HSR Sector 6 · Bangalore +91 96110 27980 Mon–Sat · 09:30–20:30
LMS Login Rack Booking Free Resume Maker ✦ Admissions Open →
👤 Meet Founder · Dual CCIE #22239 · ⭐ 4.7★ Google (1,173) · ⭐ 4.5★ JustDial (1,345) · ▶ 171K YouTube · 20 Years ·Cisco Capital Funded·Fortinet Partner· LMS: nhprep.com · 24/7 Labs · Free AI CV · QuickZTNA · QuickSDWAN
Chapter 2 of 20 — Container & Kubernetes Networking
intermediate Chapter 2 of 20

Docker Networking — Bridge, Host, Overlay & Macvlan Drivers

By Vikas Swami, CCIE #22239 | Updated Mar 2026 | Free Course

What Docker networking is and why it matters in 2026

Docker networking is the subsystem that enables containers to communicate with each other, with the host machine, and with external networks through a pluggable driver architecture. When you launch a container, Docker attaches it to a virtual network using one of five core drivers—bridge, host, overlay, macvlan, or none—each optimized for different isolation, performance, and multi-host scenarios. In 2026, as Kubernetes adoption accelerates across Indian enterprises like Cisco India, HCL, and Aryaka, understanding Docker's network primitives remains foundational because every Kubernetes pod ultimately relies on container runtime networking, and Docker's CNM (Container Network Model) underpins most production stacks.

Modern microservices architectures demand fine-grained control over inter-service communication, load balancing, and security boundaries. Docker networking provides namespace isolation, software-defined routing, and DNS-based service discovery out of the box. For freshers entering DevOps or cloud engineering roles—especially those targeting the 45,000+ placements Networkers Home has facilitated at firms like Akamai India, Barracuda, and Movate—mastering Docker networking is non-negotiable. Interviewers at Cisco and AWS routinely probe candidates on bridge versus overlay trade-offs, MTU mismatches in overlay networks, and how macvlan bypasses the Docker bridge for bare-metal performance.

The five drivers serve distinct use cases: bridge for single-host development, host for maximum throughput at the cost of isolation, overlay for Swarm and multi-datacenter orchestration, macvlan for legacy VLAN integration, and none for air-gapped security workloads. Choosing the wrong driver can bottleneck throughput by 40 percent or expose containers to lateral movement attacks. In our HSR Layout lab, we benchmark all five drivers under identical workloads so that students in our AWS DevOps course in Bangalore see real packet flows, not just theory.

How Docker networking works under the hood

Docker networking is built on three Linux kernel primitives: network namespaces (isolated network stacks per container), virtual Ethernet pairs (veth devices connecting namespaces to bridges), and iptables/nftables rules (NAT, filtering, and port forwarding). When you run docker run -d nginx without specifying a network, Docker creates a veth pair—one end inside the container's namespace, the other attached to the docker0 bridge on the host. The bridge acts as a virtual switch, forwarding Ethernet frames between containers and applying NAT rules so containers can reach the internet via the host's default gateway.

Each network driver implements the Container Network Model (CNM) interface, which defines three objects: sandbox (container's network namespace), endpoint (veth interface), and network (the bridge, overlay VXLAN, or macvlan segment). The Docker daemon's libnetwork library instantiates these objects and programs the kernel accordingly. For example, when you create an overlay network with docker network create -d overlay my-overlay, libnetwork spawns a VXLAN tunnel endpoint, assigns a subnet from the overlay address pool, and configures a distributed key-value store (Consul, etcd, or Swarm's internal Raft) to propagate endpoint metadata across nodes.

DNS resolution is handled by an embedded DNS server listening on 127.0.0.11:53 inside each container. When container A queries container-b, Docker's DNS server returns the IP of container B's endpoint on the shared network. This service discovery mechanism is critical in microservices: a frontend container can reach a backend by name without hardcoding IPs. The DNS server also supports round-robin load balancing when multiple containers share the same service alias.

Port publishing (-p 8080:80) works via DNAT rules in the host's nat table. Docker inserts an iptables rule that rewrites the destination IP and port of incoming packets, forwarding them to the container's internal IP. Outbound traffic from containers undergoes SNAT (source NAT) so that external servers see the host's IP, not the container's private IP. This dual NAT layer is transparent but adds latency—typically 50-100 microseconds per packet—which is why high-frequency trading platforms and telco workloads prefer macvlan or host mode.

Network namespace isolation and veth pairs

Every container gets its own network namespace, visible via ip netns list on the host (Docker prefixes them with container IDs). Inside the namespace, the container sees a loopback interface and one or more veth interfaces. The veth pair is a bidirectional pipe: packets written to one end emerge from the other. Docker attaches the container-side veth to eth0 inside the namespace and the host-side veth to the bridge. You can inspect this with docker exec <container> ip link show and correlate the if_index with ip link show on the host.

iptables rules and the DOCKER chain

Docker injects custom chains into iptables: DOCKER, DOCKER-ISOLATION-STAGE-1, and DOCKER-USER. The DOCKER chain handles port publishing and inter-network isolation. The DOCKER-ISOLATION chains prevent containers on different user-defined networks from communicating unless explicitly connected. The DOCKER-USER chain is where administrators insert custom firewall rules that persist across Docker daemon restarts. A common interview question at Cisco India: "How do you block all traffic to a container except from a specific source IP?" Answer: insert a rule in DOCKER-USER before the RETURN statement.

Bridge driver: default single-host networking

The bridge driver creates a private internal network on a single Docker host. Containers on the same bridge can communicate directly via their container IPs; containers on different bridges cannot unless you explicitly connect them to both networks. The default bridge (docker0) is created automatically when Docker starts, but best practice is to create user-defined bridges with docker network create my-bridge because they provide automatic DNS resolution and better isolation.

User-defined bridges offer three advantages over the default bridge: (1) automatic service discovery via container names, (2) on-the-fly container attachment and detachment without restarting, and (3) configurable subnet and gateway. For example, docker network create --subnet 192.168.100.0/24 --gateway 192.168.100.1 my-bridge lets you align container IPs with your existing IP plan. In our 4-month paid internship at the Network Security Operations Division, interns deploy multi-tier web apps (Nginx frontend, Node.js API, PostgreSQL backend) on separate user-defined bridges and use docker network connect to selectively expose the API to the frontend while keeping the database isolated.

Bridge mode uses NAT for outbound traffic, so external hosts see the Docker host's IP, not the container's. This simplifies firewall rules but breaks protocols that embed IP addresses in payloads (FTP, SIP). For those, you need macvlan or host mode. Bridge networks also impose a small performance penalty—our lab tests show 5-8 percent throughput reduction versus host mode due to bridge forwarding and iptables traversal. For latency-sensitive workloads like real-time video transcoding (common at Akamai India), this overhead matters.

Creating and inspecting bridge networks

docker network create --driver bridge \
  --subnet 10.10.0.0/16 \
  --gateway 10.10.0.1 \
  --opt com.docker.network.bridge.name=br-custom \
  my-bridge

docker run -d --name web --network my-bridge nginx
docker run -d --name api --network my-bridge node:18

# Verify connectivity
docker exec web ping api
docker network inspect my-bridge

The --opt flag sets the Linux bridge interface name to br-custom instead of a random br-<hash>. This makes troubleshooting easier when you run brctl show or ip link show on the host.

Host driver: maximum performance, zero isolation

The host driver removes network isolation entirely: the container shares the host's network namespace and sees all host interfaces. There is no veth pair, no bridge, no NAT—packets flow directly through the host's NIC. This delivers near-native performance (sub-microsecond latency overhead) but sacrifices portability and security. A container in host mode can bind to any port on the host, potentially conflicting with other services. If two containers both try to listen on port 80, the second will fail.

Host mode is used in three scenarios: (1) ultra-low-latency applications like high-frequency trading or telecom signaling, (2) network monitoring tools that need to sniff all traffic (tcpdump, Wireshark), and (3) Kubernetes node agents (kubelet, kube-proxy) that must interact with the host's routing table. At Cisco India's SD-WAN deployments, edge routers running in containers use host mode to directly manipulate kernel routes and iptables rules without the overhead of a bridge.

Security teams often ban host mode in production because a compromised container can sniff all host traffic, modify firewall rules, and pivot to other services. In our AWS DevOps course in Bangalore, we teach students to use host mode only for trusted, single-purpose containers and to enforce AppArmor or SELinux profiles that restrict CAP_NET_ADMIN and CAP_NET_RAW capabilities.

When to use host mode

  • Packet capture: Running tcpdump inside a bridge-mode container only sees traffic to/from that container. Host mode sees all packets on all interfaces.
  • Performance benchmarking: Eliminate Docker networking overhead to isolate application bottlenecks.
  • Legacy apps that bind to specific IPs: Some enterprise apps hardcode the host's IP in configuration files and break under NAT.
docker run -d --network host nginx
# Nginx now listens on the host's port 80 directly
curl http://<host-ip>:80

Overlay driver: multi-host Swarm and Kubernetes networking

The overlay driver creates a distributed virtual network that spans multiple Docker hosts, enabling containers on different machines to communicate as if they were on the same LAN. Overlay networks use VXLAN encapsulation: each packet is wrapped in a UDP header (default port 4789) and routed through the underlay network. Docker Swarm uses overlay networks for service-to-service communication; Kubernetes uses a similar model via CNI plugins like Flannel, Calico, or Cilium.

To create an overlay network, you must first initialize a Swarm cluster with docker swarm init. This starts a Raft consensus store that synchronizes network state across manager and worker nodes. When you run docker network create -d overlay my-overlay, Docker allocates a subnet (default 10.0.0.0/24), assigns a VXLAN ID, and propagates the configuration to all nodes. Containers attached to the overlay get an IP from this subnet and can reach each other by name, even across datacenters.

Overlay networks support encryption via IPsec (enabled with --opt encrypted), which adds AES-GCM overhead—our HSR Layout lab tests show 15-20 percent throughput reduction with encryption enabled. For compliance-heavy sectors like banking (RBI guidelines) or healthcare (DPDP Act 2023), encrypted overlays are mandatory. Aryaka and Akamai India both deploy encrypted overlays for multi-region microservices to meet data sovereignty requirements.

Overlay network architecture

Each Docker host runs a VXLAN Tunnel Endpoint (VTEP) that encapsulates and decapsulates packets. The VTEP maintains a forwarding table mapping container MAC addresses to remote host IPs. When container A on host 1 sends a packet to container B on host 2, the VTEP on host 1 looks up B's MAC, encapsulates the Ethernet frame in a UDP packet destined for host 2's VTEP, and transmits it over the underlay. Host 2's VTEP decapsulates the packet and delivers it to container B.

Overlay networks require three open ports: TCP 2377 (Swarm management), TCP/UDP 7946 (gossip protocol for node discovery), and UDP 4789 (VXLAN data plane). Firewalls must allow these ports between all Swarm nodes. A common pitfall: MTU mismatches. VXLAN adds 50 bytes of overhead, so if your underlay MTU is 1500, the overlay MTU must be 1450 or lower. Failure to adjust MTU causes silent packet drops and intermittent connectivity—this is a favorite CCIE Security interview question.

Creating an encrypted overlay network

# On manager node
docker swarm init --advertise-addr <manager-ip>

# On worker nodes
docker swarm join --token <token> <manager-ip>:2377

# Create encrypted overlay
docker network create -d overlay \
  --opt encrypted \
  --subnet 10.20.0.0/16 \
  --attachable \
  my-secure-overlay

# Deploy service
docker service create --name web \
  --network my-secure-overlay \
  --replicas 3 \
  nginx

The --attachable flag allows standalone containers (not just Swarm services) to connect to the overlay, useful for debugging.

Macvlan driver: VLAN integration and bare-metal performance

The macvlan driver assigns each container a unique MAC address and makes it appear as a physical device on the network. Containers get IPs from the same subnet as the host and can communicate directly with external devices without NAT. This is essential for legacy applications that expect Layer 2 adjacency, VLAN tagging, or multicast (IGMP, mDNS). Macvlan delivers near-native performance because packets bypass the Docker bridge and iptables entirely.

Macvlan operates in four modes: bridge (containers on the same host communicate via a virtual bridge), VEPA (all traffic hairpins through an external switch), private (containers cannot communicate with each other), and passthru (one container gets exclusive access to a physical NIC). Bridge mode is most common. To create a macvlan network, you specify the parent interface (e.g., eth0) and optionally a VLAN ID. Docker then creates sub-interfaces and assigns them to containers.

A critical limitation: macvlan containers cannot communicate with the Docker host itself due to kernel security restrictions (the host's NIC drops packets with source MACs it didn't originate). Workarounds include creating a macvlan interface on the host or using a separate physical NIC. In our lab, we demonstrate this by deploying a DHCP server container in macvlan mode that serves IPs to physical devices on the same LAN—a scenario common in telco edge deployments at Cisco India.

Macvlan configuration example

# Create macvlan network on eth0, VLAN 10
docker network create -d macvlan \
  --subnet 192.168.10.0/24 \
  --gateway 192.168.10.1 \
  -o parent=eth0.10 \
  macvlan10

# Run container with static IP
docker run -d --name dhcp-server \
  --network macvlan10 \
  --ip 192.168.10.100 \
  networkboot/dhcpd

The parent=eth0.10 syntax creates a VLAN sub-interface. If your switch trunk port carries VLAN 10, containers will be Layer 2 adjacent to devices on that VLAN.

When to use macvlan

  • Legacy apps requiring Layer 2 broadcast: NetBIOS, ARP-based clustering, multicast routing protocols.
  • Network appliances: Firewalls, load balancers, IDS/IPS that need to sniff or inject raw Ethernet frames.
  • VLAN segmentation: Isolating containers into different VLANs for compliance (PCI-DSS, HIPAA).
  • Performance-critical workloads: Video streaming, VoIP gateways where every microsecond counts.

Comparing Docker network drivers: trade-offs and decision matrix

Choosing the right driver depends on isolation requirements, performance targets, and multi-host needs. The table below summarizes the five drivers across key dimensions. In our AWS DevOps course in Bangalore, we run side-by-side benchmarks so students see the 40 percent throughput gap between bridge and macvlan under identical workloads.

Driver Isolation Performance Multi-host NAT Use case
bridge High Good (5-8% overhead) No Yes Single-host dev/test, microservices on one node
host None Native (<1% overhead) No No Monitoring tools, ultra-low-latency apps
overlay High Moderate (15-20% with encryption) Yes Yes Swarm services, multi-datacenter orchestration
macvlan Medium Native (<2% overhead) No No VLAN integration, legacy apps, bare-metal perf
none Total N/A No No Air-gapped security workloads, custom networking

Decision tree for driver selection

  1. Do you need multi-host communication? → Yes: overlay. No: continue.
  2. Do you need Layer 2 adjacency or VLAN tagging? → Yes: macvlan. No: continue.
  3. Is performance critical (<10μs latency)? → Yes: host or macvlan. No: continue.
  4. Do you need automatic DNS and isolation? → Yes: user-defined bridge. No: default bridge or none.

At HCL and Wipro, DevOps teams default to user-defined bridge for single-node deployments and overlay for multi-region services. Macvlan is reserved for edge cases like IoT gateways or telecom workloads. Host mode is used sparingly, only for Prometheus node exporters and log shippers that must access host metrics.

Common pitfalls and interview gotchas

Docker networking is a frequent interview topic at Cisco, AWS, and Akamai India. Interviewers probe for hands-on experience, not just theory. Below are the top five gotchas we drill in our HSR Layout lab, based on real interview feedback from our 45,000+ placed candidates.

1. MTU mismatches in overlay networks

VXLAN adds 50 bytes of overhead. If your underlay MTU is 1500, overlay packets larger than 1450 bytes get fragmented or dropped. Symptoms: intermittent connectivity, slow file transfers, TCP retransmissions. Solution: set overlay MTU to 1450 with --opt com.docker.network.driver.mtu=1450 or increase underlay MTU to 1550 (jumbo frames). A CCIE Security lab task might ask you to diagnose this using tcpdump and ip link show.

2. Default bridge lacks DNS resolution

Containers on the default docker0 bridge cannot resolve each other by name—only by IP. This breaks microservices that rely on service discovery. Solution: always use user-defined bridges. Interview question: "Why does ping api fail from a container on the default bridge but succeed on a user-defined bridge?" Answer: user-defined bridges run an embedded DNS server; the default bridge does not.

3. Port conflicts in host mode

Two containers in host mode cannot bind to the same port. If you run docker run --network host nginx twice, the second fails with "address already in use." Solution: use bridge mode with port mapping or assign different ports. Interview question: "How do you run multiple instances of the same service in host mode?" Answer: you can't—use bridge or overlay with replicas.

4. Macvlan containers cannot reach the Docker host

Due to kernel MAC filtering, macvlan containers cannot communicate with the host's IP. Workaround: create a macvlan interface on the host with ip link add mac0 link eth0 type macvlan mode bridge and assign it an IP from the same subnet. This is a favorite troubleshooting question at Aryaka and Barracuda interviews.

5. Firewall rules blocking overlay traffic

Overlay networks require UDP 4789, TCP 2377, and TCP/UDP 7946 open between all Swarm nodes. Cloud security groups or on-prem firewalls often block these by default. Symptom: nodes join the Swarm but services fail to start. Solution: verify with nc -zvu <peer-ip> 4789 and update firewall rules. Interview question: "A Swarm service is stuck in 'pending' state—how do you debug?" Answer: check docker service ps <service> for errors, verify overlay ports with netstat -tuln, inspect VXLAN interfaces with ip -d link show.

Real-world deployment scenarios at Indian enterprises

Understanding Docker networking in isolation is insufficient—you must see how it fits into production architectures. Below are three scenarios drawn from our internship placements at Cisco India, Akamai, and Aryaka, where freshers deploy and troubleshoot containerized workloads daily.

Scenario 1: Multi-tier web app on a single EC2 instance (bridge mode)

A startup deploys a three-tier app—React frontend, Flask API, PostgreSQL database—on a single AWS EC2 instance to minimize costs. Each tier runs in a separate container on a user-defined bridge. The frontend container publishes port 80 to the host, the API container exposes port 5000 only to the frontend, and the database container is not exposed externally. Docker's embedded DNS lets the frontend reach the API via http://api:5000 and the API reach the database via postgresql://db:5432. This setup is common at early-stage SaaS companies and is a standard lab exercise in our DevOps batch.

docker network create app-net
docker run -d --name db --network app-net postgres:15
docker run -d --name api --network app-net -e DATABASE_URL=postgresql://db:5432 flask-api
docker run -d --name frontend --network app-net -p 80:3000 react-app

Scenario 2: Multi-region microservices with encrypted overlay (Swarm mode)

Akamai India runs a CDN control plane across three AWS regions (Mumbai, Singapore, Tokyo). Each region has a Swarm cluster; services communicate via an encrypted overlay network. The overlay spans regions using VPC peering and VPN tunnels. Services like auth, billing, and analytics are deployed as replicated Swarm services with --replicas 5. Docker's ingress load balancer distributes requests across replicas. The overlay is encrypted to comply with DPDP Act 2023 data residency rules. Our 4-month paid internship places students in this exact environment, where they debug overlay routing issues and optimize VXLAN MTU.

Scenario 3: VLAN-segmented IoT gateway with macvlan

A telecom operator deploys IoT gateways at cell tower sites. Each gateway runs Docker on an edge server and hosts containers for MQTT broker, time-series database, and edge analytics. The MQTT broker must be Layer 2 adjacent to IoT devices (sensors, cameras) on VLAN 20, while the analytics container connects to the cloud via VLAN 30. The operator uses macvlan with two parent interfaces: eth0.20 for IoT devices and eth0.30 for cloud uplink. This setup is common at Cisco India's IoT division and is covered in our Kubernetes networking module at networkershome.com/fundamentals/kubernetes-networking.

How Docker networking connects to CCNA, CCNP, and CCIE syllabus

Docker networking is not explicitly listed in Cisco's certification blueprints, but the underlying concepts—VLANs, NAT, routing, VXLAN, IPsec—are core CCNA, CCNP, and CCIE topics. Understanding Docker networking accelerates your grasp of SDN, network virtualization, and cloud networking, all of which appear in modern Cisco exams.

CCNA 200-301 overlap

  • NAT and PAT: Docker's port publishing (-p) is DNAT; outbound traffic uses SNAT. CCNA candidates configure NAT on routers; Docker automates it via iptables.
  • VLANs and trunking: Macvlan's parent=eth0.10 syntax mirrors Cisco's interface GigabitEthernet0/0.10 encapsulation dot1Q 10.
  • Default gateway and routing: Containers use the bridge IP as their default gateway, analogous to end hosts using a router's interface IP.

CCNP Enterprise and CCIE overlap

  • VXLAN and overlay networks: Docker overlay uses VXLAN with UDP 4789, identical to Cisco ACI and EVPN. CCIE Data Center candidates configure VXLAN on Nexus switches; Docker abstracts this into a single CLI command.
  • IPsec encryption: Encrypted overlay networks use IPsec ESP, the same protocol in Cisco IOS IPsec VPNs. CCIE Security candidates troubleshoot IPsec phase 1/2; Docker handles this automatically but you must understand MTU overhead and cipher suites.
  • Multicast and IGMP: Macvlan supports multicast, essential for CCIE Service Provider candidates studying PIM and IGMP snooping.

Founder Vikas Swami, Dual CCIE #22239, designed our curriculum to bridge Docker and traditional networking. Students who master Docker networking find VXLAN, EVPN, and SD-WAN concepts intuitive because they've already manipulated these primitives in containers.

Frequently asked questions

Can containers on different user-defined bridges communicate?

No, by default. Docker's DOCKER-ISOLATION iptables chain blocks inter-bridge traffic. To enable communication, connect a container to both bridges with docker network connect bridge2 container1. This is safer than disabling isolation because you explicitly control which containers can cross network boundaries.

What is the difference between Docker overlay and Kubernetes CNI plugins?

Docker overlay is Swarm-specific and uses VXLAN with a built-in key-value store. Kubernetes CNI plugins (Flannel, Calico, Cilium) are modular and support multiple backends—VXLAN, BGP, WireGuard. Kubernetes does not use Docker's overlay; it delegates networking to the CNI plugin. However, the underlying VXLAN mechanics are identical, so understanding Docker overlay prepares you for Kubernetes networking.

How do I troubleshoot "network not found" errors?

Run docker network ls to list all networks. If the network exists but containers can't attach, check the network's scope with docker network inspect <network>. Overlay networks have scope "swarm" and are only visible on Swarm nodes. If you're running standalone containers, add --attachable when creating the overlay. If the network was deleted, recreate it with the same name and subnet.

Why is my overlay network slow?

Three common causes: (1) MTU mismatch causing fragmentation, (2) encryption overhead (15-20 percent throughput loss), (3) high latency underlay network. Measure baseline latency with ping between Docker hosts. If underlay latency is >50ms, overlay latency will be >60ms. Disable encryption temporarily with --opt encrypted=false to isolate the bottleneck. Use iperf3 inside containers to benchmark throughput.

Can I use Docker networking with Podman or containerd?

Podman uses CNI plugins (same as Kubernetes), not Docker's CNM. The concepts are similar but CLI commands differ. Containerd also uses CNI. If you're migrating from Docker to Podman, you'll rewrite network configurations using CNI JSON files instead of docker network create. Our DevOps course covers both Docker and Podman networking so students are tool-agnostic.

How do I secure Docker networks in production?

Five best practices: (1) use user-defined bridges, never the default bridge, (2) enable overlay encryption for multi-host traffic, (3) restrict CAP_NET_ADMIN capability to prevent containers from modifying routes, (4) insert firewall rules in the DOCKER-USER chain to block unauthorized traffic, (5) use network policies in Kubernetes (via Calico or Cilium) for fine-grained segmentation. At Cisco India and Akamai, security audits flag any use of host mode or default bridge as high-risk.

What is the "none" network driver used for?

The none driver disables all networking—no interfaces except loopback. Use it for air-gapped workloads like cryptographic key generation, malware analysis sandboxes, or compliance-mandated isolated environments. Containers in none mode cannot communicate with anything, making them immune to network-based attacks. To add networking later, create a custom network namespace and attach it manually with ip netns commands.

Ready to Master Container & Kubernetes Networking?

Join 45,000+ students at Networkers Home. CCIE-certified trainers, 24x7 real lab access, and 100% placement support.

Explore Course

Certifications We Prepare You For

CompTIA Network+Cisco CCNACisco CyberOpsCisco DevNetJuniper JNCIAFortinet NSE 4Palo Alto PCNSACheck Point CCTAAWS CloudAzure AdminGoogle CloudVMware VCTAAruba ACAArista ACEF5 BIG-IPHuawei HCIANutanix NCARed Hat RHCSALinux LFCACompTIA Security+Zscaler ZCCA