Demystifying Docker Networking: A Clear Guide

Docker containers are great! Nobody can deny that, right? When you have used docker, have you ever wondered how the networking works behind the scenes. Usually, you just create a container and it magically has access to all the networking, but what is really happening behind the scenes? Did you know you can actually configure this networking?! Not only that, there are SIX ways you can do it!!! Isn't that insane?! Let's see what those six ways are.

Intro to Docker Networking

Docker networking is insane, but at the most basic level, it works like this. Each container has is in a docker network. Each network has a network driver. This is basically a networking type. There are several drivers you can pick from. That is what we are going to cover here shortly.

Bridge

The first network driver is bridge. This is the most basic driver. This is what you have been using without realizing. Each time you create a docker container and don't specify the network, it goes into something called the default network. This is a network that docker has already created from the moment you installed it. This default network has the bridge driver.

The bridge driver uses IP Masquerading to connect docker containers to the internet. The docker containers can also communicate with each-other as long as they are in the same network. This is why using the default network is not considered best practice. This means you do not have any sort of network isolation. This means that if a hacker is able to get access to your container, the can connect, and possibly hack, the other containers too. This can be disastrous!

MacVLAN

This is kind of a weird one. This driver makes it so each docker container has its own, individual, MAC address and IP address on the host network. You no longer need to expose ports, instead, just use the IP address of the container itself. The traffic will be routed accordingly.

There is a good chance you will have to change the configuration of your network because having several MAC addresses on a single port is usually a sign of a security threat.

IPVLAN

An IP VLAN, makes it look like all the containers are on the network of the host wit their own IP. It will look like containers are their own devices on the network,

IPVLAN vs. MacVLAN

An IPVLAN driver and a MacVLAN driver are both very similar, but they have 1 very important difference. It is that the IP VLAN assigns each container its own IP, but still uses the MAC address of the host. The MAC VLAN, on the other hand, gives each container its own MAC address and IP address.

There are many situations where IP VLANs are preferable over MAC VLANs because the switches do not like having several MAC addresses on a single port. I am not aware of any situation where using a MAC VLAN is really better than using an IP VLAN, but I am sure there are some.

Host

This is a very unique network driver. When you use the host network, the container and the host share a single networking namespace. You do not need to publish any ports, because any ports the container listens on will also be listened to on the host. The host and the container, both have the same ports.

This sort of thing is useful if you need a very high amount of performance. Using other networking types can degrade performance because of all the additional overhead present in the NAT or other things. They are also very useful when you need all the hosts to be exposed.

None

The none driver has very special use-cases. As the name implies, the none network means that there is no network connection for the container. It is completely isolated from the internet and anything else. It is best practice to use this for as many use cases as you can since this is the absolute most secure networking type. After all, the best way to secure a server is to not connect it to the internet in the first place.

Conclusion

Docker networking is a great skill. If you have read this far, you have that skill. You know the basics of docker networking. That is great! Not many people know that. This is one of the skills you can tell your future employers about. I know you are probably not very comfortable with docker networking right now. I will create a hands-on walk through that will help you gain confidence with this.

One more thing before you go. There is a lot to remember. I know it can be overwhelming. That is why I created an cheat-sheet. Here it is

Docker-Networking.md
If you have any more questions about things covered in this article, you know of another thing I should cover, or you think I should just have done something better, please leave a comment. Thank you for reading.

Comments

Post a Comment

Popular posts from this blog

Persistent Data in Docker: Explanation + Hands-On Demo

Docker containers, by nature, are ephemeral. They are not designed to stay without being deleted for long periods of time. While you could, theoretically never delete the image, most of the benefits of docker are realized when containers are temporary. There is something wrong with this approach, though. Almost all the data in the world is designed to be persistent. This poses a problem that docker volumes can solve. What are docker volumes? Docker volumes are a method of ensuring data persistence in a containerized environment. To comply with best practices, you need to make sure that spontaneously losing a container or 2 does not have an impact on anything but the performance of your infrastructure. To do this, all the important data in your containers needs to be put somewhere. Somewhere which is not liked to the life-cycle of the container itself. That somewhere is a volume. A docker volume is little more than a place to store data. From the point of view of the container, nothing
Read more

Pods to Deployments | Kubernetes Architecture Evolution

Image
When I was learning the basic kubernetes concepts, I was confused between pods, replicasets, and deployments. Each one seemed to have the other inside of it. I remained confused for a long time. I kept trying to avoid the topic. When I actually understood, it felt great. I do not want you to have that confusion when you are learning these concepts. That is why I created this post. Manifest files As we talked about in our previous post, to access your cluster, you use a tool called kubectl . While you can execute commands to deploy and manage resources, there is a better way of doing it. As you must know if you have read my posts about docker compose , Infrastructure As Code is often more efficient and easier to manage when compared to traditional CLI tools. This is why kubernetes also supports infrastructure as code. It is written in yaml. Those files are called kubernetes manifest files. It is best practice to use them. That is why we are going to be using them here. Step 1: Deploying
Read more

Docker Compose Explained: Simplifying Multi-Container Deployments

Docker compose and other IaC (Infrastructure as Code) tools are very important to learn. Today, they are almost essential knowledge to manage any sort of infrastructure, anywhere. Docker Compose is one of the most prominent tools in this space. According to Stackshare, at the time of writing, there are about 2108 companies using docker compose in their tech stack. This includes giant companies like Udemy. The knowledge of this relatively simple tool is very important. That is why I am going to break it down for you here. What is Docker Compose As mentioned before, Docker Compose is an IaC tool for Docker containers. It makes it significantly easier to deploy and manage containers in an environment with several containers. Why Docker Compose Now that you know what docker compose is, let's talk about why somebody would need such a tool. What benefits does it provide? Simplifies Deployment: Docker compose simplifies deployment. Once you have the IaC template in place, you can deploy a
Read more