Container networking is a fundamental aspect of containerized applications that enables communication between containers, services, and external systems. This guide covers essential networking concepts, configurations, and best practices.
Docker Networking
Network Types
Bridge Network
The default network driver for containers.
```bash
# Create custom bridge network
docker network create --driver bridge my-bridge-network
# Run container with custom network
docker run -d --name web-server --network my-bridge-network nginx
# Inspect network
docker network inspect my-bridge-network
Host Network
Container shares the host's network stack.
# Run container with host networking
docker run -d --name app --network host nginx
Overlay Network
Enables communication between containers across multiple Docker hosts.
# Create overlay network (Swarm mode)
docker network create --driver overlay --attachable my-overlay
# Deploy service with overlay network
docker service create --name web --network my-overlay nginx
None Network
Container has no network access.
# Run isolated container
docker run -d --name isolated --network none alpine sleep 3600
Network Configuration
Port Mapping
# Map container port to host port
docker run -d -p 8080:80 nginx
# Map to specific interface
docker run -d -p 127.0.0.1:8080:80 nginx
# Map multiple ports
docker run -d -p 8080:80 -p 8443:443 nginx
Environment Variables
# Set network-related environment variables
docker run -d \
-e VIRTUAL_HOST=app.example.com \
-e VIRTUAL_PORT=8080 \
--name app nginx
DNS Configuration
# Custom DNS servers
docker run -d --dns 8.8.8.8 --dns 8.8.4.4 nginx
# Add custom host entries
docker run -d --add-host api.local:192.168.1.100 nginx
Docker Compose Networking
Default Network
version: '3.8'
services:
web:
image: nginx
ports:
- "8080:80"
app:
image: node:alpine
depends_on:
- web
Custom Networks
version: '3.8'
services:
web:
image: nginx
networks:
- frontend
- backend
ports:
- "80:80"
app:
image: node:alpine
networks:
- backend
db:
image: postgres
networks:
- backend
environment:
POSTGRES_PASSWORD: secret
networks:
frontend:
driver: bridge
backend:
driver: bridge
internal: true
External Networks
version: '3.8'
services:
app:
image: nginx
networks:
- existing-network
networks:
existing-network:
external: true
Kubernetes Networking
CNI (Container Network Interface)
Popular CNI Plugins
Flannel - Simple overlay network
apiVersion: v1
kind: ConfigMap
metadata:
name: kube-flannel-cfg
namespace: kube-system
data:
cni-conf.json: |
{
"name": "cbr0",
"type": "flannel",
"delegate": {
"hairpinMode": true,
"isDefaultGateway": true
}
}
Calico - Network policy and security
apiVersion: v1
kind: ConfigMap
metadata:
name: calico-config
namespace: kube-system
data:
calico_backend: "bird"
cluster_type: "k8s,bgp"
Weave Net - Multi-host networking
# Install Weave Net
kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"
Services
ClusterIP
Default service type for internal communication.
apiVersion: v1
kind: Service
metadata:
name: backend-service
spec:
type: ClusterIP
selector:
app: backend
ports:
- port: 80
targetPort: 8080
NodePort
Exposes service on each node's IP at a static port.
apiVersion: v1
kind: Service
metadata:
name: frontend-service
spec:
type: NodePort
selector:
app: frontend
ports:
- port: 80
targetPort: 8080
nodePort: 30080
LoadBalancer
Exposes service externally using cloud provider's load balancer.
apiVersion: v1
kind: Service
metadata:
name: public-service
spec:
type: LoadBalancer
selector:
app: web
ports:
- port: 80
targetPort: 8080
ExternalName
Maps service to external DNS name.
apiVersion: v1
kind: Service
metadata:
name: external-api
spec:
type: ExternalName
externalName: api.external.com
Ingress
Basic Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: web-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: myapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web-service
port:
number: 80
TLS Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: secure-ingress
spec:
tls:
- hosts:
- secure.example.com
secretName: tls-secret
rules:
- host: secure.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: secure-service
port:
number: 443
Network Policies
Default Deny Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
Allow Specific Traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-frontend-to-backend
spec:
podSelector:
matchLabels:
app: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 8080
Allow External Traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-external-web
spec:
podSelector:
matchLabels:
app: web
policyTypes:
- Ingress
ingress:
- ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
Pod Networking
Multi-Container Pods
apiVersion: v1
kind: Pod
metadata:
name: multi-container-pod
spec:
containers:
- name: main-app
image: nginx
ports:
- containerPort: 80
- name: sidecar
image: busybox
command: ['sh', '-c', 'while true; do echo sidecar; sleep 30; done']
Init Containers
apiVersion: v1
kind: Pod
metadata:
name: init-container-pod
spec:
initContainers:
- name: init-networking
image: busybox
command: ['sh', '-c', 'until nslookup backend-service; do sleep 1; done']
containers:
- name: main-app
image: nginx
Network Troubleshooting
Docker Networking Issues
Debug Container Connectivity
# Test connectivity between containers
docker exec -it container1 ping container2
# Check network configuration
docker exec -it container1 ip addr show
# Inspect network interfaces
docker exec -it container1 netstat -tuln
# Test DNS resolution
docker exec -it container1 nslookup google.com
Network Inspection
# List all networks
docker network ls
# Inspect specific network
docker network inspect bridge
# Check container network settings
docker inspect container_name | grep -A 20 NetworkSettings
Kubernetes Networking Issues
Pod Connectivity
# Test pod-to-pod communication
kubectl exec -it pod1 -- ping pod2-ip
# Check pod network details
kubectl describe pod pod-name
# Test service connectivity
kubectl exec -it pod-name -- curl service-name:port
# Check DNS resolution
kubectl exec -it pod-name -- nslookup kubernetes.default
Service Discovery
# List services
kubectl get services
# Describe service
kubectl describe service service-name
# Check endpoints
kubectl get endpoints service-name
# Test service from within cluster
kubectl run test-pod --image=busybox --rm -it -- sh
# Inside pod: wget -qO- service-name:port
Network Policy Debugging
# Check network policies
kubectl get networkpolicies
# Describe policy
kubectl describe networkpolicy policy-name
# Test connectivity with policy applied
kubectl exec -it source-pod -- curl target-service:port
Network Monitoring
Docker Network Monitoring
Container Statistics
# Real-time container stats
docker stats
# Network statistics for specific container
docker exec container_name cat /proc/net/dev
# Monitor network traffic
docker exec container_name ss -tuln
Kubernetes Network Monitoring
Built-in Monitoring
# Node network status
kubectl describe nodes
# Pod network metrics
kubectl top pods --all-namespaces
# Service mesh metrics (if using Istio)
kubectl get destinationrules,virtualservices -A
Network Monitoring Tools
# Example: Deploy network monitoring
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: network-monitor
spec:
selector:
matchLabels:
app: network-monitor
template:
metadata:
labels:
app: network-monitor
spec:
hostNetwork: true
containers:
- name: monitor
image: nicolaka/netshoot
command: ["/bin/bash", "-c", "while true; do sleep 3600; done"]
Security Best Practices
Network Isolation
Docker Security
# Run container with limited network access
docker run -d --network none --name isolated-app app:latest
# Use user-defined networks
docker network create --driver bridge secure-network
docker run -d --network secure-network app:latest
Kubernetes Security
# Network policy for micro-segmentation
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: micro-segmentation
spec:
podSelector:
matchLabels:
tier: database
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
tier: application
ports:
- protocol: TCP
port: 5432
Encryption
TLS Configuration
# TLS termination at ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: tls-ingress
spec:
tls:
- hosts:
- app.example.com
secretName: app-tls-secret
rules:
- host: app.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app-service
port:
number: 80
Network Scanning
Security Scanning Tools
# Scan for open ports
nmap -sS target-ip
# Check for vulnerabilities
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
aquasec/trivy image nginx:latest
# Network policy testing
kubectl apply -f network-policy.yaml
kubectl exec -it test-pod -- curl -m 5 restricted-service:port
Performance Optimization
Network Performance
Docker Optimization
# Use host networking for high-performance apps
docker run -d --network host high-performance-app
# Optimize bridge network
docker network create --driver bridge \
--opt com.docker.network.bridge.name=optimized-bridge \
--opt com.docker.network.bridge.enable_ip_masquerade=true \
optimized-network
Kubernetes Optimization
# Pod with optimized networking
apiVersion: v1
kind: Pod
metadata:
name: high-performance-pod
annotations:
container.apparmor.security.beta.kubernetes.io/app: runtime/default
spec:
containers:
- name: app
image: high-performance-app
resources:
requests:
memory: "1Gi"
cpu: "500m"
limits:
memory: "2Gi"
cpu: "1000m"
Load Balancing
Service Load Balancing
apiVersion: v1
kind: Service
metadata:
name: load-balanced-service
spec:
type: LoadBalancer
selector:
app: web
ports:
- port: 80
targetPort: 8080
sessionAffinity: ClientIP
sessionAffinityConfig:
clientIP:
timeoutSeconds: 300