DOCKER - 14 Network Concepts
To follow this lesson you should know how to start a container and have some background on TCP/IP networking: subnets, IP addresses, ports and firewalls. The first concept to remember is the `-p` option of `docker container run`, which maps a host port to a container port and exposes the container to your machine's network.
Docker has a "batteries included but removable" philosophy: the defaults are simple and consistent, but almost every option can be changed. In this lesson we will also look at `docker container port`, which gives you a quick view of the ports forwarded to a given container.
Docker networking essentials
- Default bridge network: when you start a container, it implicitly joins a Docker network. By default this is the bridge network, which sits behind a NAT firewall managed by Docker.
- No need for `-p` between containers on the same network: a PHP/Apache container and its database can talk to each other directly without exposing ports to the host.
- App isolation through virtual networks: create a dedicated network for each application (for example Mongo + Node.js for one app, MySQL + PHP for another) so unrelated containers cannot reach each other.
- `--net=host`: attaches the container directly to the host's interface, bypassing Docker's virtual networking. You lose isolation benefits but may need it for some specific cases.
- Custom drivers and plugins: Docker's plugin ecosystem allows alternative network drivers for more advanced scenarios.
Recapping the CLI: when you ran your first container with `docker container run -p 80:80 --name webhost -d nginx`, the `-p` bound host port 80 to container port 80. `docker container port webhost` shows those mappings in a compact format. To get the actual container IP, use:
`docker container inspect --format '{{ .NetworkSettings.IPAddress }}' webhost`
You will see an IP from Docker's bridge subnet (typically 172.17.x.x), not your host's 192.x.x.x range. For local development and testing, defaults are usually enough, but everything can be customized. See you in the next video.
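A mapping such as `-p 80:80` binds the host port on every host interface unless a host IP is given, so it is worth checking what `docker container port` actually reports. The following is an added example, not part of the original lesson: it classifies each reported mapping by the host address it is bound to. The function names and the sample output are constructed, and the line format `<port>/<proto> -> <host-ip>:<host-port>` is assumed.

```shell
#!/bin/sh
# Added example: classify `docker container port <name>` lines by host bind address.
# Assumed line format: "<container-port>/<proto> -> <host-ip>:<host-port>".
# Real use: docker container port webhost | audit_port_bindings

# Constructed sample: -p 80:80 (IPv4 + IPv6 wildcard) and -p 127.0.0.1:5432:5432.
SAMPLE_OUTPUT='80/tcp -> 0.0.0.0:80
80/tcp -> [::]:80
5432/tcp -> 127.0.0.1:5432'

# Reads mappings on stdin and prints one verdict per mapping:
#   EXPOSED  bound to every host interface, reachable from the physical network
#   LOCAL    bound to loopback, reachable only from the host itself
#   SPECIFIC bound to one chosen host address
audit_port_bindings() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        container_side=${line%%" -> "*}   # e.g. 80/tcp
        host_side=${line##*" -> "}        # e.g. 0.0.0.0:80
        host_port=${host_side##*:}        # text after the last colon
        host_ip=${host_side%:*}           # text before the last colon
        case "$host_ip" in
            0.0.0.0|"[::]"|"::")  verdict=EXPOSED ;;
            127.*|"[::1]"|"::1")  verdict=LOCAL ;;
            *)                    verdict=SPECIFIC ;;
        esac
        printf '%s %s host=%s port=%s\n' \
            "$verdict" "$container_side" "$host_ip" "$host_port"
    done
}

# Prints how many mappings on stdin are bound to every interface.
count_exposed() {
    audit_port_bindings | grep -c '^EXPOSED' || true
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | audit_port_bindings
```

A service that only the host itself needs to reach can be published as `-p 127.0.0.1:5432:5432`, which the function reports as LOCAL.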
Summary
This lesson covers Docker networking fundamentals, including how containers connect to networks, the port mapping mechanism via the `-p` flag, and how Docker's default bridge network enables container communication. It explains that Docker uses configurable virtual networks where containers can communicate without exposing ports to the physical network, and introduces tools like `docker container port` and `docker inspect` to view network configurations.
Key points
- Docker containers join a virtual network by default: the bridge network, whose traffic passes through a NAT firewall managed by Docker
- The `-p` flag maps host machine ports to container ports (`-P` publishes every exposed port on a random host port), exposing the mapped services to the physical network while the container's other ports stay isolated
- Containers on the same Docker network can communicate directly with each other without opening ports to the wider system, enabling secure multi-container applications
- Use `docker container port <name>` to quickly view which host ports are forwarded to a specific container
- Container IP addresses are separate from the host machine IP—containers are assigned IPs on Docker's internal network range (e.g., 172.x.x.x)
- All Docker networking defaults are modifiable: you can create multiple virtual networks, adjust IP configurations, and choose different network drivers to extend functionality
FAQ
Why do containers have different IP addresses than the host machine?
Docker assigns containers IP addresses on a separate virtual network (default bridge network) rather than the physical host network. This isolation provides security and allows multiple containers to run independently. You can view a container's IP using `docker inspect` with a format filter.
How can two containers communicate with each other without using port mappings?
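When containers are connected to the same Docker network, they can communicate directly by container name or IP address without needing `-p` port mappings. Name lookup relies on Docker's built-in DNS, which is available on user-defined networks; on the default bridge network, containers reach each other by IP address. Either way, their communication stays internal to Docker's network and avoids unnecessary exposure to the physical network.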
What does 'batteries included but swappable' mean for Docker networking?
This means Docker provides sensible, working-out-of-the-box default network configurations (bridge network, automatic IP assignment, port forwarding), but nearly all these settings are modifiable. You can change network drivers, create custom networks, adjust IP ranges, and configure security policies as needed for your application.