DOCKER - 15 Virtual-Networks

Now that we understand Docker networking concepts, let's see the command-line options to manage virtual networks. `docker network ls` lists existing networks, `docker network inspect <name>` shows the details of a given network (including attached containers and IPAM configuration), and `docker network create` creates a new virtual network, optionally specifying a driver. `docker network connect` and `docker network disconnect` attach or detach a running container, much like plugging or unplugging an Ethernet cable in real life.

By default `docker network ls` shows three networks: bridge (often labelled docker0), the default NAT bridge to your physical network; host, which bypasses Docker's virtual networking and attaches the container directly to the host interface; and none, which gives the container an interface connected to nothing. The bridge network is where containers land if no `--network` is specified, typically on subnet 172.17.x.x.

Creating and using a custom network

  • Create a network: `docker network create my_app_net` (bridge driver by default, subnet 172.18 and up).
  • Run a container on it: `docker container run -d --name new_nginx --network my_app_net nginx`.
  • Connect an existing container: `docker network connect my_app_net webhost` adds a second interface to the running container.
  • Disconnect: `docker network disconnect my_app_net webhost` removes the interface.
  • Advanced: `docker network create --help` shows all driver, subnet and IP options for advanced scenarios.

Inspecting webhost after connecting it to my_app_net shows two NICs: one on the original 172.17 bridge, one on 172.18 of the new network. The end goal is isolation: by grouping each application's containers in a dedicated virtual network and exposing only what is needed with -p, you get a much safer setup than overexposing everything on the host. Later, when we cover Docker Swarm, we will look at multi-host networking. See you in the next video.
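
To check the isolation goal described above, the following added example (not part of the original lesson) reviews which containers sit on which networks and flags the three cases that weaken isolation. The sample data, the metrics_agent container, the IP addresses and the finding labels are constructed for illustration; the commented docker command assumes the CLI's Go-template `--format` option.

```bash
#!/bin/sh
# Added example: isolation review of container-to-network attachments.
# Input lines: "<network> <container> [<ip/prefix>]". On a live host one
# way to produce them (assumes the Docker CLI's Go-template --format):
#   docker network inspect -f \
#     '{{$n := .Name}}{{range .Containers}}{{println $n .Name .IPv4Address}}{{end}}' \
#     $(docker network ls -q)

# Constructed sample data modelled on the lesson (webhost, new_nginx);
# metrics_agent and all IP addresses are made up for illustration.
sample_attachments() {
  cat <<'EOF'
bridge webhost 172.17.0.2/16
my_app_net new_nginx 172.18.0.2/16
my_app_net webhost 172.18.0.3/16
host metrics_agent
EOF
}

# Emits one finding per line, sorted:
#   HOST_NETWORK <c>     shares the host's interfaces, no virtual network
#   DEFAULT_BRIDGE <c>   sits on the catch-all default bridge
#   MULTI_HOMED <c> <n>  attached to several networks, so it links them
audit_attachments() {
  awk '
    NF < 2 { next }                       # skip blank or malformed lines
    {
      if ($2 in nets) nets[$2] = nets[$2] "," $1; else nets[$2] = $1
      count[$2]++
    }
    $1 == "host"   { onhost[$2] = 1 }
    $1 == "bridge" { onbridge[$2] = 1 }
    END {
      for (c in count) {
        if (c in onhost)   print "HOST_NETWORK " c
        if (c in onbridge) print "DEFAULT_BRIDGE " c
        if (count[c] > 1)  print "MULTI_HOMED " c " " nets[c]
      }
    }
  ' | sort
}

sample_attachments | audit_attachments
```

A MULTI_HOMED finding is not automatically wrong (the lesson connects webhost to two networks on purpose), but each one is a path between otherwise separate networks and is worth confirming.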

Summary

This lesson covers Docker virtual networking, including the three main network drivers (bridge, host, and none) and their use cases. You'll learn essential Docker network commands like `docker network ls`, `inspect`, and `create`, plus how to dynamically connect or disconnect containers from networks without restarting them. The lesson demonstrates creating custom virtual networks, managing IP addressing via IPAM, and protecting multi-container applications through network isolation.

Key points

  • Docker offers three network drivers: bridge (default, creates isolated local networks), host (direct physical interface access with higher performance), and none (complete network isolation)
  • Use `docker network create` with optional drivers and flags to build custom virtual networks with specific IP configurations and subnets
  • The `docker network connect` and `disconnect` commands allow you to dynamically add or remove network interfaces from running containers—similar to plugging/unplugging ethernet cables on a live computer
  • Docker automatically assigns IP addresses via IPAM with default subnets like 172.17.x.x for the default bridge network, 172.18.x.x for the first custom network, etc.
  • Custom bridge networks provide robust isolation and security for applications running on a single host, and containers can attach to multiple networks simultaneously
  • Use `docker network inspect <network>` to view all containers attached to a network, their assigned IPs, and the network's gateway and subnet configuration

FAQ

What is the difference between bridge and host networks in Docker?

Bridge networks create isolated virtual networks with their own subnet and gateway, providing security and container isolation but with slight performance overhead. Host networks bypass Docker's virtual networking entirely, attaching containers directly to the physical interface for maximum performance—but sacrificing container isolation and security benefits.

How can I add a new network to a running container without restarting it?

Use `docker network connect <network-name> <container-name>` to dynamically add a new network interface to a running container. This is equivalent to inserting a new ethernet card into a live computer. You can also disconnect networks with `docker network disconnect <network-name> <container-name>`.

What is the default IP subnet for Docker bridge networks?

The default bridge network typically uses the 172.17.x.x subnet with the gateway at 172.17.0.1. Custom networks you create automatically use 172.18.x.x, 172.19.x.x, and so on. You can verify this with `docker network inspect <network>` to see the IPAM configuration.