TL;DR - Why does Docker call it's default networking as Bridge Networking when it seems to be a lot like NAT Network.
Let start by looking at how -
1) VMWare or VirtualBox handles networking for virtual machines. Say the Host IP is some random 152.50.60.21 and the network CIDR is 152.50.60.0/24.
Bridge Network - Any VM connected through this interface can have any free IP on the network the host is connected to. So if IP 152.50.60.30 is free, then VM can bind to this IP. Similarly, a second VM can have an IP 152.50.60.32 if this IP is free.
The Bridge Network connects the VM's on to the same network the host is connected to. Any machine on the internet can reach the VM's and the VM's can reach the internet directly (of course if the HOST network is connected to internet).
NAT Network - NAT is a separate network from the network the host is connected to. And VMWare can accept any valid CIDR (to not complicate things I will refer to the private reserved blocks only. Though, if am right, any CIDR is fine.) Safely, this new NAT Network being created on host and accessible only on the host can have CIDR 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 (or any subnet of these networks). I am picking 10.0.0.0/8.
So two VM's spinning up on the host and connected through NAT Network can have IP's 10.0.3.3 and 10.0.3.6
Being on the NAT Network the VM's are not visible to the outer world beyond the host i.e the VM's are not reachable to the outer world (except with DNAT/Port Forwarding configuration on the Host). But the VM's can access the outer world/internet/intranet though SNAT provided by HOST i.e the IP's of VM's are never exposed to the outer world.
VMWare Doc's reference: Understanding Common Networking Configurations
Next, let's look on the Docker side -
Dockers default networking
When an image is run on the HOST (whose IP from above is 152.50.60.21) using Dockers default networking (which it calls as Bridge Network), the new container can get an IP (say) 172.17.0.13 from the network - 172.16.0.0/12 (at least on my env). Similarly, a second container can get an IP 172.17.0.23. For accessing the internet these containers rely on SNAT provided by HOST. And any machine on the internet/intranet can't access the Containers except through port forwarding provided by the HOST. So the containers are not visible to the world except for HOST.
Looking at this I would assume that the default networking provided by Docker is NAT Network, but Docker likes to call it as Bridge Network.
So, Could anyone say where things are messed up or how I got to look at Bridge/NAT Networks?
Bridge networks are usually used when your applications run in standalone containers that need to communicate. See bridge networks. host : For standalone containers, remove network isolation between the container and the Docker host, and use the host's networking directly.
NAT mode will mask all network activity as if it came from your Host OS, although the VM can access external resources. Bridged mode replicates another node on the physical network and your VM will receive it's own IP address if DHCP is enabled in the network.
When you start Docker, a default bridge network (also called bridge ) is created automatically, and newly-started containers connect to it unless otherwise specified. You can also create user-defined custom bridge networks. User-defined bridge networks are superior to the default bridge network.
This provides better isolation and interoperability between containers, and custom bridge networks have better security and features than the default bridge. All containers in a custom bridge can communicate with the ports of other containers on that bridge.
Docker's equivalent of VMWare or VirtualBox bridge network is macvlan.
From the docs:
...you can use the macvlan network driver to assign a MAC address to each container’s virtual network interface, making it appear to be a physical network interface directly connected to the physical network. In this case, you need to designate a physical interface on your Docker host to use for the macvlan, as well as the subnet and gateway of the macvlan. You can even isolate your macvlan networks using different physical network interfaces.
When you create a macvlan network, it can either be in bridge mode or 802.1q trunk bridge mode.
In bridge mode, macvlan traffic goes through a physical device on the host.
In the simple bridge example, your traffic flows through eth0 and Docker routes traffic to your container using its MAC address. To network devices on your network, your container appears to be physically attached to the network.
Example of macvlan bridge mode:
$ docker network create -d macvlan \
  --subnet=172.16.86.0/24 \
  --gateway=172.16.86.1 \
  -o parent=eth0 \
  my-macvlan-net
This command creates MacVLAN network on top of eth0 with the network name of my-macvlan-net.
In 802.1q trunk bridge mode, traffic goes through an 802.1q sub-interface which Docker creates on the fly. This allows you to control routing and filtering at a more granular level.
In the 802.1q trunked bridge example, your traffic flows through a sub-interface of eth0 (called eth0.10 in the example below) and Docker routes traffic to your container using its MAC address. To network devices on your network, your container appears to be physically attached to the network.
Example of macvlan 802.1q trunk bridge mode:
$ docker network create -d macvlan \
  --subnet=172.16.86.0/24 \
  --gateway=172.16.86.1 \
  -o parent=eth0.10 \
  my-8021q-macvlan-net
This creates macvlan network, and has parent eth0.10.
The naming seems confusing to someone coming from VMWare or VirtualBox, but it exists.
You can see another tutorial of macvlan (includes assigning IP addr to the container) here.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With