[{"data":1,"prerenderedAt":1597},["ShallowReactive",2],{"blog-en-docker-networking-deep-dive":3,"blog-en-docker-networking-deep-dive-alt":200},{"id":4,"title":5,"author":6,"body":7,"date":1584,"description":1585,"extension":1586,"image":168,"locale":1587,"meta":1588,"navigation":200,"path":1589,"seo":1590,"stem":1591,"tags":1592,"__hash__":1596},"blog\u002Fblog\u002Fen\u002Fdocker-networking-deep-dive.md","Docker Networking Deep Dive: Choosing Between bridge, host, and overlay","Kubo Team",{"type":8,"value":9,"toc":1559},"minimark",[10,14,25,30,44,162,221,229,233,240,245,256,334,338,345,420,423,455,464,468,650,657,661,668,710,714,723,772,776,802,806,838,864,875,879,886,890,897,975,979,987,1037,1041,1048,1135,1139,1142,1185,1194,1198,1202,1282,1286,1437,1445,1449,1452,1505,1513,1517,1520,1537,1547,1555],[11,12,13],"p",{},"Docker container networking controls communication between containers, with the host, and with external networks. The three primary network drivers — bridge, host, and overlay — each have distinct characteristics, and choosing the right one directly impacts application performance and security.",[11,15,16,17,24],{},"At ",[18,19,23],"a",{"href":20,"rel":21},"https:\u002F\u002Fkubo.hexabase.io\u002F",[22],"nofollow","Kubo",", we provide container networking on Kubernetes, but understanding Docker-level networking forms the foundation for Kubernetes networking concepts. This article dives deep into each network mode's architecture and practical selection criteria.",[26,27,29],"h2",{"id":28},"docker-network-architecture-fundamentals","Docker Network Architecture Fundamentals",[11,31,32,33,37,38,43],{},"Docker networking is implemented through the ",[34,35,36],"strong",{},"libnetwork"," library using a pluggable driver model. The ",[18,39,42],{"href":40,"rel":41},"https:\u002F\u002Fdocs.docker.com\u002Fengine\u002Fnetwork\u002Fdrivers\u002Foverlay\u002F",[22],"Docker official documentation"," describes five network drivers.",[45,46,47,69],"table",{},[48,49,50],"thead",{},[51,52,53,57,60,63,66],"tr",{},[54,55,56],"th",{},"Driver",[54,58,59],{},"Scope",[54,61,62],{},"Isolation",[54,64,65],{},"Performance",[54,67,68],{},"Primary Use",[70,71,72,92,110,128,144],"tbody",{},[51,73,74,80,83,86,89],{},[75,76,77],"td",{},[34,78,79],{},"bridge",[75,81,82],{},"Single host",[75,84,85],{},"High",[75,87,88],{},"Medium",[75,90,91],{},"Default, general container communication",[51,93,94,99,101,104,107],{},[75,95,96],{},[34,97,98],{},"host",[75,100,82],{},[75,102,103],{},"None",[75,105,106],{},"Highest",[75,108,109],{},"Performance-critical scenarios",[51,111,112,117,120,122,125],{},[75,113,114],{},[34,115,116],{},"overlay",[75,118,119],{},"Multi-host",[75,121,85],{},[75,123,124],{},"Medium-Low",[75,126,127],{},"Docker Swarm \u002F cross-cluster communication",[51,129,130,135,137,139,141],{},[75,131,132],{},[34,133,134],{},"macvlan",[75,136,82],{},[75,138,85],{},[75,140,85],{},[75,142,143],{},"Direct physical network attachment",[51,145,146,151,154,157,159],{},[75,147,148],{},[34,149,150],{},"none",[75,152,153],{},"-",[75,155,156],{},"Complete",[75,158,153],{},[75,160,161],{},"Security-focused containers",[163,164,169],"pre",{"className":165,"code":166,"language":167,"meta":168,"style":168},"language-bash shiki shiki-themes tokyo-night","# List available networks\ndocker network ls\n\n# Inspect network details\ndocker network inspect bridge\n","bash","",[170,171,172,181,195,202,208],"code",{"__ignoreMap":168},[173,174,177],"span",{"class":175,"line":176},"line",1,[173,178,180],{"class":179},"sbD-w","# List available networks\n",[173,182,184,188,192],{"class":175,"line":183},2,[173,185,187],{"class":186},"sE3pS","docker",[173,189,191],{"class":190},"sPY7s"," network",[173,193,194],{"class":190}," ls\n",[173,196,198],{"class":175,"line":197},3,[173,199,201],{"emptyLinePlaceholder":200},true,"\n",[173,203,205],{"class":175,"line":204},4,[173,206,207],{"class":179},"# Inspect network details\n",[173,209,211,213,215,218],{"class":175,"line":210},5,[173,212,187],{"class":186},[173,214,191],{"class":190},[173,216,217],{"class":190}," inspect",[173,219,220],{"class":190}," bridge\n",[11,222,223,228],{},[18,224,227],{"href":225,"rel":226},"https:\u002F\u002Fwww.hexabase.com\u002Fproduct\u002Fcaptain-ai\u002F",[22],"Captain.AI"," analyzes your application requirements and automatically suggests optimal network configurations.",[26,230,232],{"id":231},"bridge-network-the-default-choice","Bridge Network: The Default Choice",[11,234,235,236,239],{},"Bridge is Docker's default network driver, most widely used for ",[34,237,238],{},"container-to-container communication on a single host",".",[241,242,244],"h3",{"id":243},"how-it-works","How It Works",[11,246,247,248,251,252,255],{},"Docker creates a virtual bridge interface called ",[170,249,250],{},"docker0",", and containers communicate through this bridge. Each container receives a private IP address from the ",[170,253,254],{},"172.17.0.0\u002F16"," subnet.",[163,257,259],{"className":165,"code":258,"language":167,"meta":168,"style":168},"# Start containers on default bridge network\ndocker run -d --name web nginx\ndocker run -d --name api node:20-alpine\n\n# Check IP address\ndocker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' web\n",[170,260,261,266,286,302,306,311],{"__ignoreMap":168},[173,262,263],{"class":175,"line":176},[173,264,265],{"class":179},"# Start containers on default bridge network\n",[173,267,268,270,273,277,280,283],{"class":175,"line":183},[173,269,187],{"class":186},[173,271,272],{"class":190}," run",[173,274,276],{"class":275},"sT800"," -d",[173,278,279],{"class":275}," --name",[173,281,282],{"class":190}," web",[173,284,285],{"class":190}," nginx\n",[173,287,288,290,292,294,296,299],{"class":175,"line":197},[173,289,187],{"class":186},[173,291,272],{"class":190},[173,293,276],{"class":275},[173,295,279],{"class":275},[173,297,298],{"class":190}," api",[173,300,301],{"class":190}," node:20-alpine\n",[173,303,304],{"class":175,"line":204},[173,305,201],{"emptyLinePlaceholder":200},[173,307,308],{"class":175,"line":210},[173,309,310],{"class":179},"# Check IP address\n",[173,312,314,316,318,321,325,328,331],{"class":175,"line":313},6,[173,315,187],{"class":186},[173,317,217],{"class":190},[173,319,320],{"class":275}," -f",[173,322,324],{"class":323},"sAklC"," '",[173,326,327],{"class":190},"{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}",[173,329,330],{"class":323},"'",[173,332,333],{"class":190}," web\n",[241,335,337],{"id":336},"user-defined-bridge-networks","User-Defined Bridge Networks",[11,339,340,341,344],{},"Using a ",[34,342,343],{},"user-defined bridge network"," instead of the default bridge is strongly recommended.",[163,346,348],{"className":165,"code":347,"language":167,"meta":168,"style":168},"# Create user-defined network\ndocker network create --driver bridge myapp-network\n\n# Start containers on the network\ndocker run -d --name web --network myapp-network nginx\ndocker run -d --name api --network myapp-network node:20-alpine\n",[170,349,350,355,373,377,382,402],{"__ignoreMap":168},[173,351,352],{"class":175,"line":176},[173,353,354],{"class":179},"# Create user-defined network\n",[173,356,357,359,361,364,367,370],{"class":175,"line":183},[173,358,187],{"class":186},[173,360,191],{"class":190},[173,362,363],{"class":190}," create",[173,365,366],{"class":275}," --driver",[173,368,369],{"class":190}," bridge",[173,371,372],{"class":190}," myapp-network\n",[173,374,375],{"class":175,"line":197},[173,376,201],{"emptyLinePlaceholder":200},[173,378,379],{"class":175,"line":204},[173,380,381],{"class":179},"# Start containers on the network\n",[173,383,384,386,388,390,392,394,397,400],{"class":175,"line":210},[173,385,187],{"class":186},[173,387,272],{"class":190},[173,389,276],{"class":275},[173,391,279],{"class":275},[173,393,282],{"class":190},[173,395,396],{"class":275}," --network",[173,398,399],{"class":190}," myapp-network",[173,401,285],{"class":190},[173,403,404,406,408,410,412,414,416,418],{"class":175,"line":313},[173,405,187],{"class":186},[173,407,272],{"class":190},[173,409,276],{"class":275},[173,411,279],{"class":275},[173,413,298],{"class":190},[173,415,396],{"class":275},[173,417,399],{"class":190},[173,419,301],{"class":190},[11,421,422],{},"Advantages of user-defined bridges:",[424,425,426,437,443,449],"ul",{},[427,428,429,432,433,436],"li",{},[34,430,431],{},"dns-based service discovery",": communicate by container name (",[170,434,435],{},"http:--api:3000",")",[427,438,439,442],{},[34,440,441],{},"Automatic DNS resolution",": Default bridge requires IP-based communication",[427,444,445,448],{},[34,446,447],{},"Network isolation",": Block communication between containers on different networks",[427,450,451,454],{},[34,452,453],{},"Dynamic connect\u002Fdisconnect",": Change running container networks on the fly",[11,456,457,458,463],{},"The ",[18,459,462],{"href":460,"rel":461},"https:\u002F\u002Fdev.to\u002Fcaffinecoder54\u002Fdocker-networking-deep-dive-understanding-bridge-host-and-overlay-networks-1kac",[22],"DEV Community Docker networking article"," recommends user-defined bridges as the standard for all projects.",[241,465,467],{"id":466},"bridge-networks-in-docker-compose","Bridge Networks in Docker Compose",[163,469,473],{"className":470,"code":471,"language":472,"meta":168,"style":168},"language-yaml shiki shiki-themes tokyo-night","services:\n  web:\n    image: nginx\n    networks:\n      - frontend\n  api:\n    image: node:20-alpine\n    networks:\n      - frontend\n      - backend\n  db:\n    image: postgres:16\n    networks:\n      - backend\n\nnetworks:\n  frontend:\n    driver: bridge\n  backend:\n    driver: bridge\n    internal: true  # Block external access\n","yaml",[170,474,475,484,491,501,508,517,524,533,540,547,555,563,573,580,587,592,600,608,618,626,635],{"__ignoreMap":168},[173,476,477,481],{"class":175,"line":176},[173,478,480],{"class":479},"s0U2E","services",[173,482,483],{"class":323},":\n",[173,485,486,489],{"class":175,"line":183},[173,487,488],{"class":479},"  web",[173,490,483],{"class":323},[173,492,493,496,499],{"class":175,"line":197},[173,494,495],{"class":479},"    image",[173,497,498],{"class":323},":",[173,500,285],{"class":190},[173,502,503,506],{"class":175,"line":204},[173,504,505],{"class":479},"    networks",[173,507,483],{"class":323},[173,509,510,514],{"class":175,"line":210},[173,511,513],{"class":512},"sgJMe","      -",[173,515,516],{"class":190}," frontend\n",[173,518,519,522],{"class":175,"line":313},[173,520,521],{"class":479},"  api",[173,523,483],{"class":323},[173,525,527,529,531],{"class":175,"line":526},7,[173,528,495],{"class":479},[173,530,498],{"class":323},[173,532,301],{"class":190},[173,534,536,538],{"class":175,"line":535},8,[173,537,505],{"class":479},[173,539,483],{"class":323},[173,541,543,545],{"class":175,"line":542},9,[173,544,513],{"class":512},[173,546,516],{"class":190},[173,548,550,552],{"class":175,"line":549},10,[173,551,513],{"class":512},[173,553,554],{"class":190}," backend\n",[173,556,558,561],{"class":175,"line":557},11,[173,559,560],{"class":479},"  db",[173,562,483],{"class":323},[173,564,566,568,570],{"class":175,"line":565},12,[173,567,495],{"class":479},[173,569,498],{"class":323},[173,571,572],{"class":190}," postgres:16\n",[173,574,576,578],{"class":175,"line":575},13,[173,577,505],{"class":479},[173,579,483],{"class":323},[173,581,583,585],{"class":175,"line":582},14,[173,584,513],{"class":512},[173,586,554],{"class":190},[173,588,590],{"class":175,"line":589},15,[173,591,201],{"emptyLinePlaceholder":200},[173,593,595,598],{"class":175,"line":594},16,[173,596,597],{"class":479},"networks",[173,599,483],{"class":323},[173,601,603,606],{"class":175,"line":602},17,[173,604,605],{"class":479},"  frontend",[173,607,483],{"class":323},[173,609,611,614,616],{"class":175,"line":610},18,[173,612,613],{"class":479},"    driver",[173,615,498],{"class":323},[173,617,220],{"class":190},[173,619,621,624],{"class":175,"line":620},19,[173,622,623],{"class":479},"  backend",[173,625,483],{"class":323},[173,627,629,631,633],{"class":175,"line":628},20,[173,630,613],{"class":479},[173,632,498],{"class":323},[173,634,220],{"class":190},[173,636,638,641,643,647],{"class":175,"line":637},21,[173,639,640],{"class":479},"    internal",[173,642,498],{"class":323},[173,644,646],{"class":645},"sOJ5S"," true",[173,648,649],{"class":179},"  # Block external access\n",[11,651,652,653,656],{},"Setting ",[170,654,655],{},"internal: true"," prevents containers on that network from accessing external networks (internet). This is effective for internal services like databases.",[26,658,660],{"id":659},"host-network-maximum-performance","Host Network: Maximum Performance",[11,662,663,664,667],{},"In host mode, containers ",[34,665,666],{},"directly share"," the host machine's network namespace. No dedicated IP address is assigned — containers use the host's network interfaces and ports directly.",[163,669,671],{"className":165,"code":670,"language":167,"meta":168,"style":168},"# Start container with host network\ndocker run -d --network host nginx\n\n# Binds directly to host port 80\ncurl http:\u002F\u002Flocalhost:80\n",[170,672,673,678,693,697,702],{"__ignoreMap":168},[173,674,675],{"class":175,"line":176},[173,676,677],{"class":179},"# Start container with host network\n",[173,679,680,682,684,686,688,691],{"class":175,"line":183},[173,681,187],{"class":186},[173,683,272],{"class":190},[173,685,276],{"class":275},[173,687,396],{"class":275},[173,689,690],{"class":190}," host",[173,692,285],{"class":190},[173,694,695],{"class":175,"line":197},[173,696,201],{"emptyLinePlaceholder":200},[173,698,699],{"class":175,"line":204},[173,700,701],{"class":179},"# Binds directly to host port 80\n",[173,703,704,707],{"class":175,"line":210},[173,705,706],{"class":186},"curl",[173,708,709],{"class":190}," http:\u002F\u002Flocalhost:80\n",[241,711,713],{"id":712},"performance-characteristics","Performance Characteristics",[11,715,716,717,722],{},"According to ",[18,718,721],{"href":719,"rel":720},"https:\u002F\u002Feastondev.com\u002Fblog\u002Fen\u002Fposts\u002Fdev\u002F20251217-docker-network-modes\u002F",[22],"BetterLink's benchmark article",", host networking achieves:",[45,724,725,738],{},[48,726,727],{},[51,728,729,732,735],{},[54,730,731],{},"Metric",[54,733,734],{},"Bridge",[54,736,737],{},"Host",[70,739,740,751,762],{},[51,741,742,745,748],{},[75,743,744],{},"Throughput",[75,746,747],{},"~20 Gbps",[75,749,750],{},"~40 Gbps",[51,752,753,756,759],{},[75,754,755],{},"Latency",[75,757,758],{},"~50us",[75,760,761],{},"~0us",[51,763,764,767,769],{},[75,765,766],{},"CPU Overhead",[75,768,88],{},[75,770,771],{},"Minimal",[241,773,775],{"id":774},"appropriate-uses-for-host-mode","Appropriate Uses for Host Mode",[424,777,778,784,790,796],{},[427,779,780,783],{},[34,781,782],{},"high-frequency network i-o",": real-time processing, streaming",[427,785,786,789],{},[34,787,788],{},"Monitoring tools",": Prometheus Node Exporter, etc.",[427,791,792,795],{},[34,793,794],{},"Network performance testing",": iperf3, etc.",[427,797,798,801],{},[34,799,800],{},"Legacy applications",": Those requiring direct port binding",[241,803,805],{"id":804},"constraints-and-caveats","Constraints and Caveats",[163,807,809],{"className":165,"code":808,"language":167,"meta":168,"style":168},"# Port mapping is ignored in host mode (-p flag is disregarded)\ndocker run --network host -p 8080:80 nginx  # -p is ignored\n",[170,810,811,816],{"__ignoreMap":168},[173,812,813],{"class":175,"line":176},[173,814,815],{"class":179},"# Port mapping is ignored in host mode (-p flag is disregarded)\n",[173,817,818,820,822,824,826,829,832,835],{"class":175,"line":183},[173,819,187],{"class":186},[173,821,272],{"class":190},[173,823,396],{"class":275},[173,825,690],{"class":190},[173,827,828],{"class":275}," -p",[173,830,831],{"class":190}," 8080:80",[173,833,834],{"class":190}," nginx",[173,836,837],{"class":179},"  # -p is ignored\n",[424,839,840,846,852,858],{},[427,841,842,845],{},[34,843,844],{},"Port conflicts",": Multiple containers cannot use the same port",[427,847,848,851],{},[34,849,850],{},"No isolation",": Containers can access the host's entire network",[427,853,854,857],{},[34,855,856],{},"Security risk",": Expanded attack surface without network isolation",[427,859,860,863],{},[34,861,862],{},"Linux only",": Behavior differs on macOS\u002FWindows Docker Desktop",[11,865,866,867,870,871,874],{},"On ",[18,868,23],{"href":20,"rel":869},[22],"'s Kubernetes environment, using ",[170,872,873],{},"hostNetwork: true"," is discouraged unless there is a specific justification.",[26,876,878],{"id":877},"overlay-network-multi-host-communication","Overlay Network: Multi-Host Communication",[11,880,881,882,885],{},"Overlay networks enable ",[34,883,884],{},"containers across multiple Docker hosts to communicate"," over a distributed network. They are primarily used with Docker Swarm mode.",[241,887,889],{"id":888},"vxlan-implementation","VXLAN Implementation",[11,891,892,893,896],{},"Overlay networks use ",[34,894,895],{},"VXLAN (Virtual Extensible LAN)"," technology. VXLAN encapsulates container Layer 2 frames into IP\u002FUDP packets between hosts, building a virtual overlay network on top of the physical network.",[163,898,900],{"className":165,"code":899,"language":167,"meta":168,"style":168},"# Initialize Docker Swarm\ndocker swarm init\n\n# Create overlay network\ndocker network create --driver overlay --attachable myapp-overlay\n\n# Enable encryption (IPsec)\ndocker network create --driver overlay --opt encrypted myapp-secure\n",[170,901,902,907,917,921,926,945,949,954],{"__ignoreMap":168},[173,903,904],{"class":175,"line":176},[173,905,906],{"class":179},"# Initialize Docker Swarm\n",[173,908,909,911,914],{"class":175,"line":183},[173,910,187],{"class":186},[173,912,913],{"class":190}," swarm",[173,915,916],{"class":190}," init\n",[173,918,919],{"class":175,"line":197},[173,920,201],{"emptyLinePlaceholder":200},[173,922,923],{"class":175,"line":204},[173,924,925],{"class":179},"# Create overlay network\n",[173,927,928,930,932,934,936,939,942],{"class":175,"line":210},[173,929,187],{"class":186},[173,931,191],{"class":190},[173,933,363],{"class":190},[173,935,366],{"class":275},[173,937,938],{"class":190}," overlay",[173,940,941],{"class":275}," --attachable",[173,943,944],{"class":190}," myapp-overlay\n",[173,946,947],{"class":175,"line":313},[173,948,201],{"emptyLinePlaceholder":200},[173,950,951],{"class":175,"line":526},[173,952,953],{"class":179},"# Enable encryption (IPsec)\n",[173,955,956,958,960,962,964,966,969,972],{"class":175,"line":535},[173,957,187],{"class":186},[173,959,191],{"class":190},[173,961,363],{"class":190},[173,963,366],{"class":275},[173,965,938],{"class":190},[173,967,968],{"class":275}," --opt",[173,970,971],{"class":190}," encrypted",[173,973,974],{"class":190}," myapp-secure\n",[241,976,978],{"id":977},"required-ports","Required Ports",[11,980,716,981,986],{},[18,982,985],{"href":983,"rel":984},"https:\u002F\u002Fdocs.docker.com\u002Fengine\u002Fswarm\u002Fnetworking\u002F",[22],"Docker's official Swarm networking documentation",", overlay networks require:",[45,988,989,1002],{},[48,990,991],{},[51,992,993,996,999],{},[54,994,995],{},"Port",[54,997,998],{},"Protocol",[54,1000,1001],{},"Purpose",[70,1003,1004,1015,1026],{},[51,1005,1006,1009,1012],{},[75,1007,1008],{},"2377",[75,1010,1011],{},"TCP",[75,1013,1014],{},"Swarm cluster management",[51,1016,1017,1020,1023],{},[75,1018,1019],{},"7946",[75,1021,1022],{},"TCP\u002FUDP",[75,1024,1025],{},"Container network discovery",[51,1027,1028,1031,1034],{},[75,1029,1030],{},"4789",[75,1032,1033],{},"UDP",[75,1035,1036],{},"VXLAN data path",[241,1038,1040],{"id":1039},"service-discovery-and-dns","Service Discovery and DNS",[11,1042,1043,1044,1047],{},"Docker Swarm automatically assigns a ",[34,1045,1046],{},"Virtual IP (VIP)"," to services and registers DNS entries. Other services can reference them by name without hardcoded IP addresses.",[163,1049,1051],{"className":165,"code":1050,"language":167,"meta":168,"style":168},"# Create Swarm services\ndocker service create --name web --network myapp-overlay \\\n  --replicas 3 nginx\n\ndocker service create --name api --network myapp-overlay \\\n  --replicas 2 myapp:latest\n\n# Access web service from api service\n# curl http:\u002F\u002Fweb:80 (automatic load balancing via VIP)\n",[170,1052,1053,1058,1079,1089,1093,1111,1121,1125,1130],{"__ignoreMap":168},[173,1054,1055],{"class":175,"line":176},[173,1056,1057],{"class":179},"# Create Swarm services\n",[173,1059,1060,1062,1065,1067,1069,1071,1073,1076],{"class":175,"line":183},[173,1061,187],{"class":186},[173,1063,1064],{"class":190}," service",[173,1066,363],{"class":190},[173,1068,279],{"class":275},[173,1070,282],{"class":190},[173,1072,396],{"class":275},[173,1074,1075],{"class":190}," myapp-overlay",[173,1077,1078],{"class":323}," \\\n",[173,1080,1081,1084,1087],{"class":175,"line":197},[173,1082,1083],{"class":275},"  --replicas",[173,1085,1086],{"class":645}," 3",[173,1088,285],{"class":190},[173,1090,1091],{"class":175,"line":204},[173,1092,201],{"emptyLinePlaceholder":200},[173,1094,1095,1097,1099,1101,1103,1105,1107,1109],{"class":175,"line":210},[173,1096,187],{"class":186},[173,1098,1064],{"class":190},[173,1100,363],{"class":190},[173,1102,279],{"class":275},[173,1104,298],{"class":190},[173,1106,396],{"class":275},[173,1108,1075],{"class":190},[173,1110,1078],{"class":323},[173,1112,1113,1115,1118],{"class":175,"line":313},[173,1114,1083],{"class":275},[173,1116,1117],{"class":645}," 2",[173,1119,1120],{"class":190}," myapp:latest\n",[173,1122,1123],{"class":175,"line":526},[173,1124,201],{"emptyLinePlaceholder":200},[173,1126,1127],{"class":175,"line":535},[173,1128,1129],{"class":179},"# Access web service from api service\n",[173,1131,1132],{"class":175,"line":542},[173,1133,1134],{"class":179},"# curl http:\u002F\u002Fweb:80 (automatic load balancing via VIP)\n",[241,1136,1138],{"id":1137},"dns-round-robin-dnsrr","DNS Round-Robin (DNSRR)",[11,1140,1141],{},"In addition to VIP-based load balancing, DNS round-robin mode is available:",[163,1143,1145],{"className":165,"code":1144,"language":167,"meta":168,"style":168},"docker service create --name web \\\n  --endpoint-mode dnsrr \\\n  --network myapp-overlay \\\n  nginx\n",[170,1146,1147,1161,1171,1180],{"__ignoreMap":168},[173,1148,1149,1151,1153,1155,1157,1159],{"class":175,"line":176},[173,1150,187],{"class":186},[173,1152,1064],{"class":190},[173,1154,363],{"class":190},[173,1156,279],{"class":275},[173,1158,282],{"class":190},[173,1160,1078],{"class":323},[173,1162,1163,1166,1169],{"class":175,"line":183},[173,1164,1165],{"class":275},"  --endpoint-mode",[173,1167,1168],{"class":190}," dnsrr",[173,1170,1078],{"class":323},[173,1172,1173,1176,1178],{"class":175,"line":197},[173,1174,1175],{"class":275},"  --network",[173,1177,1075],{"class":190},[173,1179,1078],{"class":323},[173,1181,1182],{"class":175,"line":204},[173,1183,1184],{"class":190},"  nginx\n",[11,1186,1187,1188,1193],{},"In DNSRR mode, DNS queries return a list of IP addresses for all service replicas, and clients directly choose which to connect to. ",[18,1189,1192],{"href":1190,"rel":1191},"https:\u002F\u002Freintech.io\u002Fblog\u002Fservice-discovery-networking-docker-swarm",[22],"Reintech's Docker Swarm article"," provides more detail.",[26,1195,1197],{"id":1196},"network-mode-selection-guide","Network Mode Selection Guide",[241,1199,1201],{"id":1200},"recommendations-by-use-case","Recommendations by Use Case",[45,1203,1204,1217],{},[48,1205,1206],{},[51,1207,1208,1211,1214],{},[54,1209,1210],{},"Scenario",[54,1212,1213],{},"Recommended Driver",[54,1215,1216],{},"Rationale",[70,1218,1219,1230,1240,1251,1261,1272],{},[51,1220,1221,1224,1227],{},[75,1222,1223],{},"Web App + DB",[75,1225,1226],{},"Bridge (user-defined)",[75,1228,1229],{},"Isolation and DNS discovery",[51,1231,1232,1235,1237],{},[75,1233,1234],{},"Microservices (single host)",[75,1236,1226],{},[75,1238,1239],{},"Inter-service isolation",[51,1241,1242,1245,1248],{},[75,1243,1244],{},"Microservices (multi-host)",[75,1246,1247],{},"Overlay",[75,1249,1250],{},"Cross-cluster communication",[51,1252,1253,1256,1258],{},[75,1254,1255],{},"High-performance networking",[75,1257,737],{},[75,1259,1260],{},"No NAT overhead",[51,1262,1263,1266,1269],{},[75,1264,1265],{},"IoT \u002F Physical network integration",[75,1267,1268],{},"Macvlan",[75,1270,1271],{},"Direct NIC attachment",[51,1273,1274,1277,1279],{},[75,1275,1276],{},"Security-focused batch processing",[75,1278,103],{},[75,1280,1281],{},"Complete network isolation",[241,1283,1285],{"id":1284},"security-best-practices","Security Best Practices",[163,1287,1289],{"className":470,"code":1288,"language":472,"meta":168,"style":168},"# Network isolation in Docker Compose\nservices:\n  web:\n    networks:\n      - frontend\n  api:\n    networks:\n      - frontend\n      - backend\n  db:\n    networks:\n      - backend\n\nnetworks:\n  frontend:\n    driver: bridge\n  backend:\n    driver: bridge\n    internal: true\n    ipam:\n      config:\n        - subnet: 172.28.0.0-24\n",[170,1290,1291,1296,1302,1308,1314,1320,1326,1332,1338,1344,1350,1356,1362,1366,1372,1378,1386,1392,1400,1409,1416,1423],{"__ignoreMap":168},[173,1292,1293],{"class":175,"line":176},[173,1294,1295],{"class":179},"# Network isolation in Docker Compose\n",[173,1297,1298,1300],{"class":175,"line":183},[173,1299,480],{"class":479},[173,1301,483],{"class":323},[173,1303,1304,1306],{"class":175,"line":197},[173,1305,488],{"class":479},[173,1307,483],{"class":323},[173,1309,1310,1312],{"class":175,"line":204},[173,1311,505],{"class":479},[173,1313,483],{"class":323},[173,1315,1316,1318],{"class":175,"line":210},[173,1317,513],{"class":512},[173,1319,516],{"class":190},[173,1321,1322,1324],{"class":175,"line":313},[173,1323,521],{"class":479},[173,1325,483],{"class":323},[173,1327,1328,1330],{"class":175,"line":526},[173,1329,505],{"class":479},[173,1331,483],{"class":323},[173,1333,1334,1336],{"class":175,"line":535},[173,1335,513],{"class":512},[173,1337,516],{"class":190},[173,1339,1340,1342],{"class":175,"line":542},[173,1341,513],{"class":512},[173,1343,554],{"class":190},[173,1345,1346,1348],{"class":175,"line":549},[173,1347,560],{"class":479},[173,1349,483],{"class":323},[173,1351,1352,1354],{"class":175,"line":557},[173,1353,505],{"class":479},[173,1355,483],{"class":323},[173,1357,1358,1360],{"class":175,"line":565},[173,1359,513],{"class":512},[173,1361,554],{"class":190},[173,1363,1364],{"class":175,"line":575},[173,1365,201],{"emptyLinePlaceholder":200},[173,1367,1368,1370],{"class":175,"line":582},[173,1369,597],{"class":479},[173,1371,483],{"class":323},[173,1373,1374,1376],{"class":175,"line":589},[173,1375,605],{"class":479},[173,1377,483],{"class":323},[173,1379,1380,1382,1384],{"class":175,"line":594},[173,1381,613],{"class":479},[173,1383,498],{"class":323},[173,1385,220],{"class":190},[173,1387,1388,1390],{"class":175,"line":602},[173,1389,623],{"class":479},[173,1391,483],{"class":323},[173,1393,1394,1396,1398],{"class":175,"line":610},[173,1395,613],{"class":479},[173,1397,498],{"class":323},[173,1399,220],{"class":190},[173,1401,1402,1404,1406],{"class":175,"line":620},[173,1403,640],{"class":479},[173,1405,498],{"class":323},[173,1407,1408],{"class":645}," true\n",[173,1410,1411,1414],{"class":175,"line":628},[173,1412,1413],{"class":479},"    ipam",[173,1415,483],{"class":323},[173,1417,1418,1421],{"class":175,"line":637},[173,1419,1420],{"class":479},"      config",[173,1422,483],{"class":323},[173,1424,1426,1429,1432,1434],{"class":175,"line":1425},22,[173,1427,1428],{"class":512},"        -",[173,1430,1431],{"class":479}," subnet",[173,1433,498],{"class":323},[173,1435,1436],{"class":190}," 172.28.0.0-24\n",[11,1438,457,1439,1444],{},[18,1440,1443],{"href":1441,"rel":1442},"https:\u002F\u002Fenv.dev\u002Fguides\u002Fdocker-networking",[22],"env.dev Docker networking guide"," emphasizes the importance of network segmentation in production environments.",[241,1446,1448],{"id":1447},"relationship-with-kubernetes","Relationship with Kubernetes",[11,1450,1451],{},"Docker's networking model serves as the foundation for Kubernetes CNI (Container Network Interface):",[45,1453,1454,1464],{},[48,1455,1456],{},[51,1457,1458,1461],{},[54,1459,1460],{},"Docker",[54,1462,1463],{},"Kubernetes",[70,1465,1466,1474,1482,1490,1497],{},[51,1467,1468,1471],{},[75,1469,1470],{},"Bridge Network",[75,1472,1473],{},"Pod Network (CNI plugin)",[51,1475,1476,1479],{},[75,1477,1478],{},"Service (DNS)",[75,1480,1481],{},"Kubernetes Service",[51,1483,1484,1487],{},[75,1485,1486],{},"Port Mapping",[75,1488,1489],{},"NodePort \u002F LoadBalancer",[51,1491,1492,1494],{},[75,1493,1247],{},[75,1495,1496],{},"Pod-to-Pod (Flannel, Calico, etc.)",[51,1498,1499,1502],{},[75,1500,1501],{},"No NetworkPolicy",[75,1503,1504],{},"NetworkPolicy for traffic control",[11,1506,457,1507,1512],{},[18,1508,1511],{"href":1509,"rel":1510},"https:\u002F\u002Fmoldstud.com\u002Farticles\u002Fp-docker-networking-modes-explained-bridge-host-and-overlay-comprehensive-guide",[22],"moldstud comprehensive guide"," covers Docker to Kubernetes networking migration in detail.",[26,1514,1516],{"id":1515},"summary-right-network-for-the-right-job","Summary: Right Network for the Right Job",[11,1518,1519],{},"Understanding and appropriately selecting among Docker's three primary network drivers is essential for balancing container application performance and security.",[424,1521,1522,1527,1532],{},[427,1523,1524,1526],{},[34,1525,734],{},": First choice for most use cases. Always use user-defined networks.",[427,1528,1529,1531],{},[34,1530,737],{},": Only when performance is the top priority and isolation can be sacrificed.",[427,1533,1534,1536],{},[34,1535,1247],{},": For inter-service communication in multi-host Docker Swarm environments.",[11,1538,1539,1542,1543,1546],{},[18,1540,23],{"href":20,"rel":1541},[22]," builds on Docker-level networking knowledge to provide advanced Kubernetes networking capabilities — Service Mesh, NetworkPolicy, and Ingress — as a container platform. Combined with ",[18,1544,227],{"href":225,"rel":1545},[22],", AI assists from network design through operational monitoring.",[11,1548,1549,1550,239],{},"For Docker networking or Kubernetes network design consulting, please ",[18,1551,1554],{"href":1552,"rel":1553},"https:\u002F\u002Fwww.hexabase.com\u002Fcontact-us\u002F",[22],"contact us",[1556,1557,1558],"style",{},"html pre.shiki code .sbD-w, html code.shiki .sbD-w{--shiki-default:#51597D;--shiki-default-font-style:italic}html pre.shiki code .sE3pS, html code.shiki .sE3pS{--shiki-default:#C0CAF5}html pre.shiki code .sPY7s, html code.shiki .sPY7s{--shiki-default:#9ECE6A}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html pre.shiki code .sT800, html code.shiki .sT800{--shiki-default:#E0AF68}html pre.shiki code .sAklC, html code.shiki .sAklC{--shiki-default:#89DDFF}html pre.shiki code .s0U2E, html code.shiki .s0U2E{--shiki-default:#F7768E}html pre.shiki code .sgJMe, html code.shiki .sgJMe{--shiki-default:#9ABDF5}html pre.shiki code .sOJ5S, html code.shiki .sOJ5S{--shiki-default:#FF9E64}",{"title":168,"searchDepth":183,"depth":183,"links":1560},[1561,1562,1567,1572,1578,1583],{"id":28,"depth":183,"text":29},{"id":231,"depth":183,"text":232,"children":1563},[1564,1565,1566],{"id":243,"depth":197,"text":244},{"id":336,"depth":197,"text":337},{"id":466,"depth":197,"text":467},{"id":659,"depth":183,"text":660,"children":1568},[1569,1570,1571],{"id":712,"depth":197,"text":713},{"id":774,"depth":197,"text":775},{"id":804,"depth":197,"text":805},{"id":877,"depth":183,"text":878,"children":1573},[1574,1575,1576,1577],{"id":888,"depth":197,"text":889},{"id":977,"depth":197,"text":978},{"id":1039,"depth":197,"text":1040},{"id":1137,"depth":197,"text":1138},{"id":1196,"depth":183,"text":1197,"children":1579},[1580,1581,1582],{"id":1200,"depth":197,"text":1201},{"id":1284,"depth":197,"text":1285},{"id":1447,"depth":197,"text":1448},{"id":1515,"depth":183,"text":1516},"2026-05-27","A thorough comparison of Docker network drivers — bridge, host, and overlay. Understand the architecture, performance, security trade-offs, and use-case selection criteria with practical examples.","md","en",{},"\u002Fblog\u002Fen\u002Fdocker-networking-deep-dive",{"title":5,"description":1585},"blog\u002Fen\u002Fdocker-networking-deep-dive",[1460,1593,79,116,98,1594,1595],"Networking","Containers","Docker Swarm","ADaNP0D4WI0jDvcLamYWIdeIf_EoZvy5e1wfGPrj75o",1779964618795]