alredho.com

Photo by Ryoji Iwata / Unsplash

Understanding docker networking: host vs bridge

docker Aug 6, 2024

Docker provides several networking options to connect containers to each other and to external networks. The most common network drivers are:

  • Bridge: The default network driver. It creates an isolated network for containers on a single host.
  • Host: Removes network isolation between the container and the Docker host, using the host’s networking stack.
  • Overlay: Used for multi-host networks, enabling containers on different Docker hosts to communicate.
  • Macvlan: Assigns a MAC address to each container, making it appear as a physical device on the network.
  • None: Disables networking for a container.

In this article, we'll focus on the host and bridge networks.

Host network

The host network driver removes the network isolation between the Docker container and the Docker host. When a container is started with the host network, it shares the host’s network namespace. This means the container will use the host’s IP address and can directly access network interfaces on the host.

Benefit of host network

  1. Performance
    Because there is no network translation (NAT) overhead, the performance is closer to running the service directly on the host.
  2. Simplicity
    Easier to manage networking configurations as it uses the host's networking stack.

Drawback of host network

  1. Port Conflicts
    Since the container shares the host's network, it can lead to port conflicts if multiple services try to use the same port.
  2. Isolation
    Reduced network isolation can pose security risks.

Bridge network

The bridge network is the default network driver for Docker containers. It creates a private internal network on the Docker host, allowing containers to communicate with each other through this bridge while being isolated from the host's network.

Benefit of bridge network

  1. Isolation
    Containers are isolated from the host network, improving security.
  2. Port Mapping
    Allows you to map ports from the container to the host, avoiding port conflicts.
  3. Custom Network
    You can create custom bridge networks to segment your containers into different groups.

Drawback of bridge network

  1. Performance
    Network translation (NAT) introduces a small performance overhead compared to the host network.
  2. Complexity
    Managing port mappings and custom networks can be more complex.

How to use in Portainer

Host network

  1. You simply have to specify in your compose:
    version: '3.8'
services:
  service_name:
    ...
    network_mode: host
    ...
  2. Be aware that host network mode will try to map whatever ports the container are using to your device, if even one of the port is already used then the container will fail to deploy

Bridge network

Create the bridge network

  1. You can certainly create the network in the compose, but I consider it best practice to create it beforehand
  2. Open up Portainer, click on Networks
  3. Click + Add network, fill in the name and make sure the Driver is bridge, you can fill in other details if you want before you click Create the network

Apply bridge network in compose

  1. You simply have to specify in your compose:

    version: '3'
services:
  service_name:
    ...

networks:
  default:
    name: ${BRIDGE_NETWORK_NAME}
    external: true

  2. At times you may want to use multiple bridge network for different services to connect/separate service groups, you can do so like this:

    version: '3'
services:
  service_1:
    networks:
      - default
      - bridge_2
    ...

  service_2:
    networks:
      - default
    ...

  service_3:
    networks:
      - bridge_3
    ...

networks:
  default:
    name: bridge_1
    external: true
  bridge_2:
    name: bridge_2
    external: true
  bridge_3:
    name: bridge_3
    external: true

    That way service_1 can talk to both service_2 and service_3
    But service_2 can't talk to service_3 directly

Tags

Alredho Arya Pradana

Recommended for you