Computer Networks
Networking in Docker
A microservice is running, but how does it find the database? IPs change, containers die and get recreated. You need a network that figures out who is where on its own - so the code doesn't know about IPs and just says 'connect to redis'.
- **Docker Compose** is the standard for local development. Run docker-compose up - all services see each other by name
- **Kubernetes** uses similar concepts: overlay networks (CNI plugins), service discovery (CoreDNS), network policies
- **Netflix** migrated to containers and overlay networks - thousands of microservices find each other without hardcoded IPs
Prerequisites
Docker Networking: Basics
**Docker Networking** determines how containers communicate with each other and the outside world. Each container gets its own network namespace - an isolated network stack with its own interfaces, routing table, and iptables. From the outside, a container looks like a separate machine.
**Network Namespace** is a Linux kernel feature. The container sees only its own interfaces, not the host's. `docker exec nginx ip addr` will show different interfaces than `ip addr` on the host. Isolation at the kernel level.
When should you use network mode 'host'?
Bridge Network
**Bridge Network** is a virtual switch inside the host. Containers connect to the docker0 bridge via veth pairs. They get IPs from a private subnet (172.17.0.0/16). They communicate with each other directly, and with the outside world via host NAT.
**Port Publishing** (-p 8080:80) creates an iptables DNAT rule in Docker's own chain. Incoming traffic on host:8080 is redirected to container:80. `docker port nginx` shows the mapping. Without -p the container is reachable only from the host itself and from other containers on the same bridge (via its 172.17.x.x address), not from other machines. By default -p binds 0.0.0.0, i.e. every host interface, and because the DNAT'd traffic takes the FORWARD path, host-level INPUT rules (the ones ufw manages, for example) do not apply to it. Use -p 127.0.0.1:8080:80 when the port is only meant for the host.
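The check a practitioner runs after reading the paragraph above: which published ports are bound to every interface? The script below is an added example, not code from the page or from Docker. It parses the `NetworkSettings.Ports` structure that `docker inspect <container>` really prints, but over a constructed sample (`SAMPLE`) so it runs offline; the function names `audit_ports` and `exposed_ports` are this example's own.

```python
"""Audit published ports from `docker inspect` output.

Added example, not from the original page. It parses the
NetworkSettings.Ports structure that `docker inspect <container>`
prints, over a constructed sample so it runs offline. To use it live:
    docker inspect $(docker ps -q) | python3 audit_ports.py
"""
import json
import sys

# Constructed sample of what `docker inspect` returns for two containers:
# "web" published with plain -p 8080:80, "redis" with -p 127.0.0.1:6379:6379.
SAMPLE = json.dumps([
    {
        "Name": "/web",
        "NetworkSettings": {
            "Ports": {
                "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"},
                           {"HostIp": "::", "HostPort": "8080"}],
                "443/tcp": None,          # EXPOSEd but not published
            }
        },
    },
    {
        "Name": "/redis",
        "NetworkSettings": {
            "Ports": {
                "6379/tcp": [{"HostIp": "127.0.0.1", "HostPort": "6379"}],
            }
        },
    },
])

# An empty HostIp is treated as "unspecified", which means all interfaces.
WILDCARD = {"0.0.0.0", "::", ""}


def audit_ports(inspect_json: str) -> list:
    """Return one finding per host binding.

    Each finding is (container, container_port, host_ip, host_port, exposed),
    where exposed is True when the binding listens on every host interface.
    Docker's DNAT rule lives in its own iptables chain on the FORWARD path,
    so such a port is reachable from the network even when a host firewall
    (ufw and friends) blocks it in INPUT. Unpublished ports (value None) are
    skipped: they are only reachable from the bridge itself.
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        ports = container["NetworkSettings"].get("Ports") or {}
        for cport, bindings in ports.items():
            for b in bindings or []:
                exposed = b["HostIp"] in WILDCARD
                findings.append((name, cport, b["HostIp"], b["HostPort"], exposed))
    return findings


def exposed_ports(inspect_json: str) -> list:
    """Only the bindings reachable from other machines."""
    return [f for f in audit_ports(inspect_json) if f[4]]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for name, cport, host_ip, host_port, exposed in audit_ports(data):
        flag = "EXPOSED" if exposed else "local"
        print(f"{flag:8} {name}: {host_ip}:{host_port} -> {cport}")
```

On the sample, `web` shows up twice (IPv4 and IPv6 wildcard bindings for the same port) while `redis` is reported as local only; that is the difference between `-p 8080:80` and `-p 127.0.0.1:6379:6379`.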
Why can container A on a bridge reach B by IP, but not by name?
Overlay Network
**Overlay Network** is a virtual network on top of the physical network. Containers on different hosts get IPs from the same subnet and communicate as if on one L2 segment. Under the hood - VXLAN tunnels between hosts. Docker Swarm creates the `ingress` overlay on init and lets you add more with `docker network create -d overlay`. The tunnel traffic itself is plain UDP with no authentication or encryption: anyone who can send UDP/4789 to a host can inject frames into the overlay, so either firewall the underlay to the swarm nodes or create the network with `--opt encrypted` (IPsec between nodes).
**VXLAN (Virtual Extensible LAN)** encapsulates L2 frames in UDP (destination port 4789). VNI (VXLAN Network Identifier) = 24 bits = 16 million isolated networks. Solves the VLAN limit problem (12-bit ID, 4096 VLANs). The standard for cloud/container networking.
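To make the encapsulation concrete, here is an added example (not from the page, not Docker's code) that builds and parses the 8-byte VXLAN header from RFC 7348 and works out how much of a 1500-byte physical MTU the encapsulation consumes. The header layout and port number are from the RFC; the function names, the 60-byte inner frame and the VNI value are this example's own.

```python
"""VXLAN header encode/decode and overhead arithmetic (RFC 7348).

Added example, not code from the page or from Docker. The header that
sits after the outer UDP header (dst port 4789) is:
    flags(1 byte, I bit = 0x08) | reserved(3) | VNI(3) | reserved(1)
"""
import struct

VXLAN_UDP_PORT = 4789
FLAG_VNI_VALID = 0x08          # the "I" bit: VNI field is valid
VNI_MAX = (1 << 24) - 1        # 24-bit VNI -> 16,777,215 usable networks

# Outer headers wrapped around the original Ethernet frame.
ETH_HDR, IPV4_HDR, IPV6_HDR, UDP_HDR, VXLAN_HDR = 14, 20, 40, 8, 8


def encode_vxlan_header(vni: int) -> bytes:
    """Serialize the header big-endian, exactly as it appears on the wire."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI must fit in 24 bits, got {vni}")
    # word 1: flags in the top byte, 24 reserved bits below it
    # word 2: VNI in the top 24 bits, 8 reserved bits below it
    return struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8)


def decode_vxlan_header(hdr: bytes) -> int:
    """Return the VNI; a receiver must reject frames without the I bit."""
    if len(hdr) != VXLAN_HDR:
        raise ValueError("VXLAN header is exactly 8 bytes")
    flags_word, vni_word = struct.unpack("!II", hdr)
    if not (flags_word >> 24) & FLAG_VNI_VALID:
        raise ValueError("I flag not set: VNI is not valid")
    return vni_word >> 8


def header_is_valid(hdr: bytes) -> bool:
    """Convenience predicate around decode_vxlan_header."""
    try:
        decode_vxlan_header(hdr)
        return True
    except ValueError:
        return False


def encap_overhead(ipv6_underlay: bool = False) -> int:
    """Bytes added to each frame by VXLAN over an IPv4 or IPv6 underlay."""
    ip_hdr = IPV6_HDR if ipv6_underlay else IPV4_HDR
    return ETH_HDR + ip_hdr + UDP_HDR + VXLAN_HDR


def inner_mtu(physical_mtu: int = 1500, ipv6_underlay: bool = False) -> int:
    """Largest inner IP packet that still fits: outer IP + UDP + VXLAN +
    inner Ethernet header must come out of the physical MTU."""
    return physical_mtu - encap_overhead(ipv6_underlay)


def wrap_frame(vni: int, inner_frame: bytes) -> bytes:
    """VXLAN header + original L2 frame = the UDP payload sent to port 4789."""
    return encode_vxlan_header(vni) + inner_frame


if __name__ == "__main__":
    payload = wrap_frame(4096, b"\x00" * 60)      # constructed 60-byte frame
    print("header:", payload[:VXLAN_HDR].hex(), "VNI:", decode_vxlan_header(payload[:VXLAN_HDR]))
    print("IPv4 underlay overhead:", encap_overhead(), "bytes; container MTU:", inner_mtu())
```

Over an IPv4 underlay the arithmetic gives 50 bytes of overhead and an inner MTU of 1450, which is the MTU Docker sets on overlay network interfaces; over IPv6 it is 70 and 1430. Note that nothing in the header authenticates the sender, which is the reason for the `--opt encrypted` advice above.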
How much overhead does VXLAN add to a packet?
Container DNS
**Container DNS** is an embedded DNS server in Docker (127.0.0.11). Containers resolve each other's names via the Docker daemon. On user-defined networks it works automatically: container name = DNS name. In Compose - the service name.
**Service Discovery** - containers find each other by name, not by IP. IPs change on restart. Names are stable. In Docker Compose, services are resolved by the service name from docker-compose.yml.
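The question behind the two paragraphs above (and the earlier "reach B by IP but not by name" question) is: given the networks on a host, who can resolve whom? The following is an added example, not code from the page or from Docker. It reads the `Name`, `Driver`, `Options` and `Containers` fields that `docker network inspect` really prints, over a constructed sample so it runs offline; the rules it encodes are the page's own (DNS only on user-defined networks, IP reachability on any shared network) plus the `com.docker.network.bridge.enable_icc` option that turns off container-to-container traffic on a bridge. Function names are this example's own.

```python
"""Who can resolve whom: derive the service-discovery map from
`docker network inspect` output.

Added example, not from the original page. Live usage:
    docker network inspect $(docker network ls -q) | python3 peer_map.py
"""
import json
import sys

DEFAULT_BRIDGE = "bridge"          # the docker0 network: no embedded DNS
ICC_OPTION = "com.docker.network.bridge.enable_icc"

# Constructed sample: two containers on the default bridge, a user-defined
# app network, and a db network created with enable_icc=false.
SAMPLE = json.dumps([
    {"Name": "bridge", "Driver": "bridge",
     "Options": {ICC_OPTION: "true"},
     "Containers": {"a1": {"Name": "legacy-api", "IPv4Address": "172.17.0.2/16"},
                    "a2": {"Name": "legacy-db", "IPv4Address": "172.17.0.3/16"}}},
    {"Name": "app_net", "Driver": "bridge", "Options": {},
     "Containers": {"b1": {"Name": "web", "IPv4Address": "172.18.0.2/16"},
                    "b2": {"Name": "redis", "IPv4Address": "172.18.0.3/16"}}},
    {"Name": "db_net", "Driver": "bridge",
     "Options": {ICC_OPTION: "false"},      # peers cannot talk to each other
     "Containers": {"b2": {"Name": "redis", "IPv4Address": "172.19.0.2/16"},
                    "c1": {"Name": "postgres", "IPv4Address": "172.19.0.3/16"}}},
])


def peer_map(inspect_json: str) -> dict:
    """Return {container: {"by_ip": set, "by_name": set}}.

    * Containers sharing a network reach each other by IP, unless that
      network was created with enable_icc=false.
    * Name resolution via 127.0.0.11 exists only on user-defined networks,
      so peers on the default bridge never appear under "by_name".
    A container attached to several networks gets the union of its peers.
    """
    result = {}
    for net in json.loads(inspect_json):
        names = sorted(c["Name"] for c in net["Containers"].values())
        icc = net.get("Options", {}).get(ICC_OPTION, "true") != "false"
        has_dns = net["Name"] != DEFAULT_BRIDGE
        for me in names:
            entry = result.setdefault(me, {"by_ip": set(), "by_name": set()})
            for peer in names:
                if peer == me or not icc:
                    continue
                entry["by_ip"].add(peer)
                if has_dns:
                    entry["by_name"].add(peer)
    return result


def unresolvable_peers(inspect_json: str) -> dict:
    """Peers reachable only by IP: the links that break when an IP changes."""
    return {c: v["by_ip"] - v["by_name"]
            for c, v in peer_map(inspect_json).items()
            if v["by_ip"] - v["by_name"]}


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for name, v in sorted(peer_map(data).items()):
        print(f"{name:12} by name: {sorted(v['by_name'])}  "
              f"ip-only: {sorted(v['by_ip'] - v['by_name'])}")
```

On the sample, `web` and `redis` resolve each other by name, `legacy-api` and `legacy-db` see each other only by IP (the default bridge has no DNS, so any hardcoded 172.17.0.x address is a restart away from pointing at the wrong container), and `postgres` has no peers at all because `db_net` was created with inter-container communication disabled.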
Common misconception: localhost (127.0.0.1) inside a container points to the host.
Correction: 127.0.0.1 inside a container is the container itself, not the host.
A container has its own network namespace, so its loopback interface is its own. To reach the host use host.docker.internal (built in on Docker Desktop; on Linux add `--add-host=host.docker.internal:host-gateway` to docker run), the bridge gateway address (172.17.0.1 on the default bridge), or the host's real IP.
Why is DNS better than hardcoding container IP addresses?
Key Takeaways
- **Network drivers:** bridge (local, default), overlay (multi-host), host (shares the host's network namespace, no isolation), none (no network at all)
- **Bridge** = Linux bridge + veth pairs + NAT. Port publishing via iptables DNAT
- **Overlay** = VXLAN tunnels between hosts. Containers on different machines in the same L2 network
- **DNS (127.0.0.11)** - service discovery by name. User-defined networks only
- **User-defined > default bridge:** DNS, isolation, connect/disconnect on the fly
Related Topics
Container networking is an application of classic concepts:
- NAT — Bridge uses MASQUERADE and DNAT for port publishing
- Subnets — Each Docker network is its own subnet (172.17.0.0/16, 172.18.0.0/16...)
- Kubernetes Networking — K8s builds on these concepts + CNI plugins
Questions for Reflection
- How would you debug a situation where container A cannot connect to container B?
- Why do production environments often use external networking (Calico, Cilium) instead of Docker overlay?
- How do you enforce network security between containers? How do you restrict who can talk to whom?