Docker Network Modes Explained: Bridge, Host, and Overlay Comparisons

Indumathi M
4 min read · Jun 26, 2024


In Docker, networking is essential for communication between containers and the host. Let’s explore three main types of Docker networks: Bridge, Host, and Overlay, through two scenarios.

Scenario 1: When One Container Needs to Talk to Another

Imagine you have two containers: C1 (Frontend) and C2 (Backend). The frontend container must communicate with the backend container, which requires a networking mechanism.

Scenario 2: When Containers Need to Be Isolated

Consider C2 (Finance), which contains sensitive user information, and C1 (Login), which is accessible by developers, users, or testers. Logical isolation is necessary to ensure security.

Before Diving into Scenarios: Understanding Docker Networking

Bridge Network

The Bridge network allows containers to communicate with each other and the host.

  • Setup: Hosts and containers have network interfaces (e.g., eth0). For instance, the host might have eth0: 192.168.1.2, while a container might have eth0: 172.17.0.2.
  • Communication: Docker creates a Virtual Ethernet (VETH) pair that attaches the container to the docker0 bridge, allowing the container to communicate with the host.

Host Network

The Host network allows containers to use the host’s network directly, providing higher performance but less isolation.

  • Setup: The container uses the host’s eth0 interface. For example, if the host has eth0: 192.168.1.2, the container might use eth0: 192.168.1.3.
  • Security Concern: This setup is insecure because the host and container share the same network.

Overlay Network

The Overlay network is used for multi-host networking, ideal for environments like Docker Swarm or Kubernetes.

  • Setup: It enables containers on different hosts to communicate securely.
  • Usage: This network is more complex but crucial for distributed applications.

Hands-on Practical Examples Explained

1. Creating a Login Container (No Isolation Required)

docker run -d --name login nginx:latest
docker images
docker ps

To log into the “login” container and install additional packages like “ping”, follow these steps:

docker exec -it <container_id> /bin/bash
apt-get update -y
apt-get install iputils-ping

2. Creating a Logout Container (No Isolation Required)

Follow the same process to create a logout container.

Now, we can proceed to check the IP addresses assigned to both the “login” and “logout” containers.

docker inspect login

docker inspect logout

The IP address of the login container is 172.17.0.2 with the network set to Bridge, while the logout container has the IP address 172.17.0.3 also on the Bridge network. Given that both containers reside within the same subnet or CIDR block, pinging from the logout container to the login container will successfully establish communication.

Addressing Security Concerns

By default, all containers use the same VETH and docker0 bridge, which can be insecure. To enhance security, especially for sensitive applications like the Payment container, we can create a custom bridge network.

Using a “Custom Bridge Network” can improve security by isolating sensitive containers.

Now, we will create a Payment container that needs to be logically isolated from the Login container. To achieve this, we’ll set up a custom bridge network.

1. Create a Docker network using the command below:

docker network create <network_name>
docker network ls

2. Now, we can attach the custom bridge network or host network to the containers. Next, we’ll attach the secure network to the Payment container.

3. Let’s inspect the Payment container. It is connected to the secure-network with an IP address of 172.19.0.2, which belongs to a different subnet compared to the previous login and logout containers. This isolation ensures complete separation from both of those containers.

4. We can verify connectivity by attempting to ping from the Payment container to the Logout container. Upon logging into the Payment container and initiating the ping command, we observe that connectivity is not established.
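The ping test above can be complemented by reading network attachments directly from `docker inspect`. The following is an added example, not code from the article or its repository: it parses inspect output and reports which containers share a network and whether a sensitive container is isolated. It assumes containers named login, logout and payment, with payment started using `--network secure-network`; the helper `record()` and the sample data are constructed for illustration.

```python
import ipaddress
import json
from itertools import combinations

def record(name, mode, nets):
    return {"Name": "/" + name, "HostConfig": {"NetworkMode": mode},
            "NetworkSettings": {"Networks": {
                n: {"IPAddress": ip, "IPPrefixLen": 16 if ip else 0} for n, ip in nets.items()}}}

# Constructed sample of the `docker inspect` fields used below; names and IPs follow the article.
SAMPLE = json.dumps([
    record("login", "bridge", {"bridge": "172.17.0.2"}),
    record("logout", "bridge", {"bridge": "172.17.0.3"}),
    record("payment", "secure-network", {"secure-network": "172.19.0.2"}),
])

def attachments(inspect_json):
    """Return {container: (network mode, {network name: interface address})}."""
    out = {}
    for c in json.loads(inspect_json):
        nets = c["NetworkSettings"]["Networks"] or {}
        out[c["Name"].lstrip("/")] = (c["HostConfig"]["NetworkMode"], {
            n: ipaddress.ip_interface(f"{v['IPAddress']}/{v['IPPrefixLen']}")
            for n, v in nets.items() if v.get("IPAddress")})  # host mode reports no IP
    return out

def shared_networks(inspect_json):
    """List (a, b, [networks]) for each container pair attached to a common network."""
    att = attachments(inspect_json)
    pairs = [(a, b, sorted(att[a][1].keys() & att[b][1].keys()))
             for a, b in combinations(sorted(att), 2)]
    return [p for p in pairs if p[2]]

def isolation_findings(inspect_json, sensitive):
    """Explain why containers named in `sensitive` are not isolated; [] means isolated."""
    att = attachments(inspect_json)
    findings = []
    for name in sorted(sensitive):
        mode, nets = att[name]
        if mode == "host":
            findings.append(f"{name}: uses the host's network stack")
        if "bridge" in nets:
            findings.append(f"{name}: attached to the default bridge")
    for a, b, common in shared_networks(inspect_json):
        if (a in sensitive) != (b in sensitive):
            findings.append(f"{a} and {b}: share {', '.join(common)}")
    return findings

if __name__ == "__main__":
    print(shared_networks(SAMPLE), isolation_findings(SAMPLE, {"payment"}))
```

On a live host, pass the output of `docker inspect login logout payment` in place of `SAMPLE`. The check covers network attachments only; ports published to the host are a separate exposure.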

GITHUB LINK

To gain practical knowledge and insights into effective development practices, explore my GitHub repository and recreate the workflow from your end.

Repo : https://github.com/Induprojects/Docker
