If you’re using Docker to run your application workloads, it’s possible that you’ve been using the “docker run” command for some time and haven’t given networking any thought. Docker networking is the process of creating and managing networks that allow Docker containers to communicate both with each other and with the outside world. It provides a way for containers to connect to each other and to the host system, enabling them to share data and resources. Docker networks enable:
- Isolation: Docker networks provide a level of isolation between containers, which can prevent interference and conflicts when multiple containers are running on the same host.
- Security: Docker networks allow you to control network traffic between containers and restrict which containers can reach sensitive data or resources.
- Scalability: Docker networks enable communication between containers running on different hosts, which helps scale applications across multiple hosts and reduces the risk of single points of failure, ultimately increasing operational efficiency.
- Ease of Management: Docker networks can be easily created, managed, and configured using the Docker CLI or Docker Compose. This can simplify the management of network resources and help ensure consistent network configurations across different environments.
In this blog, I’ll delve further into Docker networking, including how to build Docker networks, start containers inside of those networks, and more.
Docker Networking
There are several types of networks available in Docker, including:
- Bridge: This is the default network created when Docker is installed. It permits communication between containers and the host system, but not with external networks.
- Host: This network allows containers to access the host’s IP address and network interfaces by sharing the host’s network stack. This can provide better network performance, but may also introduce security risks.
- None: This mode gives the container no connectivity to external networks or to other containers, and does not configure an IP address for it. The container still has the loopback interface, which is enough for batch tasks that need no network access.
Docker Network Commands
# list docker networks
Build Two-Tier Architecture
In this example, we will create a two-tier architecture with two networks, named frontend and backend, having containers deployed.
Create a custom image
Let’s begin by creating a custom docker image to be used for all our examples.
Create Dockerfile
FROM httpd
Build an image using this Dockerfile. This image installs all the required utilities.
docker build . -t testimage
Launch containers in the default network (bridge)
Run the containers without specifying any network.
docker run -d --name s1 -p 8080:80 testimage
Since both s1 and s2 are within the same network, s2 is accessible from s1. Let’s check it out.
❯ docker exec -it s1 bash
Create Docker Networks
# create networks
Launch containers in new networks
Let’s move both of our containers in each network.
# remove existing containers and relaunch them in separate networks
Let’s test the connectivity between containers.
# check container details by running
This is what the new architecture will look like.
Create Gateway Network to connect Frontend and Backend
Now, we need to add a gateway which can act as a bridge for both s1 and s2 to communicate with each other.
# create a gateway network container and launch in frontend network
This is what the architecture looks like with gw container.
| Source | Destination | Reachability | Comments |
|---|---|---|---|
| gw | s1 | ✅ | since gw is deployed in the frontend network |
| s1 | gw | ✅ | since gw is deployed in the frontend network |
| gw | s2 | ✅ | since gw is deployed in the backend network |
| s2 | gw | ✅ | since gw is deployed in the backend network |
| s1 | s2 | ❌ | there is still no route from s1 to s2 |
| s2 | s1 | ❌ | there is still no route from s2 to s1 |
docker exec -it gw bash
Allow connection from Frontend to Backend network
To allow connection from s1 to s2 containers, we need to add a route for the backend subnet in the s1 container.
❯ docker exec -it s1 bash
Adding just one route will not make it work, as the traceroute output clearly shows. The frontend container now knows how to reach IPs in the backend subnet, but there is no response from the backend, because s2 has no route back to the frontend subnet.
This is the current architecture.
The final step is to add a route in the backend container.
❯ docker exec -it s2 bash
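As an added example (not code from the original post), here is the whole procedure from the sections above as one script: create the frontend and backend networks, launch s1 and s2 in them, attach gw to both, then add a route on each side via gw and probe s1 to s2. The subnets, the NET_ADMIN capability, the ip_forward sysctl and the presence of curl and ip in testimage are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own code: builds the two-tier layout the post walks
# through (s1 on frontend, s2 on backend, gw on both, a static route on each side via
# gw). Subnets, NET_ADMIN, the ip_forward sysctl and curl/ip in the image are assumed.
set -eu
FRONTEND_SUBNET=${FRONTEND_SUBNET:-10.10.1.0/24}   # assumed subnet
BACKEND_SUBNET=${BACKEND_SUBNET:-10.10.2.0/24}     # assumed subnet
IMAGE=${IMAGE:-testimage}                          # image from the post's Dockerfile
# IP address a container holds on one network (gw has one address per network).
container_ip() {  # $1 container, $2 network
  docker inspect -f "{{(index .NetworkSettings.Networks \"$2\").IPAddress}}" "$1"
}

create_networks() {
  docker network create --subnet "$FRONTEND_SUBNET" frontend
  docker network create --subnet "$BACKEND_SUBNET" backend
}

launch_tiers() {
  # NET_ADMIN is only needed so that "ip route add" works inside s1 and s2 later.
  docker run -d --name s1 --network frontend --cap-add NET_ADMIN "$IMAGE"
  docker run -d --name s2 --network backend  --cap-add NET_ADMIN "$IMAGE"
  # gw starts on frontend and is then connected to backend, so it sits on both;
  # ip_forward lets it pass packets between its two interfaces.
  docker run -d --name gw --network frontend --sysctl net.ipv4.ip_forward=1 "$IMAGE"
  docker network connect backend gw
}

add_routes() {
  gw_front=$(container_ip gw frontend)
  gw_back=$(container_ip gw backend)
  # A route on s1 alone is not enough (replies have no way back): both sides need one.
  docker exec s1 ip route add "$BACKEND_SUBNET" via "$gw_front"
  docker exec s2 ip route add "$FRONTEND_SUBNET" via "$gw_back"
}

# Prints "yes" when container $1 can fetch the httpd page served at address $2.
reach() {
  if docker exec "$1" curl -s -m 3 -o /dev/null "http://$2/"; then echo yes; else echo no; fi
}
teardown() {
  docker rm -f s1 s2 gw
  docker network rm frontend backend
}
case "${1:-}" in        # "sh two-tier.sh up" builds it, "sh two-tier.sh down" removes it
  up)   create_networks; launch_tiers; add_routes
        echo "s1 -> s2: $(reach s1 "$(container_ip s2 backend)")" ;;
  down) teardown ;;
esac
```

Because the routes are what make the two tiers reachable, removing them (or the gw container) restores the isolation the separate networks provide, which is the control to keep in mind when deciding which tiers should ever talk to each other.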
In this blog, we built a two-tier architecture to demonstrate how containers in different networks can talk to each other and why Docker networking matters. In theory, we could construct a third network for database containers and add a route specific to the backend network in the same way.
I hope this article was useful in understanding the fundamentals of Docker networking. In future articles, we will see how these Docker networking concepts are applied to AWS Elastic Container Service and further understand ECS networking modes.