At its core, Docker Networking is the mechanism that allows your containers to talk to each other, to the host machine, and to the outside world (the internet or your local corporate network).
Because containers are isolated environments, they don’t automatically share a network stack. Docker uses Linux kernel primitives (like network namespaces, virtual ethernet pairs, and iptables rules) to create virtual networks.
How It Works Under the Hood
When you start a container, Docker isolates it by giving it its own private Network Namespace. To connect this isolated space to the rest of the world, Docker creates a virtual wire called a veth pair (virtual ethernet).
One end of this wire is plugged into the container (usually showing up as eth0), and the other end is plugged into a virtual switch on the host machine (the Docker bridge).
The 4 Main Native Network Drivers
When you deploy containers, you can choose how isolated or exposed they are by changing the network driver.
1. Bridge Network (The Default)
- What it is: A private virtual network created by Docker on the host machine.
- How it works: Containers attached to the same bridge network get their own internal private IP addresses (e.g., 172.17.0.x) and can talk to each other seamlessly. To expose them to the outside world, you must map ports (e.g., -p 8080:80).
- Best for: Standard application stacks (like an Nginx container talking to a Node.js container on the same host).
2. Host Network (--net=host)
- What it is: Complete removal of network isolation between the container and the host.
- How it works: The container shares the host’s network stack directly. If your container opens port 80, it opens port 80 on the physical machine immediately. There are no virtual IPs or port mappings.
- Best for: System monitoring tools (like Node Exporter, which we discussed earlier) or ultra-high-performance applications where you cannot afford the tiny speed penalty of Docker’s virtual routing layer.
3. None Network (--net=none)
- What it is: Absolute network isolation.
- How it works: The container is spawned with its own loopback interface (127.0.0.1), but it has no external network interfaces, no IP address, and no access to the internet or other containers.
- Best for: Running secure batch processing jobs, calculation scripts, or cron tasks that do not require network access and shouldn’t be exposed to security vulnerabilities.
4. Overlay Network
- What it is: A multi-host network driver.
- How it works: It creates a distributed network across multiple physical servers. It allows containers running on Server A to talk securely to containers running on Server B as if they were on the exact same machine, handling the encryption and encapsulation automatically.
- Best for: Docker Swarm clusters or production microservices distributed over several bare-metal/cloud nodes.
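To turn the isolation levels above into a check you can actually run, here is an added audit script (not part of the original article) that reads `docker inspect` output, ranks each container by its network driver, and flags host-networked containers and port mappings bound to every host interface. The sample inspect JSON is constructed inline to mirror the four drivers; in practice you would feed it `docker inspect $(docker ps -q)`.

```python
import json

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields this audit reads. These are not real containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"NetworkMode": "app-net",
        "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]}}},
    {"Name": "/db", "HostConfig": {"NetworkMode": "app-net",
        "PortBindings": {"5432/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5432"}]}}},
    {"Name": "/node-exporter", "HostConfig": {"NetworkMode": "host", "PortBindings": {}}},
    {"Name": "/batch", "HostConfig": {"NetworkMode": "none", "PortBindings": {}}},
])

# Isolation ranking of the native drivers (lower = more isolated).
# Any other NetworkMode value (e.g. "app-net") is a user-defined bridge network.
ISOLATION = {"none": 0, "bridge": 1, "host": 2}


def audit(inspect_json):
    """Return one finding per container: effective driver, isolation rank,
    and any published ports reachable from all host interfaces."""
    findings = []
    for c in json.loads(inspect_json):
        hc = c["HostConfig"]
        mode = hc.get("NetworkMode", "bridge")
        driver = mode if mode in ISOLATION else "bridge"
        wide_open = []
        for cport, binds in (hc.get("PortBindings") or {}).items():
            for b in binds or []:
                # An empty HostIp, 0.0.0.0 or :: means the mapping is bound on
                # every host interface, not just loopback.
                if b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                    wide_open.append(f"{b['HostPort']}->{cport}")
        findings.append({
            "name": c["Name"].lstrip("/"),
            "driver": driver,
            "isolation": ISOLATION[driver],
            "wide_open_ports": wide_open,
            "flag": driver == "host" or bool(wide_open),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INSPECT):
        print(f)
```

Only `web` (published on all interfaces) and `node-exporter` (host networking) are flagged; `db` is bound to 127.0.0.1 and `batch` has no network at all.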
Docker Compose & Embedded DNS Discovery
One of the best features of Docker’s custom networking is Service Discovery.
When you create a docker-compose.yml file, Docker Compose automatically creates a dedicated custom Bridge Network just for that stack. Inside this custom network, Docker runs a tiny embedded DNS server at the IP address 127.0.0.11.
Instead of hardcoding fragile IP addresses into your application configs, your containers can talk to each other using their Service Names:
```yaml
version: '3.8'
services:
  web:
    image: nginx
    networks:
      - app-net
  db:
    image: postgres
    networks:
      - app-net
networks:
  app-net:
    driver: bridge
```
Because they are on the same custom network, the web container can reach the database simply by connecting to http://db:5432. Docker’s internal DNS dynamically maps the name db to whatever private IP the Postgres container holds at that moment.