host, and its traffic never passes docker0 or the `DOCKER`/`DOCKER-USER` iptables chains, so host-side Docker firewall rules do not apply to it. The parent interface has to accept frames for many MAC addresses (promiscuous mode), which many hypervisor switches and cloud networks block. And by default the host itself cannot talk to its own macvlan containers through the parent interface, a kernel limitation of the macvlan driver.

Creating Macvlan Networks
```bash
# Create macvlan network: containers get addresses from the LAN subnet and
# sit directly on the parent interface. Docker's IPAM assigns addresses
# itself (it does not use DHCP), so keep its --ip-range or --aux-address
# reservations out of the range the LAN's DHCP server hands out
docker network create -d macvlan \
  --subnet=192.168.100.0/24 \
  --gateway=192.168.100.1 \
  -o parent=eth0 \
  my-macvlan

# Run container with a fixed LAN address
docker run -d --name myapp \
  --network my-macvlan \
  --ip 192.168.100.10 \
  myimage:latest
```

Network Plugins
Third-Party Network Plugins
Popular network plugins:

- Calico: BGP routing, network policy, scales to large clusters
- Weave: mesh overlay with optional encryption, easy setup
- Flannel: VXLAN overlay, simple, Kubernetes-native
- Canal: Calico policy on top of Flannel networking
- Romana: policy-driven, CNI
- Cilium: eBPF data path, observability through Hubble

Most of these are Kubernetes CNI plugins; Docker Engine itself loads libnetwork plugins with `docker plugin install`, and only some vendors ship that form. A network plugin runs with the daemon's privileges (host network namespace, `CAP_NET_ADMIN`), so treat it as a supply-chain decision: pin a version, verify the publisher, and review the capabilities it requests with `docker plugin inspect` before granting them.

Installing plugins:

```bash
docker plugin install <plugin>

# Example (check the vendor's current plugin name and maintenance status first)
docker plugin install weaveworks/plugin:net
```

Hands-on Lab
Lab: Multi-Tier Network Architecture
Section titled “Lab: Multi-Tier Network Architecture”In this hands-on lab, we’ll create a secure multi-tier network architecture.
Prerequisites
- Docker installed
- Docker Swarm initialized (optional, for overlay networks)
Lab Steps
```bash
# Step 1: Create networks
# Frontend network (public-facing)
docker network create --driver bridge frontend-network

# Backend network (internal: no route to the outside)
docker network create --driver bridge --internal backend-network

# Database network (most restricted)
docker network create --driver bridge --internal database-network

# Step 2: List networks
docker network ls

# Step 3: Start services in appropriate networks

# Database layer (an inline password is fine for a lab; use a secret store otherwise)
docker run -d \
  --name database \
  --network database-network \
  -e POSTGRES_PASSWORD=secret \
  postgres:15

# Backend API
docker run -d \
  --name api \
  --network backend-network \
  myapi:latest

# Connect API to database network. api is now multi-homed: the only path
# between backend-network and database-network
docker network connect database-network api

# Frontend web server (published port works because frontend-network is
# not internal)
docker run -d \
  --name frontend \
  --network frontend-network \
  -p 8080:80 \
  nginx

# Connect frontend to backend
docker network connect backend-network frontend

# Step 4: Verify network isolation
# Names only resolve between containers that share a network, so a lookup
# is the simplest probe and does not need ping in the application image
docker exec frontend getent hosts api        # works: shared backend-network
docker exec frontend getent hosts database   # fails: no shared network
docker exec api getent hosts database        # works if the image has getent

# Image-independent probe: a throwaway container attached to one network
docker run --rm --network frontend-network busybox nslookup api        # fails
docker run --rm --network backend-network busybox nslookup database    # fails
docker run --rm --network database-network busybox ping -c 1 database  # works

# Step 5: Test web access
curl http://localhost:8080
```
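Probing tells you what one container can reach right now; the daemon's own view of the networks tells you what every container could reach. The script below is an added example, not part of the lab or of Docker: it reads the JSON that `docker network inspect` prints for all networks (`docker network inspect $(docker network ls -q) | python3 audit.py`), using only the real `Name`, `Internal` and `Containers` fields, and derives the reachability between containers, which names resolve from where (the network-scoped DNS rule from the DNS section), which containers straddle an internal and a non-internal network, and whether the segmentation deny list above holds. The embedded sample JSON is constructed to mirror the lab's three networks with a stray container left on the default bridge; its container IDs and IPs are made up, and `simulate_connect` is a hypothetical helper that models `docker network connect` so a policy break can be shown offline.

```python
"""Audit Docker network membership from `docker network inspect` output.

Added example (not part of the chapter). Fields used (Name, Internal,
Containers[*].Name, Containers[*].IPv4Address) exist in the real output;
everything else here is a model of what those fields imply.
"""
import json
import sys

# Constructed sample of `docker network inspect $(docker network ls -q)`,
# trimmed to the fields the audit uses. It mirrors the lab: frontend-network
# is a normal bridge, backend-network and database-network are --internal.
# A forgotten "debug" container on the default bridge is included on purpose.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge", "Internal": False,
     "Containers": {"c4": {"Name": "debug", "IPv4Address": "172.17.0.2/16"}}},
    {"Name": "frontend-network", "Driver": "bridge", "Internal": False,
     "Containers": {"c1": {"Name": "frontend", "IPv4Address": "172.18.0.2/16"}}},
    {"Name": "backend-network", "Driver": "bridge", "Internal": True,
     "Containers": {"c1": {"Name": "frontend", "IPv4Address": "172.19.0.3/16"},
                    "c2": {"Name": "api", "IPv4Address": "172.19.0.2/16"}}},
    {"Name": "database-network", "Driver": "bridge", "Internal": True,
     "Containers": {"c2": {"Name": "api", "IPv4Address": "172.20.0.3/16"},
                    "c3": {"Name": "database", "IPv4Address": "172.20.0.2/16"}}},
])


def parse_networks(inspect_json):
    """Map network name -> {'internal': bool, 'members': {container: ip}}."""
    networks = {}
    for net in json.loads(inspect_json):
        members = {c["Name"]: c.get("IPv4Address", "").split("/")[0]
                   for c in net.get("Containers", {}).values()}
        networks[net["Name"]] = {"internal": bool(net.get("Internal", False)),
                                 "members": members}
    return networks


def reachability(networks):
    """Container -> other containers it shares at least one network with.

    The bridge driver does not filter traffic between members of the same
    network, so a shared network means full L3 reachability.
    """
    reach = {}
    for net in networks.values():
        names = set(net["members"])
        for a in names:
            reach.setdefault(a, set()).update(names - {a})
    return reach


def resolve(networks, src, name):
    """IPs the embedded DNS answers for `name` when `src` asks.

    Records are network-scoped: only networks both containers are attached
    to contribute answers. Empty set = NXDOMAIN (or a forward upstream,
    which is outside this model).
    """
    return {net["members"][name] for net in networks.values()
            if src in net["members"] and name in net["members"]}


def bridging_containers(networks):
    """Containers attached to both an internal and a non-internal network:
    the only path out of an --internal network, hence the pivot to harden."""
    internal, external = set(), set()
    for net in networks.values():
        (internal if net["internal"] else external).update(net["members"])
    return internal & external


def default_bridge_members(networks):
    """Containers still on docker0: reachable by every other docker0
    container and without name resolution, i.e. not segmented at all."""
    return set(networks.get("bridge", {"members": {}})["members"])


def policy_violations(networks, deny):
    """(src, dst) pairs from `deny` that are in fact reachable."""
    reach = reachability(networks)
    return sorted((s, d) for s, d in deny if d in reach.get(s, set()))


def simulate_connect(inspect_json, network, container, ip="0.0.0.0"):
    """Hypothetical helper: inspect JSON as it would look after
    `docker network connect <network> <container>` (IP is a placeholder)."""
    data = json.loads(inspect_json)
    for net in data:
        if net["Name"] == network:
            net.setdefault("Containers", {})["sim-" + container] = {
                "Name": container, "IPv4Address": ip + "/16"}
    return json.dumps(data)


# The lab's intended policy as a deny list; anything not listed is allowed.
LAB_DENY = {("frontend", "database"), ("database", "frontend")}

if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    nets = parse_networks(raw)
    print("reachability:", {k: sorted(v) for k, v in reachability(nets).items()})
    print("'database' from frontend:", resolve(nets, "frontend", "database"))
    print("'database' from api:", resolve(nets, "api", "database"))
    print("bridging containers:", sorted(bridging_containers(nets)))
    print("still on docker0:", sorted(default_bridge_members(nets)))
    print("violations:", policy_violations(nets, LAB_DENY))
    # Someone "temporarily" connects the frontend straight to the DB network:
    leaky = parse_networks(simulate_connect(SAMPLE_INSPECT, "database-network", "frontend"))
    print("violations after connect:", policy_violations(leaky, LAB_DENY))
```

On the sample, `frontend` reaches only `api`, `database` does not resolve from `frontend` but does from `api`, `frontend` is the single bridging container (by design: it is the ingress), `debug` is flagged as unsegmented, and the deny list holds until the simulated `docker network connect` attaches `frontend` to `database-network`, at which point both directions of the frontend/database rule are reported.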
```bash
# Step 6: Clean up
docker stop frontend api database
docker rm frontend api database
docker network rm frontend-network backend-network database-network
```

Summary
Key Takeaways
Section titled “Key Takeaways”- Network Drivers - Choose the right driver for your use case
- Custom Networks - Create custom networks for better control
- DNS - Docker provides built-in DNS for service discovery
- Isolation - Use internal networks for security
- Overlay Networks - For multi-host communication
- Macvlan - For legacy apps needing direct network access
Quick Reference Commands
```bash
# Create networks
docker network create --driver bridge my-network
docker network create --driver overlay --attachable my-overlay

# Inspect network
docker network inspect <network>

# Connect/disconnect containers
docker network connect <network> <container>
docker network disconnect <network> <container>

# DNS lookup (needs nslookup in the image; busybox and alpine have it)
docker exec <container> nslookup <service-name>
```

Next Steps
In the next chapter, we’ll explore Docker in CI/CD (Chapter 15), covering:
- Building Docker images in CI/CD pipelines
- Testing containers
- Registry integration
- Deployment strategies