Lesson 4.1: Docker Network Basics
Welcome to Phase 4! You've learned to build, run, and persist data in containers. Now it's time to make them communicate. Docker networking allows containers to talk to each other and to the outside world. In this lesson, we'll explore the fundamental concepts of Docker networking, the default networks, and how to inspect and manage them. By the end, you'll understand how containers are isolated by default and how to enable communication.
Learning Objectives
TIP
By the end of this lesson, you will be able to:
- Explain the role of Docker networking in container communication.
- Identify the default Docker networks (bridge, host, none) and describe their purposes.
- Use `docker network ls`, `inspect`, `create`, and `rm` commands.
- Run containers on different networks and understand their connectivity.
- Inspect a container's network configuration.
1. Why Networking Matters
Containers are isolated by default. This means a container running a web server cannot be accessed from your host unless you explicitly publish ports, and two containers cannot talk to each other unless they are on the same network. Docker's networking subsystem provides the necessary connectivity while maintaining isolation.
INFO
Understanding Docker networking is crucial for:
- Running multi‑container applications (e.g., web server + database).
- Exposing services to the outside world.
- Securing container communication.
- Debugging connectivity issues.
2. Docker Network Drivers
Docker uses network drivers to create and manage networks. The most common drivers are:
| Driver | Description |
|---|---|
| bridge | Default network driver for standalone containers. Creates a private network on the host; containers on the same bridge network can communicate. |
| host | Removes network isolation; the container shares the host's network stack. Useful for performance or when the container needs full host network access. |
| none | Disables networking; the container has only a loopback interface. |
| overlay | Used in Docker Swarm or Kubernetes to connect containers across multiple hosts. |
| macvlan | Assigns a MAC address to the container, making it appear as a physical device on the network. |
| ipvlan | Similar to macvlan but uses layer 3. |
TIP
In this lesson, we'll focus on bridge, host, and none. Overlay and macvlan will be covered later.
3. Default Networks
When you install Docker, three networks are created automatically:
```bash
docker network ls
```
Sample output:
```
NETWORK ID     NAME      DRIVER    SCOPE
e4b5c6d7e8f9   bridge    bridge    local
a1b2c3d4e5f6   host      host      local
123456789abc   none      null      local
```
3.1. bridge Network
The default bridge network is created automatically. When you run a container without specifying a network, it attaches to this bridge network.
- Containers on the default bridge can communicate with each other by IP, but not by container name unless you use `--link` (deprecated).
- It provides NAT (Network Address Translation) so containers can access the internet through the host's network.
- Ports must be published (`-p`) to be accessible from the host.
3.2. host Network
The host network removes isolation: the container uses the host's network stack directly.
- No port mapping is needed; the container's ports are exposed on the host.
- Performance is slightly better, but security is reduced (container can bind to any port).
- Only works on Linux; not available on Docker Desktop for Mac/Windows (there it's simulated but behaves differently).
3.3. none Network
The none network disables all networking. The container has only a loopback interface.
- Used for containers that don't need network access.
- Useful for batch jobs or isolated processes.
4. Working with Networks
4.1. Listing Networks
```bash
docker network ls
```
4.2. Inspecting a Network
```bash
docker network inspect bridge
```
This shows details like subnet, gateway, and which containers are attached.
4.3. Creating a User‑Defined Bridge Network
The default bridge has limitations (no automatic DNS). User‑defined bridge networks provide better isolation and automatic name resolution.
```bash
docker network create mynet
```
You can specify driver, subnet, etc.:
```bash
docker network create --driver bridge --subnet 172.20.0.0/16 mynet
```
4.4. Removing a Network
```bash
docker network rm mynet
```
Networks cannot be removed if they have active containers attached.
5. Running Containers on Networks
5.1. Attach a Container to a Network
Use the `--network` flag with `docker run`:
```bash
docker run -d --name web --network mynet nginx
```
5.2. Connect an Existing Container to a Network
```bash
docker network connect mynet web
```
5.3. Disconnect a Container from a Network
```bash
docker network disconnect mynet web
```
6. Container Communication on User‑Defined Bridge
On a user‑defined bridge, containers can resolve each other's names automatically.
Example:
- Create a network `appnet`.
- Run two containers on that network:
  ```bash
  docker run -d --name app1 --network appnet alpine sleep 3600
  docker run -d --name app2 --network appnet alpine sleep 3600
  ```
- Exec into `app2` and ping `app1`:
  ```bash
  docker exec -it app2 ping app1
  ```
The ping succeeds using the container name. This does not work on the default bridge.
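Which containers can reach each other follows directly from network membership, so it can be derived from `docker network inspect` output. The sketch below is an added example, not part of the original lesson: it builds a reachability map from a constructed sample in which a hypothetical container `scratch` has been attached to both the default bridge and `appnet`.

```python
import json
from itertools import combinations

# Constructed sample shaped like `docker network inspect bridge appnet none`
# output, trimmed to the fields read below; IDs and addresses are made up.
SAMPLE_NETWORKS = json.loads("""
[
  {"Name": "bridge", "Driver": "bridge",
   "Containers": {
     "c1": {"Name": "web1", "IPv4Address": "172.17.0.2/16"},
     "c2": {"Name": "scratch", "IPv4Address": "172.17.0.3/16"}}},
  {"Name": "appnet", "Driver": "bridge",
   "Containers": {
     "c3": {"Name": "app1", "IPv4Address": "172.18.0.2/16"},
     "c4": {"Name": "app2", "IPv4Address": "172.18.0.3/16"},
     "c2": {"Name": "scratch", "IPv4Address": "172.18.0.4/16"}}},
  {"Name": "none", "Driver": "null",
   "Containers": {"c5": {"Name": "batch", "IPv4Address": ""}}}
]
""")

def reachability(networks):
    """Map each container pair sharing a bridge network to 'ip-only' or 'name+ip'."""
    pairs = {}
    for net in networks:
        # The none network (driver "null") carries no traffic, and host-network
        # containers use the host stack, so neither is a shared segment here.
        if net.get("Driver") in ("null", "host"):
            continue
        names = sorted(c["Name"] for c in (net.get("Containers") or {}).values())
        # Only user-defined networks resolve container names; the default
        # network named "bridge" is reachable by IP only.
        how = "ip-only" if net["Name"] == "bridge" else "name+ip"
        for a, b in combinations(names, 2):
            # If a pair shares several networks, name resolution on any one wins.
            if pairs.get((a, b)) != "name+ip":
                pairs[(a, b)] = how
    return pairs

def can_reach(networks, a, b):
    """Return how containers a and b can address each other, or None if isolated."""
    return reachability(networks).get(tuple(sorted((a, b))))

if __name__ == "__main__":
    for (a, b), how in sorted(reachability(SAMPLE_NETWORKS).items()):
        print(f"{a} <-> {b}: {how}")
```

A container that appears in pairs on more than one network, like `scratch` here, can talk to both segments and is worth reviewing when the networks are meant to be separate.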
7. Exposing Ports to the Host
To make a container accessible from outside the host, use `-p` or `--publish`.
```bash
docker run -d --name web -p 8080:80 nginx
```
- Maps host port 8080 to container port 80.
- If you omit `-p`, the container is only reachable from other containers on the same network.
You can also bind to a specific host IP:
```bash
docker run -d --name web -p 127.0.0.1:8080:80 nginx
```
8. Host Network Example
Run a container with host networking (Linux only):
```bash
docker run -d --name net-host --network host nginx
```
Now you can access nginx at http://localhost:80 (no port mapping). The container shares the host's IP address and all ports.
9. None Network Example
Run a container with no networking:
```bash
docker run -it --network none alpine sh
```
Inside, `ip addr` shows only `lo` (loopback). No external connectivity.
10. Inspecting Container Network Settings
You can inspect a container's network details with `docker inspect`:
```bash
docker inspect web
```
Look for the `NetworkSettings` section. For a container on a bridge network, you'll see IP address, gateway, and port mappings.
To quickly get a container's IP:
```bash
docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' web
```
Hands-On Tasks
Task 1: Explore Default Networks
- Run `docker network ls` and note the three default networks.
- Inspect the `bridge` network: `docker network inspect bridge`. Look at the `Containers` section – it will show any containers currently attached.
- Inspect `host` and `none` networks.
Task 2: Run a Container on the Default Bridge
- Run a simple container in detached mode: `docker run -d --name web1 nginx`.
- Check its IP address: `docker inspect web1 | grep IPAddress`.
- Try to access nginx from your host: `curl http://<container-ip>`. It should work because the host can reach the bridge network.
- Now publish the port: stop and remove `web1`, then run `docker run -d --name web1 -p 8080:80 nginx`. Access `http://localhost:8080` from your host.
Task 3: Create a User‑Defined Bridge Network
- Create a network: `docker network create mynet`.
- List networks again; you'll see `mynet`.
- Run two containers on `mynet`:
  ```bash
  docker run -d --name app1 --network mynet alpine sleep 3600
  docker run -d --name app2 --network mynet alpine sleep 3600
  ```
- Exec into `app2` and ping `app1` by name: `docker exec -it app2 ping app1`. It should succeed.
- Try pinging `app1` from the default bridge network: run a third container on the default bridge (`docker run -it --rm alpine sh`), then try `ping app1` – it will fail because they are on different networks.
- Connect the default bridge container to `mynet`: `docker network connect mynet <default-container>`. Then ping again – it should work.
Task 4: Host and None Networks
- Run a container on host network (if on Linux) and check its interfaces: `docker run --rm --network host alpine ip addr`. Compare with `ip addr` on your host.
- Run a container on none network: `docker run --rm --network none alpine ip addr`. You'll see only `lo`.
Task 5: Inspect Network Connectivity
- Run an nginx container on a user‑defined network without publishing ports.
- Run another container on the same network and use `curl` to access nginx by container name.
- Remove the containers and networks when done.
Summary
Key Takeaways
- Docker provides several network drivers: `bridge`, `host`, `none`, `overlay`, etc.
- Three default networks are created automatically: `bridge`, `host`, `none`.
- The default bridge network provides basic connectivity but lacks automatic DNS resolution.
- User‑defined bridge networks allow containers to communicate by name and provide better isolation.
- Use `-p` to expose container ports to the host.
- `docker network` commands manage networks: `ls`, `inspect`, `create`, `connect`, `disconnect`, `rm`.
Check Your Understanding
- What are the three default Docker networks and their purposes?
- How do you list all Docker networks?
- Why does the default bridge network not allow containers to ping each other by name?
- What command would you use to run a container on a user‑defined network named `backend`?
- How do you expose a container's port 3000 to host port 9000?
- What is the difference between the host network driver and the bridge driver?
Answers
- bridge: Default network for standalone containers with NAT to host. host: Removes network isolation, shares host's network stack. none: Disables all networking, only loopback.
- `docker network ls`
- The default bridge does not have an embedded DNS server. Name resolution only works on user-defined bridges.
- `docker run -d --name mycontainer --network backend imagename`
- `docker run -d --name mycontainer -p 9000:3000 imagename`
- Bridge creates a private internal network with NAT; containers get their own IP. Host removes isolation entirely—the container uses the host's IP and network stack directly.
Additional Resources
- Docker networking overview (official)
- Docker network commands reference
- Bridge network driver
- Host network driver
Next Up
In the next lesson, we'll dive deeper into bridge networks and explore user‑defined bridges in detail, including custom subnets, gateways, and how they enable container‑to‑container communication. See you there!