
Network isolation between services in Docker - Commands & Configuration

Introduction
When you run multiple containers on the same host, they can reach each other over the network by default: every container on Docker's default bridge network can talk to every other one. Network isolation puts services on separate networks so they cannot interfere with or access each other unless you deliberately connect them.
When you want to run a web app and a database on the same server but keep their network traffic separate.
When you have multiple microservices and want to control which services can communicate.
When you want to improve security by limiting network access between containers.
When testing new services without affecting existing ones on the same host.
When you want to avoid port conflicts by isolating service networks.
Config File - docker-compose.yml
docker-compose.yml
version: '3.8'
services:
  webapp:
    image: nginx:1.23
    networks:
      - frontend
  database:
    image: mysql:8.0
    environment:
      MYSQL_ROOT_PASSWORD: examplepass
    networks:
      - backend
networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge

This file defines two services, webapp and database, each attached to its own user-defined bridge network (frontend and backend). Docker's iptables rules block traffic between different bridge networks, and its embedded DNS only resolves container names within a network, so containers on frontend cannot reach containers on backend by name or by IP unless a container is attached to both networks. As written, the webapp cannot reach the database at all; that is intentional here, because the point of the example is to demonstrate the isolation. The MYSQL_ROOT_PASSWORD value is a placeholder: in a real deployment keep credentials out of the compose file (for example in an env file or a Docker secret).
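In practice a web tier usually has to reach its database while the database stays unreachable from everything else. The following compose file is an added example (it is not part of the original page) showing that pattern: the webapp is attached to both networks and is the only service with a published port, the database sits on backend only, backend is marked internal so nothing on it can reach outside the host, and the root password is supplied as a Docker secret read from a file instead of an environment variable. The secret name, the file path and the published port are assumptions chosen for the example.

```yaml
# Added example, not the original page's file. Names, port and secret path are assumptions.
version: '3.8'
services:
  webapp:
    image: nginx:1.23
    ports:
      - "8080:80"          # only the web tier is published to the host
    networks:
      - frontend
      - backend            # attached to both, so it can resolve and reach the database
  database:
    image: mysql:8.0
    environment:
      # the official mysql image reads the password from this file instead of the environment
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
    secrets:
      - db_root_password
    networks:
      - backend            # backend only: unreachable from frontend and from the host
networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
    internal: true         # no route out of this network, so the database cannot reach the internet
secrets:
  db_root_password:
    file: ./db_root_password.txt   # assumed local file holding the password, kept out of version control
```

With this layout the webapp resolves the database as database (or database:3306) over the backend network, while a compromise of the database container gains neither a listener exposed to the host nor an outbound path for exfiltration. Because the webapp keeps its frontend attachment, it still has a route to the host for the published port.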

Commands
This command starts the services defined in docker-compose.yml in detached mode, creating the two networks automatically. Network and container names are prefixed with the Compose project name, which defaults to the name of the directory containing the file (example here). Compose v2 (docker compose) uses hyphens in container names, for example example-webapp-1, so adjust the later commands accordingly if that is what you are running.
Terminal
docker-compose up -d
Expected Output
Creating network "example_frontend" with driver "bridge"
Creating network "example_backend" with driver "bridge"
Creating example_database_1 ... done
Creating example_webapp_1 ... done
-d - Run containers in detached mode (in the background)
Lists all Docker networks to verify that the isolated networks were created.
Terminal
docker network ls
Expected Output
NETWORK ID     NAME               DRIVER    SCOPE
abc123def456   bridge             bridge    local
def789ghi012   example_frontend   bridge    local
ghi345jkl678   example_backend    bridge    local
Shows details of the frontend network, including which containers are connected to it.
Terminal
docker network inspect example_frontend
Expected Output
[
  {
    "Name": "example_frontend",
    "Id": "def789ghi012",
    "Containers": {
      "container_id_webapp": {
        "Name": "example_webapp_1",
        "IPv4Address": "172.18.0.2/16"
      }
    }
  }
]
Tests network isolation by trying to ping the database container from the webapp container. It should fail: the webapp's network has no DNS entry for a container on backend, and even a direct IP address would be dropped by Docker's inter-network isolation rules. Note that the nginx image does not include a ping binary by default, so this exec may instead fail with "executable file not found"; in that case resolve the name with getent hosts inside the container, or run the test from a busybox container attached to the frontend network.
Terminal
docker exec example_webapp_1 ping -c 3 example_database_1
Expected Output
ping: example_database_1: Name or service not known
-c 3 - Send 3 ping requests and then stop
Key Concept

If you remember nothing else from this pattern, remember: Docker networks isolate containers so they can only communicate if attached to the same network.

Common Mistakes
Attaching all services to the default bridge network only
All containers can communicate freely, so there is no isolation.
Create and assign custom bridge networks to separate services.
Trying to reach containers across isolated networks
Docker DNS only resolves container names within the same network, and using the IP address does not help: Docker's iptables rules drop traffic between different bridge networks.
If two services must communicate, attach them to a shared network (a container can belong to several networks at once).
Not specifying networks in docker-compose.yml and expecting isolation
Without explicit networks, Compose attaches every service to a single project-wide default network (example_default), on which all services can reach each other by name.
Define custom networks and assign each service only to the networks it needs.
Summary
Define custom bridge networks in docker-compose.yml to isolate services.
Start services with docker-compose up -d to create networks and containers.
Verify networks with docker network ls and inspect to see connected containers.
Test isolation by trying to communicate between containers on different networks.