# Chapter 14: Docker Networking Advanced - Custom Networks, DNS, and Load Balancing

## Table of Contents

- Docker Networking Overview
- Network Drivers
- Custom Bridge Networks
- Overlay Networks
- DNS and Service Discovery
- Load Balancing
- Network Isolation
- Macvlan Networks
- Network Plugins
- Hands-on Lab
- Summary
## Docker Networking Overview

### Docker Network Architecture

The architecture diagram shows four layers, top to bottom:

- Container network namespaces: containers A, B and C, each with its own `eth0`.
- The Docker bridge (`docker0`): veth pairs (`vethA`, `vethB`, `vethC`), one end of each pair appearing as the container's `eth0`, the other end attached to the bridge.
- iptables / NAT / routing on the host, which forwards traffic between the bridge and the outside.
- The host network interface (`eth0`).
### Default Networks

```bash
# List all networks
docker network ls

# Output:
# NETWORK ID     NAME     DRIVER   SCOPE
# abc123...      bridge   bridge   local
# def456...      host     host     local
# ghi789...      none     null     local

# Inspect default bridge
docker network inspect bridge
```
## Network Drivers

### Network Driver Comparison

| Driver  | Scope  | Use Case                  | Isolation |
|---------|--------|---------------------------|-----------|
| bridge  | local  | Single host, default      | High      |
| host    | local  | Remove network isolation  | None      |
| overlay | swarm  | Multi-host, Docker Swarm  | High      |
| macvlan | local  | Direct network access     | Highest   |
| none    | local  | Disable networking        | Complete  |
| plugins | varies | Third-party solutions     | Varies    |

Detailed comparison:

- bridge: virtual Ethernet on the host; NAT for external traffic.
- overlay: VXLAN tunnel; multi-host; can be encrypted; service discovery.
- macvlan: a direct MAC address per container; no NAT; suited to legacy apps.
## Custom Bridge Networks

### Creating a Custom Bridge Network

```bash
# Create a custom bridge network
docker network create \
  --driver bridge \
  --subnet=172.20.0.0/16 \
  --ip-range=172.20.5.0/24 \
  --gateway=172.20.0.1 \
  my-bridge-network

# List networks
docker network ls

# Inspect network
docker network inspect my-bridge-network
```
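Before running a batch of `docker network create` commands it is worth checking the address plan offline, because Docker rejects an `--ip-range` that lies outside the `--subnet`, a `--gateway` outside it, and any subnet that overlaps a network already on the host. The Python script below is an added example (not part of this chapter): it applies those rules to the chapter's `my-bridge-network`, `custom-dns-network` and `my-macvlan` definitions plus a constructed `bad-network` entry, and also validates a static `docker run --ip` address of the kind the macvlan section uses later. The function names and the `PLAN` dictionary are this example's own assumptions.

```python
"""Check a set of planned Docker networks before running `docker network create`.

Added example, not from the chapter: applies the rules Docker enforces on
--subnet / --ip-range / --gateway (range inside the subnet, gateway inside the
subnet, no overlap between networks on one host) and on a static --ip.
Network names and addresses are the chapter's; `bad-network` is a constructed
misconfiguration.
"""
import ipaddress


def validate_network(name, subnet, gateway=None, ip_range=None):
    """Return the list of problems with one network definition (empty = OK)."""
    problems = []
    net = ipaddress.ip_network(subnet, strict=False)
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        if gw not in net:
            problems.append(f"{name}: gateway {gw} is outside subnet {net}")
        elif gw in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: gateway {gw} is the network or broadcast address")
    if ip_range is not None:
        rng = ipaddress.ip_network(ip_range, strict=False)
        if not rng.subnet_of(net):
            problems.append(f"{name}: ip-range {rng} is not inside subnet {net}")
    return problems


def check_overlaps(plan):
    """Return (a, b) name pairs whose subnets overlap; Docker refuses to create the second."""
    names = list(plan)
    found = []
    for i, a in enumerate(names):
        net_a = ipaddress.ip_network(plan[a]["subnet"], strict=False)
        for b in names[i + 1:]:
            net_b = ipaddress.ip_network(plan[b]["subnet"], strict=False)
            if net_a.overlaps(net_b):
                found.append((a, b))
    return found


def validate_static_ip(subnet, ip, gateway=None):
    """Problems with a `docker run --ip` address on a network with this subnet."""
    problems = []
    net = ipaddress.ip_network(subnet, strict=False)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        problems.append(f"{addr} is outside subnet {net}")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address")
    if gateway is not None and addr == ipaddress.ip_address(gateway):
        problems.append(f"{addr} collides with the gateway")
    return problems


# Constructed plan: the chapter's three networks plus one deliberately broken entry
# (its subnet sits inside my-bridge-network and its gateway is outside its own subnet).
PLAN = {
    "my-bridge-network": {"subnet": "172.20.0.0/16", "ip_range": "172.20.5.0/24",
                          "gateway": "172.20.0.1"},
    "custom-dns-network": {"subnet": "172.25.0.0/16", "gateway": "172.25.0.1"},
    "my-macvlan": {"subnet": "192.168.100.0/24", "gateway": "192.168.100.1"},
    "bad-network": {"subnet": "172.20.8.0/24", "gateway": "172.30.0.1"},
}


def audit_plan(plan):
    """All problems in the plan, as printable strings (empty list = safe to apply)."""
    report = []
    for name, spec in plan.items():
        report.extend(validate_network(name, **spec))
    for a, b in check_overlaps(plan):
        report.append(f"{a} and {b}: subnets overlap")
    return report


if __name__ == "__main__":
    for line in audit_plan(PLAN):
        print(line)
    for line in validate_static_ip("192.168.100.0/24", "192.168.100.10", "192.168.100.1"):
        print(line)
```

An empty report from `audit_plan` means the whole plan can be applied in one go; with the sample above it flags both defects of `bad-network` and nothing else.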
### Using Custom Networks

```bash
# Run containers on custom network
docker run -d --name web --network my-bridge-network nginx
docker run -d --name api --network my-bridge-network myapi:latest
docker run -d --name db --network my-bridge-network postgres:15

# Connect existing container to network
docker network connect my-bridge-network existing-container

# Disconnect from network
docker network disconnect my-bridge-network existing-container
```
### Network Isolation

The isolation diagram contrasts the default bridge (`docker0`) with a custom bridge. In both, `web` and `api` can reach each other and use a DNS setup (the default one on `docker0`, a custom one on a user-defined bridge). The difference is that the default bridge offers no isolation, while custom bridges can be isolated from one another and carry their own DNS.

Problem: containers can access each other by default on the default bridge. Solution: use separate networks for isolation.
## Overlay Networks

### What is Overlay Networking?

The overlay diagram shows three hosts (A, B, C), each running a container (App1, App2, App3) and each reachable from the external network. A VXLAN tunnel from every host joins a single overlay network (vxlan), which:

- encapsulates container traffic in UDP packets
- works across multiple hosts
- provides automatic service discovery
- has built-in load balancing
### Creating Overlay Networks

```bash
# Initialize Docker Swarm first (required for overlay networks)
docker swarm init

# Create overlay network
docker network create \
  --driver overlay \
  --attachable \
  my-overlay-network

# Run containers on overlay network
docker run -d --name web --network my-overlay-network nginx
docker run -d --name api --network my-overlay-network myapi:latest
```
### Encrypted Overlay Network

```bash
# Create encrypted overlay network
# Swarm management traffic is encrypted by default; --opt encrypted adds IPsec
# encryption for the application data crossing the VXLAN tunnels as well
docker network create \
  --driver overlay \
  --opt encrypted \
  --attachable \
  secure-overlay
```
## DNS and Service Discovery

### Docker Embedded DNS

The resolution flow in the diagram:

1. An app in container A queries the name `api`. The query goes to the container's resolver and on to the Docker DNS server at `127.0.0.11`, which knows container names, network aliases and the domain search list.
2. The DNS server answers with `172.18.0.2`, the address of container B (name `api`, IP `172.18.0.2`).

DNS records Docker maintains:

- container name → IP address
- network alias → IP address
- records are network-scoped (only resolvable from containers on the same network)
### Using DNS in Practice

```bash
# Create network for the example
# (--dns is a `docker run` option, not a `docker network create` option,
#  so the upstream resolver is set on the containers below)
docker network create \
  --driver bridge \
  --gateway=172.25.0.1 \
  --subnet=172.25.0.0/16 \
  custom-dns-network

# Run containers with 8.8.8.8 as the upstream resolver
docker run -d --name web --network custom-dns-network --dns 8.8.8.8 nginx
docker run -d --name api --network custom-dns-network --dns 8.8.8.8 myapi

# From web container, access api by name
docker exec web curl http://api:8080

# Add network alias
docker network connect --alias api-service my-network my-container

# Inspect DNS config
# On a user-defined network this shows "nameserver 127.0.0.11" (Docker's embedded
# DNS), which forwards names it does not know to the --dns servers
docker exec web cat /etc/resolv.conf
```
### DNS Options

```bash
# Run with custom DNS servers
docker run --dns 8.8.8.8 --dns 8.8.4.4 nginx

# Run with custom search domain
docker run --dns-search mycompany.local nginx

# Run with specific hostname
docker run --hostname myapp-server nginx
```
## Load Balancing

### Docker Internal Load Balancing

The internal load-balancing diagram: a service name (`myapp`) maps to a virtual IP (VIP); the load balancer (HAProxy or Docker's own) distributes connections, by round robin, least connections, source hash or random selection, across container 1 (`172.18.0.2`), container 2 (`172.18.0.3`) and container 3 (`172.18.0.4`).

Features:

- automatic distribution
- health checks
- service discovery integration
- no external LB needed
### Publishing Ports with Load Balancing

```bash
# Run multiple replicas (Swarm)
docker service create \
  --name myapp \
  --replicas 3 \
  --publish published=8080,target=80 \
  nginx

# All three containers accessible via port 8080
# Docker distributes traffic across replicas
```
### HAProxy for Advanced Load Balancing

```dockerfile
# haproxy/Dockerfile
FROM haproxy:2.8
COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
```

```
# haproxy.cfg
global
    log stdout format raw local0
    maxconn 4096

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http_front
    bind *:80
    default_backend api_back

backend api_back
    balance roundrobin
    server api1 api1:8080 check
    server api2 api2:8080 check
    server api3 api3:8080 check
```
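The four strategies in the diagram above and the `balance` keyword in `haproxy.cfg` behave very differently once a replica fails its health check or is already busy. The Python simulation below is an added example (it is not from this chapter and not HAProxy code) that runs each strategy over a constructed stream of client addresses. Server names follow the `haproxy.cfg` above; the `Backend` class, its tie-breaking rules and the client addresses are this example's own simplifications.

```python
"""Simulate the balancing strategies named in the chapter's load-balancing diagram
and in haproxy.cfg (`balance roundrobin`, `leastconn`, `source`, `random`) over a
constructed request stream, with per-server health-check state so that a server
marked down (what the `check` keyword detects) receives no traffic.

Added example, not from the chapter or from HAProxy; server names follow the
haproxy.cfg above, client addresses are constructed.
"""
import hashlib
import random
from collections import Counter

SERVERS = ["api1", "api2", "api3"]


class Backend:
    def __init__(self, servers, algorithm="roundrobin", seed=0):
        self.servers = list(servers)
        self.algorithm = algorithm
        self.up = {s: True for s in self.servers}     # health-check result per server
        self.active = {s: 0 for s in self.servers}    # in-flight connections per server
        self._rr = 0                                  # round-robin cursor
        self._rng = random.Random(seed)               # seeded so runs are repeatable

    def mark_down(self, server):
        self.up[server] = False

    def mark_up(self, server):
        self.up[server] = True

    def healthy(self):
        return [s for s in self.servers if self.up[s]]

    def pick(self, client_ip):
        """Choose a healthy server for one new connection from client_ip."""
        healthy = self.healthy()
        if not healthy:
            raise RuntimeError("no healthy servers in backend")
        if self.algorithm == "roundrobin":
            # advance the cursor, skipping servers the health check has marked down
            while True:
                s = self.servers[self._rr % len(self.servers)]
                self._rr += 1
                if self.up[s]:
                    return s
        if self.algorithm == "leastconn":
            # fewest in-flight connections; ties go to the earlier server in the list
            return min(healthy, key=lambda s: (self.active[s], self.servers.index(s)))
        if self.algorithm == "source":
            # hash the client address: a client sticks to one server as long as the
            # healthy set is unchanged (a server going down remaps the hash space)
            digest = hashlib.sha256(client_ip.encode()).digest()
            return healthy[int.from_bytes(digest[:8], "big") % len(healthy)]
        if self.algorithm == "random":
            return self._rng.choice(healthy)
        raise ValueError(f"unknown balance algorithm: {self.algorithm}")

    def connect(self, client_ip):
        server = self.pick(client_ip)
        self.active[server] += 1
        return server

    def release(self, server):
        self.active[server] -= 1


def distribute(algorithm, client_ips, down=()):
    """Count how many of the constructed requests each server receives.
    Connections stay open for the whole stream (long-lived requests)."""
    backend = Backend(SERVERS, algorithm)
    for s in down:
        backend.mark_down(s)
    counts = Counter()
    for ip in client_ips:
        counts[backend.connect(ip)] += 1
    return dict(counts)


def leastconn_demo():
    """api1 already holds three long-lived connections (constructed state);
    the next four connections should all avoid it."""
    backend = Backend(SERVERS, "leastconn")
    for _ in range(3):
        backend.active["api1"] += 1
    return [backend.connect(f"10.0.0.{i}") for i in range(1, 5)]


if __name__ == "__main__":
    stream = [f"198.51.100.{i % 7}" for i in range(12)]   # constructed client addresses
    for algo in ("roundrobin", "leastconn", "source", "random"):
        print(algo, distribute(algo, stream))
    print("roundrobin with api2 down:", distribute("roundrobin", stream, down=["api2"]))
    print("leastconn avoiding busy api1:", leastconn_demo())
```

Round robin and least-connections spread an even stream evenly while every replica is healthy; `source` pins a given client address to one replica, and the round-robin cursor skips `api2` once it is marked down, which is exactly the behaviour the `check` keyword buys you in the config above.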
## Network Isolation

### Internal Networks

```bash
# Create internal network (no external access)
docker network create --driver bridge --internal backend-network

# Containers can only communicate with each other
# Cannot access external networks or internet
docker run -d --name db --network backend-network postgres:15
docker run -d --name app --network backend-network myapp

# App can reach db, but neither can reach internet
```
### Network Segmentation

The segmentation diagram places three networks inside the production environment: a frontend network (`web-1`, `web-2`), a backend network (`api-1`, `api-2`) and an internal database network (`postgres`). A public network (load balancer / ingress) fronts them.

Traffic flow: Internet → LB → Frontend → Backend → DB

Isolation rules:

- Frontend → Backend: ALLOW
- Frontend → Database: DENY
- Backend → Database: ALLOW
- Any → Internal: DENY
## Macvlan Networks

### What is Macvlan?

The diagram contrasts traditional bridge mode with macvlan mode. In bridge mode the container's `eth0` hangs off a bridge behind the host's `eth0`, so NAT translation is needed and the container has a virtual IP. In macvlan mode the container's `eth0` is a macvlan sub-interface of the host's `eth0`, giving direct access to the network: the container gets a real IP and performance is better.

Use cases:

- Legacy applications that need direct network access
- Applications requiring specific IP addresses
- High-performance workloads
- Migrating from VMs to containers
### Creating Macvlan Networks

```bash
# Create macvlan network
docker network create -d macvlan \
  --subnet=192.168.100.0/24 \
  --gateway=192.168.100.1 \
  -o parent=eth0 \
  my-macvlan

# Run container with macvlan
docker run -d --name myapp \
  --network my-macvlan \
  --ip 192.168.100.10 \
  myimage:latest
```

Two things to keep in mind: macvlan sub-interfaces cannot talk to their parent interface, so the host itself cannot reach `myapp` at `192.168.100.10` through `eth0` (other machines on the LAN can); and the container now sits directly on the physical network, outside the host's NAT and the bridge's isolation, so the LAN's own controls are all that stand between it and its neighbours.
## Network Plugins

### Third-Party Network Plugins

Popular network plugins:

- Calico: BGP, policy, scalable
- Weave: mesh, encryption, easy
- Flannel: VXLAN, simple, K8s native
- Canal: Calico + Flannel
- Romana: policy, CNI
- Cilium: eBPF, observability, Hubble

Installing plugins:

```bash
docker plugin install <plugin>

# Example:
docker plugin install weaveworks/plugin:net
```
## Hands-on Lab

### Lab: Multi-Tier Network Architecture

In this hands-on lab, we'll create a secure multi-tier network architecture.
### Prerequisites

- Docker installed
- Docker Swarm initialized (optional, for overlay networks)
### Lab Steps

```bash
# Step 1: Create networks
# Frontend network (public-facing)
docker network create --driver bridge frontend-network

# Backend network (internal)
docker network create --driver bridge --internal backend-network

# Database network (most restricted)
docker network create --driver bridge --internal database-network

# Step 2: List networks
docker network ls

# Step 3: Start services in appropriate networks

# Database layer
docker run -d \
  --name database \
  --network database-network \
  -e POSTGRES_PASSWORD=secret \
  postgres:15

# Backend API
docker run -d \
  --name api \
  --network backend-network \
  myapi:latest

# Connect API to database network
docker network connect database-network api

# Frontend web server
docker run -d \
  --name frontend \
  --network frontend-network \
  -p 8080:80 \
  nginx

# Connect frontend to backend
docker network connect backend-network frontend

# Step 4: Verify network isolation
# From frontend, verify connectivity
docker exec frontend ping api        # Should work
docker exec frontend ping database   # Should NOT work
# The nginx image may not ship ping; `getent hosts <name>` asks Docker's embedded
# DNS the same question and is available in the Debian-based nginx image:
docker exec frontend getent hosts database   # prints nothing: no shared network, so no record

# From api, verify connectivity
docker exec api ping database        # Should work

# Step 5: Test web access
curl http://localhost:8080

# Step 6: Clean up
docker stop frontend api database
docker rm frontend api database
docker network rm frontend-network backend-network database-network
```
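Step 4 of the lab verifies isolation by hand. The same checks can be run against `docker network inspect` output, which is also how to catch drift later (for example someone running `docker network connect database-network frontend`). The Python script below is an added example, not part of the lab: it models the network-scoped DNS rule from the DNS section (a container name resolves only from containers on a shared network) and the ALLOW/DENY rules from the segmentation diagram, and evaluates them over `LAB_INSPECT`, a constructed sample shaped like `docker network inspect frontend-network backend-network database-network` after steps 1-3 (container IDs and addresses are made up, keys the script does not need are omitted), and over a drifted copy. It assumes Docker's defaults (inter-container communication enabled, no extra host firewall rules), so two containers on a shared network count as able to reach each other; network aliases come from `docker inspect <container>` and are not modelled.

```python
"""Audit Docker network segmentation from `docker network inspect` output.

Added example, not from the chapter. LAB_INSPECT is a constructed sample of the
lab's three networks after steps 1-3; DRIFTED_INSPECT is the same after an extra
`docker network connect database-network frontend`. Reachability model: two
containers attached to a common network can talk to each other (Docker defaults).
"""
import copy
import json

LAB_INSPECT = json.loads("""
[
  {"Name": "frontend-network", "Driver": "bridge", "Internal": false,
   "Containers": {
     "1a2b": {"Name": "frontend", "IPv4Address": "172.21.0.2/16"}}},
  {"Name": "backend-network", "Driver": "bridge", "Internal": true,
   "Containers": {
     "3c4d": {"Name": "api", "IPv4Address": "172.22.0.2/16"},
     "1a2b": {"Name": "frontend", "IPv4Address": "172.22.0.3/16"}}},
  {"Name": "database-network", "Driver": "bridge", "Internal": true,
   "Containers": {
     "5e6f": {"Name": "database", "IPv4Address": "172.23.0.2/16"},
     "3c4d": {"Name": "api", "IPv4Address": "172.23.0.3/16"}}}
]
""")

# Constructed drift: frontend was later attached to the database network as well.
DRIFTED_INSPECT = copy.deepcopy(LAB_INSPECT)
DRIFTED_INSPECT[2]["Containers"]["1a2b"] = {"Name": "frontend", "IPv4Address": "172.23.0.4/16"}

# The segmentation diagram's rules at container-pair level, using the lab's names.
POLICY = [
    ("frontend", "api", "ALLOW"),
    ("frontend", "database", "DENY"),
    ("api", "database", "ALLOW"),
]
MUST_BE_INTERNAL = ["backend-network", "database-network"]


def parse_networks(inspect_output):
    """network name -> {"internal": bool, "containers": {container name: IPv4}}"""
    nets = {}
    for net in inspect_output:
        members = {c["Name"]: c["IPv4Address"].split("/")[0]
                   for c in net.get("Containers", {}).values()}
        nets[net["Name"]] = {"internal": bool(net.get("Internal", False)),
                             "containers": members}
    return nets


def shared_networks(nets, a, b):
    """Networks both containers are attached to: the only paths between them."""
    return sorted(n for n, d in nets.items()
                  if a in d["containers"] and b in d["containers"])


def resolve(nets, from_container, name):
    """What Docker's embedded DNS would answer for `name` asked from `from_container`:
    one address per shared network, nothing if they share no network."""
    return sorted(nets[n]["containers"][name]
                  for n in shared_networks(nets, from_container, name))


def audit(nets, policy):
    """Violations of (src, dst, ALLOW|DENY) expectations against the live attachments."""
    violations = []
    for src, dst, verdict in policy:
        paths = shared_networks(nets, src, dst)
        if verdict == "ALLOW" and not paths:
            violations.append(f"{src} -> {dst} expected ALLOW but they share no network")
        elif verdict == "DENY" and paths:
            violations.append(f"{src} -> {dst} expected DENY but reachable via {', '.join(paths)}")
    return violations


def not_internal(nets, must_be_internal):
    """Networks that should have been created with --internal but were not."""
    return [n for n in must_be_internal if n in nets and not nets[n]["internal"]]


if __name__ == "__main__":
    for label, data in (("lab", LAB_INSPECT), ("drifted", DRIFTED_INSPECT)):
        nets = parse_networks(data)
        print(label, "frontend resolves 'database' to:", resolve(nets, "frontend", "database"))
        print(label, "violations:", audit(nets, POLICY) + not_internal(nets, MUST_BE_INTERNAL))
```

Against a real host you would pass the JSON from `docker network inspect` on the lab's three networks to `parse_networks` instead of the embedded sample; the policy and checks stay the same, and the drifted copy shows the single DENY violation that the extra `docker network connect` introduces.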
## Summary

### Key Takeaways

- Network Drivers - Choose the right driver for your use case
- Custom Networks - Create custom networks for better control
- DNS - Docker provides built-in DNS for service discovery
- Isolation - Use internal networks for security
- Overlay Networks - For multi-host communication
- Macvlan - For legacy apps needing direct network access
### Quick Reference Commands

```bash
# Create networks
docker network create --driver bridge my-network
docker network create --driver overlay --attachable my-overlay

# Inspect network
docker network inspect <network>

# Connect/disconnect containers
docker network connect <network> <container>
docker network disconnect <network> <container>

# DNS lookup
docker exec <container> nslookup <service-name>
```
## Next Steps

In the next chapter, we'll explore Docker in CI/CD (Chapter 15), covering:
- Building Docker images in CI/CD pipelines
- Testing containers
- Registry integration
- Deployment strategies