Module 7: Docker Networking Deep Dive
Docker & Containerization Workshop
Presented by: Choudhry Shehryar, MLOps Engineer
Learning Objectives
● Master Docker networking architecture and driver types
● Implement secure container communication patterns
● Troubleshoot common container networking issues
Docker Network Architecture
Core Components
● Network namespaces (isolation)
● Virtual Ethernet devices (veth)
● Linux bridges
● Network drivers
● iptables rules
● Container Network Interface (CNI)
Container-to-Container Communication
● Same host vs. different hosts
● Container DNS resolution
● Service discovery
Network Namespaces Deep Dive
What are Network Namespaces?
● Isolated network stacks within the Linux kernel
● Each container gets its own namespace
● Includes interfaces, routing tables, iptables rules
Key Operations
# Create network namespace
ip netns add myns
# List namespaces
ip netns list
# Execute command in namespace
ip netns exec myns ip addr
Docker Network Drivers
Built-in Driver Types
● bridge: Default, isolated network on host (Layer 2)
● host: Uses host's networking directly (no isolation)
● none: No networking (isolated container)
● overlay: Multi-host networking (Swarm)
● macvlan: Assigns MAC address to container (Layer 2)
● ipvlan: Shares host's MAC address (Layer 3/4)
Third-party Network Plugins
● Calico, Weave, Cilium, Flannel
Bridge Networks In Depth
Default Bridge (docker0)
● Automatically created
● All containers connect by default
● NAT for outbound connectivity
● Manual port publishing for inbound
User-defined Bridges
● Automatic DNS resolution
● Better isolation
● Custom configuration options
● On-demand connectivity
Managing Docker Networks
Basic Network Operations
# List networks
docker network ls
# Inspect network
docker network inspect bridge
# Create custom bridge network
docker network create --driver bridge my-network
# Connect container to network
docker network connect my-network container1
Network Creation Options
Create with Subnet
docker network create --subnet=172.20.0.0/16 custom-net
Create with Gateway
docker network create --subnet=172.20.0.0/16 --gateway=172.20.0.1 custom-net
Create with IP Range
docker network create --subnet=172.20.0.0/16 --ip-range=172.20.5.0/24 custom-net
Container Network Mode Options
Run with Network Mode
# Default bridge network
docker run -d nginx
# User-defined bridge network
docker run -d --network=my-network nginx
# Host networking (no isolation)
docker run -d --network=host nginx
# No networking
docker run -d --network=none nginx
# Use another container's network
docker run -d --network=container:container_id nginx
Port Publishing
Publish a Port
# Publish port 80 to random host port
docker run -d -p 80 nginx
# Publish port 80 to specific host port 8080
docker run -d -p 8080:80 nginx
# Publish port on specific IP
docker run -d -p 192.168.1.100:8080:80 nginx
# Publish port range
docker run -d -p 8080-8090:80-90 nginx
# Publish all exposed ports
docker run -d -P nginx
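A published port with no host address (the plain `-p 8080:80` form) listens on every host interface, and because Docker DNATs that traffic and accepts it in its own FORWARD-chain rules, INPUT-chain host firewall rules such as ufw defaults do not filter it. The script below is an added example, not part of the workshop material: it reads the JSON that `docker inspect` prints, flags every binding whose HostIp is empty or a wildcard, and prints the equivalent `-p` flag pinned to one address. The container names, ports and the JSON itself are constructed sample data.

```python
"""Audit published ports from `docker inspect` output (added example).

Flags every published port whose HostIp is empty, 0.0.0.0 or ::, because
such a binding accepts connections on all host interfaces ahead of most
INPUT-chain host firewall rules. SAMPLE_INSPECT is constructed data in the
shape `docker inspect web db` would print (trimmed to the relevant keys).
"""
import json

# Constructed sample: two containers, four port bindings.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "HostConfig": {
            "NetworkMode": "my-network",
            "PortBindings": {
                "80/tcp": [{"HostIp": "", "HostPort": "8080"}],
                "443/tcp": [{"HostIp": "192.168.1.100", "HostPort": "8443"}],
            },
        },
    },
    {
        "Name": "/db",
        "HostConfig": {
            "NetworkMode": "my-network",
            "PortBindings": {
                "5432/tcp": [{"HostIp": "0.0.0.0", "HostPort": "5432"}],
                "9187/tcp": [{"HostIp": "127.0.0.1", "HostPort": "9187"}],
            },
        },
    },
])

# An empty HostIp is what `-p 8080:80` without an address produces.
WILDCARD_IPS = {"", "0.0.0.0", "::"}


def exposed_bindings(inspect_json):
    """Return (container, container_port, host_ip, host_port) for every
    binding that listens on all host interfaces."""
    findings = []
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        bindings = (c.get("HostConfig") or {}).get("PortBindings") or {}
        for cport, hosts in bindings.items():
            for h in hosts or []:
                if h.get("HostIp", "") in WILDCARD_IPS:
                    findings.append((name, cport, h.get("HostIp", ""),
                                     h.get("HostPort", "")))
    return findings


def suggest_fix(finding, bind_ip="127.0.0.1"):
    """Rewrite one finding as a -p flag bound to a single address."""
    name, cport, _ip, hport = finding
    port, _, proto = cport.partition("/")
    flag = f"-p {bind_ip}:{hport}:{port}"
    if proto and proto != "tcp":      # docker defaults to tcp when omitted
        flag += f"/{proto}"
    return f"{name}: {flag}"


if __name__ == "__main__":
    for f in exposed_bindings(SAMPLE_INSPECT):
        print("all-interfaces binding:", f, "->", suggest_fix(f))
```

Run it against real output with `docker inspect $(docker ps -q) > inspect.json` and feed the file contents to `exposed_bindings`. Binding to 127.0.0.1 suits ports that only a host-local reverse proxy should reach; the `-p 192.168.1.100:8080:80` form on the slide is the same idea for a specific interface.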
Container DNS Resolution
Default Resolution
● Containers on the default bridge: no automatic container-name DNS
● User-defined networks: automatic DNS
● Based on container name or network alias
Container DNS Options
# Set DNS servers
docker run --dns=8.8.8.8 --dns=8.8.4.4 nginx
# Set DNS search domains
docker run --dns-search=example.com nginx
# Set hostname
docker run --hostname=web1 nginx
# Add /etc/hosts entry
docker run --add-host=db:192.168.1.10 nginx
Network Aliases
Multiple Names for the Same Container
# Create container with network alias
docker run -d --network=my-network --network-alias=web nginx
# Connect with multiple aliases
docker network connect --alias web --alias api my-network container1
Use Case: Service Discovery
● Load balancing scenarios
● Blue/green deployments
● Service mesh patterns
Macvlan Networks
Direct Connection to Physical Network
# Create macvlan network
docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  -o parent=eth0 \
  macvlan-net
Use Cases
● Legacy applications requiring fixed IPs
● Performance-critical applications
● Integration with existing network infrastructure
Overlay Networks
Multi-Host Networking
# Initialize Swarm (manager)
docker swarm init
# Create overlay network
docker network create --driver overlay --attachable my-overlay
Key Features
● Automatic encryption (optional)
● Service discovery across hosts
● Scale applications across multiple hosts
● Compatible with Docker Swarm services
Container Network Interface (CNI)
What is CNI?
● Standard for container networking
● Enables pluggable networking solutions
● Used by Kubernetes, containerd, CRI-O
CNI Architecture
● Plugin-based model
● Simple specification
● Responsible for IP allocation
● Integration with SDN platforms
Network Segmentation Strategies
Isolation Level Options
● Application segmentation (microservices)
● Environment segmentation (dev/test/prod)
● Tenant segmentation (multi-tenant)
Implementation Techniques
● Separate bridge networks
● Network policies
● VLANs (with macvlan)
● Security groups (cloud environments)
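Separate bridge networks only segment traffic if the network membership of each container actually matches the intended design: two containers that share any bridge network can reach each other directly under the daemon's default `icc=true`. The script below is an added example, not part of the workshop: it reads the JSON that `docker network inspect` prints, derives which container pairs can talk, and compares that against an assumed allowlist. The networks, container names and the policy are constructed sample data.

```python
"""Check bridge-network segmentation against an intended policy (added example).

Reachability model: containers sharing at least one network can reach each
other directly (default icc=true). SAMPLE_NETWORKS is constructed data in
the shape `docker network inspect frontend backend` would print, trimmed to
the relevant keys; ALLOWED_PAIRS is an assumed policy.
"""
import json
from itertools import combinations

SAMPLE_NETWORKS = json.dumps([
    {"Name": "frontend", "Driver": "bridge", "Internal": False,
     "Containers": {"id1": {"Name": "proxy"}, "id2": {"Name": "api"}}},
    {"Name": "backend", "Driver": "bridge", "Internal": True,
     "Containers": {"id2": {"Name": "api"}, "id3": {"Name": "db"},
                    "id4": {"Name": "debug-shell"}}},
])

# Assumed policy: unordered pairs allowed to talk directly.
ALLOWED_PAIRS = {frozenset(p) for p in [("proxy", "api"), ("api", "db")]}


def reachable_pairs(networks_json):
    """Unordered container pairs that share at least one network."""
    pairs = set()
    for net in json.loads(networks_json):
        names = sorted(c["Name"] for c in net.get("Containers", {}).values())
        for a, b in combinations(names, 2):
            pairs.add(frozenset((a, b)))
    return pairs


def policy_violations(networks_json, allowed=ALLOWED_PAIRS):
    """Pairs that can reach each other but are not in the allowlist."""
    extra = reachable_pairs(networks_json) - allowed
    return sorted(tuple(sorted(p)) for p in extra)


def non_internal_networks(networks_json):
    """Networks created without --internal, i.e. with NAT egress to the outside."""
    return [n["Name"] for n in json.loads(networks_json) if not n.get("Internal")]


if __name__ == "__main__":
    print("violations:", policy_violations(SAMPLE_NETWORKS))
    print("networks with egress:", non_internal_networks(SAMPLE_NETWORKS))
```

In the sample, a `debug-shell` container left attached to `backend` can reach `db` directly, which the policy does not allow; `docker network disconnect backend debug-shell` removes that path. `non_internal_networks` is the companion check for a database tier that should have been created with `docker network create --internal`.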
Service Discovery Methods
Built-in Methods
● Container DNS (user-defined networks)
● Environment variables
● Network aliases
External Solutions
● Consul
● etcd
● ZooKeeper
● Cloud provider solutions
Container Network Security
Security Controls
● Network isolation (separate networks)
● Host firewall rules (iptables)
● Container firewall rules
● TCP/UDP port filtering
● Network policy enforcement
● Encrypt container-to-container traffic
Best Practices
● Principle of least privilege
● Regularly update base images
● Scan for network vulnerabilities
● Monitor network behavior
Network Encryption
Overlay Network Encryption
# Create encrypted overlay network
docker network create --driver overlay \
  --opt encrypted=true \
  secure-overlay
Transport Layer Security
● TLS for API endpoints
● Mutual TLS for service-to-service
● Certificate rotation
Network Performance Tuning
Performance Factors
● MTU size configuration
● Disable inter-container communication
● Host vs bridge vs macvlan performance
● I/O tuning parameters
Performance Testing
# Install performance tools in container
docker run -it --name netperf ubuntu bash
apt-get update && apt-get install -y iperf3 netperf
# Run network performance test
iperf3 -s              # Server in one container
iperf3 -c <server_ip>  # Client in another
Network Troubleshooting
Common Network Issues
● DNS resolution problems
● IP address conflicts
● Port conflicts
● Connectivity failures
● MTU mismatches
● Firewall blocking
● Routing issues
Network Troubleshooting Commands
# Check container networking
docker inspect container_name
# Network namespace debugging
docker inspect -f '{{.State.Pid}}' container_name
nsenter -t <pid> -n ip addr
# Test connectivity
docker exec container_name ping google.com
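Two of the issues listed above, IP address conflicts and MTU mismatches, can be caught from `docker network inspect` output before anyone starts capturing packets. The script below is an added example, not part of the workshop: it checks every Docker subnet against the host's routes (Docker's default 172.17.0.0/16 frequently collides with VPN or corporate ranges) and compares each network's configured MTU with the host uplink, allowing 50 bytes of VXLAN overhead for overlays. The network JSON, the host routes and the uplink MTU are constructed values a practitioner would otherwise read from `docker network inspect`, `ip route` and `ip link`.

```python
"""Find subnet overlaps and MTU mismatches from `docker network inspect` (added example).

SAMPLE_NETWORKS, HOST_ROUTES and HOST_UPLINK_MTU are constructed sample
data; the MTU option key is the one Docker stores for bridge/overlay
networks created with -o com.docker.network.driver.mtu=<n>.
"""
import ipaddress
import json

SAMPLE_NETWORKS = json.dumps([
    {"Name": "bridge", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.17.0.0/16"}]}, "Options": {}},
    {"Name": "custom-net", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.20.0.0/16"}]},
     "Options": {"com.docker.network.driver.mtu": "1500"}},
    {"Name": "my-overlay", "Driver": "overlay",
     "IPAM": {"Config": [{"Subnet": "10.0.1.0/24"}]},
     "Options": {"com.docker.network.driver.mtu": "1500"}},
])

# Assumed host state (constructed): routes pushed by a VPN client and the uplink MTU.
HOST_ROUTES = {"vpn0": ["172.17.8.0/24", "10.8.0.0/16"]}
HOST_UPLINK_MTU = 1450          # e.g. a cloud uplink that already carries an encapsulation header
VXLAN_OVERHEAD = 50             # bytes consumed by the overlay encapsulation


def docker_subnets(networks_json):
    """(network name, ip_network) for every IPAM subnet."""
    out = []
    for n in json.loads(networks_json):
        for cfg in (n.get("IPAM") or {}).get("Config") or []:
            out.append((n["Name"], ipaddress.ip_network(cfg["Subnet"])))
    return out


def subnet_overlaps(networks_json, host_routes=HOST_ROUTES):
    """(docker_network, host_iface, host_prefix) for every colliding range."""
    hits = []
    for name, subnet in docker_subnets(networks_json):
        for iface, prefixes in host_routes.items():
            for p in prefixes:
                if subnet.overlaps(ipaddress.ip_network(p)):
                    hits.append((name, iface, p))
    return hits


def mtu_mismatches(networks_json, uplink_mtu=HOST_UPLINK_MTU):
    """(network, configured_mtu, allowed_mtu) where the configured value is too large."""
    bad = []
    for n in json.loads(networks_json):
        opts = n.get("Options") or {}
        mtu = int(opts.get("com.docker.network.driver.mtu", 1500))   # Docker's default
        limit = uplink_mtu - VXLAN_OVERHEAD if n["Driver"] == "overlay" else uplink_mtu
        if mtu > limit:
            bad.append((n["Name"], mtu, limit))
    return bad


if __name__ == "__main__":
    print("subnet overlaps:", subnet_overlaps(SAMPLE_NETWORKS))
    print("mtu mismatches:", mtu_mismatches(SAMPLE_NETWORKS))
```

An overlap like the `bridge` / `vpn0` one in the sample explains the classic symptom of containers that cannot reach one particular internal host: the host route wins or loses against docker0 depending on prefix length. The remedy is a different pool (`--subnet` on the slide, or `bip` / `default-address-pools` in daemon.json); an MTU mismatch is fixed by creating the network with `-o com.docker.network.driver.mtu=<uplink minus overhead>`.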
Diagnostic Tools
Network Captures
# Capture on host interface
tcpdump -i docker0 -n
# Capture inside container
docker exec container tcpdump -i eth0 -n
Inside Container
# Install tools (Alpine)
docker exec container apk add --no-cache \
  bind-tools tcpdump curl iputils
# Install tools (Ubuntu/Debian); the whole && chain must run inside the container
docker exec container sh -c 'apt-get update && \
  apt-get install -y dnsutils tcpdump curl iputils-ping'
Hands-On Exercises
Exercise 1: Network Creation & Inspection
● Create custom bridge networks
● Analyze network properties
● Connect containers to multiple networks
Exercise 2: Container Communication
● Configure container-to-container communication
● Test DNS resolution between containers
● Implement network aliases
Exercise 3: Network Troubleshooting
● Diagnose common network issues
● Use networking diagnostic tools
● Implement solutions to connectivity problems
Questions & Next Steps
● Networking challenges in your environment?
● Advanced networking requirements?
● Integration with existing infrastructure?