Docker Networking: 3 major areas – CNM, Libnetwork, Drivers


CNM

aka Container Network Model. This is the Docker networking model.

Note: there is an alternative, CNI (aka Container Network Interface) from CoreOS, which is more suited to Kubernetes. More here:

The CNM has 3 main components:

  • Sandbox: holds the configuration of a container's network stack (aka a network namespace in Linux)
  • Endpoint: joins a Sandbox to a Network (aka a network interface, e.g. eth0)
  • Network: a group of Endpoints that can communicate directly

See also:



Libnetwork

aka Control & Management plane.

Cross platform and pluggable.

Real-world implementation of CNM by Docker.


Drivers

Data plane.

Network-specific details, e.g.:

  • Overlay
  • Bridge



docker port

Golden rule:

port1:port2 means you're mapping port1 on the host to port2 on the container.

i.e. host:container

Say you run:

docker container run --rm -d --name web -p 8080:80 nginx

you’re mapping port 80 in the container to port 8080 on the host.

-p => publish a container’s port to the host

docker port web

80/tcp ->

which means:

80 on the container maps to 8080 on the host.

See also: Tech Rant on `-p` and `--expose`.
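To make the host:container rule concrete, here is an added example (not code from the original post) that parses `-p` specs the way the grammar `[host_ip:][host_port:]container_port[/proto]` describes them, renders the same `container/proto -> host` lines `docker port` prints, and lists which container ports end up bound on every host interface. The function names and the sample specs are my own constructions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class PublishedPort:
    host_ip: str              # interface the host side binds to
    host_port: Optional[int]  # None: Docker picks an ephemeral host port
    container_port: int
    proto: str                # tcp, udp or sctp

    def is_public(self) -> bool:
        # 0.0.0.0 / :: bind every host interface; Docker also inserts its
        # own iptables rules for published ports, so host firewall rules
        # written with tools such as ufw do not necessarily restrict them.
        return self.host_ip in ("0.0.0.0", "::")

def parse_publish(spec: str) -> PublishedPort:
    """Parse one -p value: [host_ip:][host_port:]container_port[/proto]."""
    ports, _, proto = spec.partition("/")
    proto = proto or "tcp"
    if proto not in ("tcp", "udp", "sctp") or "-" in ports:
        raise ValueError(f"unsupported publish spec {spec!r}")  # no ranges here
    host_ip = "0.0.0.0"                      # Docker's default when no IP is given
    if ports.startswith("["):                # bracketed IPv6 host address
        end = ports.index("]")
        host_ip, ports = ports[1:end], ports[end + 1:]
        if not ports.startswith(":"):
            raise ValueError(f"bad publish spec {spec!r}")
        ports = ports[1:]
    parts = ports.split(":")
    if len(parts) == 3:                      # host_ip:host_port:container_port
        host_ip, parts = parts[0], parts[1:]
    if len(parts) == 1:                      # bare container port
        parts = ["", parts[0]]
    if len(parts) != 2:
        raise ValueError(f"bad publish spec {spec!r}")
    host_port = int(parts[0]) if parts[0] else None
    return PublishedPort(host_ip, host_port, int(parts[1]), proto)

def docker_port_line(p: PublishedPort) -> str:
    """Render the mapping as `docker port` prints it: container side first."""
    hp = "<ephemeral>" if p.host_port is None else str(p.host_port)
    return f"{p.container_port}/{p.proto} -> {p.host_ip}:{hp}"

def public_container_ports(specs: List[str]) -> List[str]:
    """Container ports reachable on every host interface for the given -p specs."""
    return [f"{p.container_port}/{p.proto}"
            for p in map(parse_publish, specs) if p.is_public()]

if __name__ == "__main__":
    # constructed specs, e.g. from `docker container run -p 8080:80 nginx`
    for s in ["8080:80", "127.0.0.1:5432:5432", "[::1]::53/udp", "9000"]:
        print(s, "=>", docker_port_line(parse_publish(s)))
```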

Docker: Container Networking

Bridge Networking

`bridge` on Linux, or `nat` on Windows

aka docker0

But each bridge is isolated (an island: containers on one bridge can't talk to another bridge network) unless we map ports to the host. This is where overlay networking comes in.

Note: out of the box you get a bridge network called `bridge`. Inspecting it with `docker network inspect bridge` shows something like:

```json
{
    "Name": "bridge",
    "Id": "79f84aa40524806cc23b566401df397dc4472f7f4a9101b61b336a739fa24b2e",
    "Created": "2018-09-21T08:32:25.177055934Z",
    "Scope": "local",
    "Driver": "bridge",
    "EnableIPv6": false,
    "IPAM": {
        "Driver": "default",
        "Options": null,
        "Config": [
            {
                "Subnet": "",
                "Gateway": ""
            }
        ]
    },
    "Internal": false,
    "Attachable": false,
    "Ingress": false,
    "ConfigFrom": {
        "Network": ""
    },
    "ConfigOnly": false,
    "Containers": {},
    "Options": {
        "": "true",
        "": "true",
        "": "true",
        "": "",
        "": "docker0",
        "": "1500"
    },
    "Labels": {}
}
```

Note how `"Containers": {}` is empty, i.e. no containers are attached.

So, if we ran a container (e.g. `docker container run --rm -d alpine sleep 1d`) we'd see it on the bridge network.

Overlay Networking

This is a single Layer 2 network (Layer 2 => MAC addresses; Layer 3 => IP addresses) that spans hosts sitting on different underlying networks.

docker network create

Control plane encrypted out of the box.


docker network create -d

-d => --driver

E.g. `docker network create -d overlay overnet`



Lets a container have its own IP / MAC address on the network. But the network must allow promiscuous mode, which is disabled in the cloud.

Example of an overlay network

Assuming we’ve got a swarm set up:

  • create a service

docker service create -d --name pinger --replicas 2 --network overnet alpine sleep 1d