0
0
Dockerdevops~15 mins

Creating custom bridge networks in Docker - Mechanics & Internals

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Overview - Creating Custom Bridge Networks
What is it?
Creating custom bridge networks in Docker means making your own private network where containers can talk to each other securely and efficiently. Unlike the default network Docker provides, a custom bridge network lets you control how containers connect and communicate. This helps organize containers better and avoid conflicts. It is like building your own private neighborhood for your containers.
Why it matters
Without custom bridge networks, all containers share the same default network, which can cause name conflicts and security issues. Custom networks let you isolate groups of containers, control communication, and assign meaningful names. This improves security, debugging, and scalability. Imagine a world where all devices in a city share one big network without any separation — chaos and confusion would happen. Custom bridge networks prevent that in Docker.
Where it fits
Before learning custom bridge networks, you should understand basic Docker concepts like containers, images, and the default Docker network. After mastering custom bridge networks, you can explore advanced networking topics like overlay networks, network plugins, and service discovery in Docker Swarm or Kubernetes.
Mental Model
Core Idea
A custom bridge network is a private virtual network that connects Docker containers, letting them communicate securely and with controlled settings.
Think of it like...
It's like creating a private gated community inside a city where only invited houses (containers) can talk to each other freely, separate from the noisy public roads (default network).
┌─────────────────────────────┐
│       Docker Host           │
│  ┌───────────────┐          │
│  │ Custom Bridge │          │
│  │   Network     │          │
│  ├─────┬─────┬───┤          │
│  │Cont1│Cont2│...│          │
│  └─────┴─────┴───┘          │
│                             │
│  Default Bridge Network      │
│  ┌───────────────┐          │
│  │ ContA, ContB  │          │
│  └───────────────┘          │
└─────────────────────────────┘
Build-Up - 7 Steps
1
FoundationUnderstanding Docker Default Networks
🤔
Concept: Learn what the default Docker bridge network is and how containers connect by default.
Docker automatically creates a default bridge network named 'bridge'. When you start containers without specifying a network, they connect here. Containers on this network can communicate by IP but not by container name. This network is shared by all containers unless you specify otherwise.
Result
Containers connect to the default bridge network and can communicate using IP addresses but not container names.
Knowing the default network behavior helps you understand why custom networks are needed for better container communication and isolation.
2
FoundationBasics of Docker Bridge Networks
🤔
Concept: Understand what a bridge network is and how it works in Docker.
A bridge network is a private internal network created on the Docker host. It acts like a virtual switch connecting containers. Containers on the same bridge network can communicate using container names as DNS. Docker manages IP address assignment and routing inside this network.
Result
Containers on the same bridge network can reach each other by name and IP, isolated from other networks.
Understanding bridge networks is key to controlling container communication and network isolation.
3
IntermediateCreating a Custom Bridge Network
🤔
Concept: Learn how to create your own bridge network with Docker CLI.
Use the command: docker network create my_custom_network This creates a new bridge network named 'my_custom_network'. You can specify options like subnet, gateway, and driver. Containers connected to this network can communicate by name and are isolated from other networks.
Result
A new custom bridge network named 'my_custom_network' is created and ready for container connections.
Creating custom networks lets you organize containers into isolated groups with controlled communication.
4
IntermediateConnecting Containers to Custom Networks
🤔Before reading on: Do you think containers connect to custom networks automatically or need explicit commands? Commit to your answer.
Concept: Learn how to attach containers to your custom bridge network at start or after creation.
To start a container on a custom network: docker run --network my_custom_network --name container1 alpine sleep 1000 To connect an existing container: docker network connect my_custom_network container1 To disconnect: docker network disconnect my_custom_network container1
Result
Containers are connected to the custom network and can communicate with others on the same network by name.
Knowing how to connect containers to networks explicitly gives you control over container communication and network layout.
5
IntermediateInspecting and Managing Networks
🤔
Concept: Learn how to view details and manage Docker networks.
Use docker network ls to list networks. Use docker network inspect my_custom_network to see connected containers, IP ranges, and settings. Use docker network rm my_custom_network to remove a network (only if no containers are connected).
Result
You can see network details and manage lifecycle of custom networks.
Inspecting networks helps debug connectivity issues and understand network structure.
6
AdvancedCustomizing Network Subnets and Gateways
🤔Before reading on: Can you specify IP ranges when creating custom networks? Commit to yes or no.
Concept: Learn how to define your own IP address ranges and gateways for custom bridge networks.
Create a network with specific subnet and gateway: docker network create \ --subnet=192.168.100.0/24 \ --gateway=192.168.100.1 \ my_custom_network This controls IP allocation and avoids conflicts with other networks.
Result
Custom bridge network uses specified IP range and gateway for container IPs.
Controlling IP ranges prevents conflicts in complex environments and integrates Docker networks with existing infrastructure.
7
AdvancedAdvanced Isolation and Security with Bridge Networks
🤔Before reading on: Do you think containers on the same bridge network are fully isolated by default? Commit to yes or no.
Concept: Explore how custom bridge networks affect container isolation and how to enhance security using network options.
Containers on the same bridge network can communicate freely. To restrict communication, use options like --internal to block external access or configure firewall rules on the host. Docker also supports network plugins for advanced security policies. Understanding these helps prevent unwanted container access.
Result
You can create networks that isolate containers from outside or restrict container-to-container communication as needed.
Knowing the limits of bridge network isolation helps design secure container environments and avoid accidental exposure.
Under the Hood
Docker creates a Linux bridge device on the host for each bridge network. Containers connect virtual Ethernet interfaces (veth pairs) to this bridge. The bridge acts like a virtual switch forwarding packets between containers. Docker runs an embedded DNS server to resolve container names to IPs within the network. IP addresses are allocated from the subnet range assigned to the network. Network namespaces isolate container network stacks.
Why designed this way?
The bridge network model leverages existing Linux networking features for simplicity and performance. Using Linux bridges and namespaces avoids reinventing networking while providing isolation. This design balances ease of use, flexibility, and integration with host networking. Alternatives like overlay networks add complexity but enable multi-host communication.
Docker Host Network Stack
┌─────────────────────────────┐
│        Linux Bridge         │
│  ┌───────────────┐          │
│  │  veth-peer1   │◄────┐    │
│  ├───────────────┤     │    │
│  │  veth-peer2   │◄────┼────┤
│  └───────────────┘     │    │
│         │              │    │
│  ┌───────────────┐     │    │
│  │ Container 1   │     │    │
│  │ Network Stack │     │    │
│  └───────────────┘     │    │
│                        │    │
│  ┌───────────────┐     │    │
│  │ Container 2   │     │    │
│  │ Network Stack │     │    │
│  └───────────────┘     │    │
└────────────────────────┴────┘
Myth Busters - 4 Common Misconceptions
Quick: Do containers on different custom bridge networks communicate by default? Commit yes or no.
Common Belief:Containers on different custom bridge networks can talk to each other automatically.
Tap to reveal reality
Reality:Containers on separate custom bridge networks cannot communicate unless connected to a common network or explicitly linked.
Why it matters:Assuming cross-network communication leads to failed service interactions and debugging confusion.
Quick: Does creating many custom bridge networks slow down Docker performance? Commit yes or no.
Common Belief:Creating many custom bridge networks significantly slows down Docker and container performance.
Tap to reveal reality
Reality:Docker efficiently manages multiple bridge networks with minimal performance impact on the host.
Why it matters:Avoiding custom networks due to performance fears limits container organization and security.
Quick: Are containers on the default bridge network able to resolve each other's names? Commit yes or no.
Common Belief:Containers on the default bridge network can resolve each other's container names automatically.
Tap to reveal reality
Reality:The default bridge network does not provide automatic DNS resolution for container names; containers must use IP addresses.
Why it matters:Expecting name resolution causes communication failures and wasted debugging time.
Quick: Does the --internal flag on a bridge network block all container communication? Commit yes or no.
Common Belief:Using --internal on a bridge network disables all container communication inside that network.
Tap to reveal reality
Reality:The --internal flag blocks external access to the network but allows containers inside to communicate normally.
Why it matters:Misunderstanding this leads to incorrect network security setups and unexpected container isolation.
Expert Zone
1
Custom bridge networks allow multiple networks per container, enabling complex multi-network setups for microservices.
2
Docker's embedded DNS server only resolves container names within the same network, so cross-network name resolution requires extra configuration.
3
Network options like --opt com.docker.network.bridge.enable_icc control inter-container communication, allowing fine-grained security policies.
When NOT to use
Custom bridge networks are limited to single-host communication. For multi-host or cluster-wide networking, use overlay networks or Kubernetes networking solutions instead.
Production Patterns
In production, teams create multiple custom bridge networks to isolate environments (dev, test, prod), separate database and app containers, and enforce security boundaries. They also automate network creation and container attachment in CI/CD pipelines.
Connections
Virtual Local Area Network (VLAN)
Custom bridge networks in Docker are similar to VLANs in physical networking, both isolate traffic within a shared infrastructure.
Understanding VLANs helps grasp how Docker isolates container traffic logically without separate physical hardware.
Linux Network Namespaces
Docker bridge networks rely on Linux network namespaces to isolate container network stacks.
Knowing namespaces clarifies how containers have independent network interfaces and routing tables.
Office Workspace Partitioning
Creating custom bridge networks is like partitioning an office into separate rooms for teams to work without disturbing each other.
This connection helps understand the importance of network isolation for security and organization.
Common Pitfalls
#1Trying to connect containers on different custom bridge networks without linking or shared networks.
Wrong approach:docker run --network network1 --name c1 alpine sleep 1000 docker run --network network2 --name c2 alpine sleep 1000 # Trying to ping c2 from c1 fails
Correct approach:docker network connect network1 c2 # Now c1 can ping c2 by name
Root cause:Misunderstanding that containers must share a network to communicate by name.
#2Assuming containers on the default bridge network can resolve each other's names.
Wrong approach:docker run --name c1 alpine sleep 1000 docker run --name c2 alpine sleep 1000 # From c1: ping c2 (fails)
Correct approach:docker network create mynet docker run --network mynet --name c1 alpine sleep 1000 docker run --network mynet --name c2 alpine sleep 1000 # From c1: ping c2 (succeeds)
Root cause:Not knowing default bridge network lacks embedded DNS for container names.
#3Removing a network while containers are still connected to it.
Wrong approach:docker network rm mynet # Error: network is in use by containers
Correct approach:docker network disconnect mynet container1 # Then remove network docker network rm mynet
Root cause:Not disconnecting containers before deleting the network.
Key Takeaways
Custom bridge networks let you create private, isolated networks for Docker containers to communicate securely and clearly.
Containers must share the same network to communicate by container name; different networks isolate traffic completely.
You can customize IP ranges and gateways in custom networks to avoid conflicts and integrate with existing infrastructure.
Docker uses Linux bridges and network namespaces under the hood to provide isolation and connectivity efficiently.
Understanding network isolation and management is essential for building secure, scalable containerized applications.