DOCKER - 15 Virtual-Networks
Now that we understand Docker networking concepts and how virtual networks and IPs work, let's go through the command-line options that manage them. The starting point is docker network ls to list networks, while docker network inspect shows the details of a specific network. The create command builds a new virtual network and accepts an optional --driver flag for built-in or third-party drivers. Finally, connect and disconnect add or remove a network interface on a running container — much like plugging a NIC into a powered-on computer.
Listing and inspecting networks
Running docker network ls shows every network that exists. Depending on your OS and Docker version, you'll see the bridge network called docker0 or bridge — both refer to the same default network connecting Docker's NAT firewall to your physical host. With an Nginx container running, docker network inspect bridge lists the attached containers (our webhost Nginx for instance), their IPs, and the IPAM configuration. The default subnet is usually 172.17.0.0/16, which can be customised, along with the gateway that routes traffic to the physical network.
Two other built-in networks deserve a mention. The host network bypasses Docker's virtual networking and attaches the container directly to the host interface — useful for high-throughput scenarios, but it weakens the isolation guarantees. The none network gives a container an interface attached to nothing, like an unplugged NIC.
docker network create my_app_net — create a bridge network
docker container run -d --name new_nginx --network my_app_net nginx — attach at creation
docker network connect my_app_net webhost — hot-plug an existing container
docker network disconnect my_app_net webhost — unplug it
Creating my_app_net uses the default bridge driver, which allocates the next free subnet (around 172.18.0.0/16, then 172.19.0.0/16, 172.20.0.0/16, and so on). Advanced features like overlay networks for multi-host private networking, or third-party drivers such as Weave, will be covered later. The docker network create --help output lists every IP and driver option available for advanced scenarios.
You can switch containers between networks at runtime. After connecting our existing webhost to my_app_net, docker container inspect webhost will list two interfaces — one on the bridge network, one on my_app_net with a fresh IP. Disconnecting brings it back to a single network. The big benefit is security: by grouping app containers into a private virtual network and exposing only the necessary ports with -p, you drastically reduce the attack surface compared to a flat physical network. Multi-host networking will be addressed when we cover Docker Swarm.
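To check that containers really sit where the isolation argument above assumes, the following added example (not part of the original notes) audits the JSON that docker network inspect prints and flags containers on the host network, on the default bridge, or attached to more than one network. The sample data is constructed, and the container name metrics and the function name audit_networks are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `docker network inspect bridge my_app_net host`
# (IDs shortened, values made up; only the fields the audit reads are kept).
SAMPLE = json.loads("""
[
 {"Name": "bridge", "Driver": "bridge",
  "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
  "Containers": {"aaa111": {"Name": "webhost", "IPv4Address": "172.17.0.2/16"}}},
 {"Name": "my_app_net", "Driver": "bridge",
  "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]},
  "Containers": {"aaa111": {"Name": "webhost", "IPv4Address": "172.18.0.3/16"},
                 "bbb222": {"Name": "new_nginx", "IPv4Address": "172.18.0.2/16"}}},
 {"Name": "host", "Driver": "host", "IPAM": {"Config": []},
  "Containers": {"ccc333": {"Name": "metrics", "IPv4Address": ""}}}
]
""")

def audit_networks(networks):
    """Return {container_name: [finding, ...]} for isolation-relevant placements."""
    membership = defaultdict(list)  # container name -> [(network, driver, ip)]
    for net in networks:
        # "Containers" may be empty or null for networks with nothing attached.
        for c in (net.get("Containers") or {}).values():
            membership[c["Name"]].append(
                (net["Name"], net["Driver"], c.get("IPv4Address", "")))

    findings = {}
    for name, nets in sorted(membership.items()):
        notes = []
        if any(driver == "host" for _, driver, _ in nets):
            notes.append("uses host networking: no virtual-network isolation")
        if any(net == "bridge" for net, _, _ in nets):
            notes.append("on default bridge: shared with every container "
                         "started without --network")
        if len(nets) > 1:
            joined = ", ".join(f"{net} ({ip})" for net, _, ip in nets)
            notes.append(f"multi-homed, links segments: {joined}")
        if notes:
            findings[name] = notes
    return findings

if __name__ == "__main__":
    for name, notes in audit_networks(SAMPLE).items():
        for note in notes:
            print(f"{name}: {note}")
```

On a real host, feed it the output of docker network inspect $(docker network ls -q) parsed with json.loads in place of SAMPLE.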