Bird
Raised Fist0
Microservicessystem_design~12 mins

Container networking in Microservices - Architecture Diagram

Choose your learning style10 modes available
LearnWhyDeepArchPracticeChallengeDesignRecallScale

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
System Overview - Container networking

This system shows how containers communicate within a microservices environment. It ensures that services inside containers can talk to each other and to the outside world securely and efficiently. Key requirements include service discovery, network isolation, and load balancing.

Architecture Diagram
User
  |
  v
Ingress Controller (Load Balancer)
  |
  v
Service Mesh Proxy (Sidecar)
  |
  +-----------------------------+
  |                             |
  |  Container A <--> Container B|
  |  (Microservice A)  (Microservice B)
  |                             |
  +-----------------------------+
       |                  |
       v                  v
   Container Network   Container Network
       |                  |
       v                  v
   Network Plugin (CNI)  Network Plugin (CNI)
       |                  |
       +------------------+
              |
              v
         Host Network
Components
User
client
Initiates requests to the microservices system
Ingress Controller (Load Balancer)
load_balancer
Distributes incoming traffic to appropriate services inside the cluster
Service Mesh Proxy (Sidecar)
service_proxy
Manages service-to-service communication, security, and observability
Container A (Microservice A)
service
Runs one microservice instance inside a container
Container B (Microservice B)
service
Runs another microservice instance inside a container
Network Plugin (CNI)
network_plugin
Provides networking capabilities and IP management for containers
Host Network
host_network
Underlying network of the physical or virtual machine hosting containers
Request Flow - 8 Hops
UserIngress Controller (Load Balancer)
Ingress Controller (Load Balancer)Service Mesh Proxy (Sidecar) in Container A
Service Mesh Proxy (Sidecar) in Container AService Mesh Proxy (Sidecar) in Container B
Service Mesh Proxy (Sidecar) in Container BContainer B (Microservice B)
Container B (Microservice B)Service Mesh Proxy (Sidecar) in Container B
Service Mesh Proxy (Sidecar) in Container BService Mesh Proxy (Sidecar) in Container A
Service Mesh Proxy (Sidecar) in Container AIngress Controller (Load Balancer)
Ingress Controller (Load Balancer)User
Failure Scenario
Component Fails:Network Plugin (CNI)
Impact:Containers lose network connectivity, service-to-service communication fails, and external requests cannot reach containers.
Mitigation:Use redundant network plugins or fallback to host network mode; monitor plugin health and restart plugin components automatically.
Architecture Quiz - 3 Questions
Test your understanding
Which component is responsible for distributing incoming user requests to the correct microservice?
AService Mesh Proxy (Sidecar)
BNetwork Plugin (CNI)
CIngress Controller (Load Balancer)
DHost Network
Design Principle
This architecture shows how container networking uses layered components to isolate and manage communication. The load balancer handles external traffic, while service mesh proxies manage secure and observable service-to-service calls. Network plugins provide the underlying connectivity, ensuring containers can communicate within the host network.

Practice

(1/5)
1. What is the main purpose of container networking in microservices?
easy
A. To allow containers to communicate with each other
B. To store container data persistently
C. To build user interfaces for containers
D. To monitor container CPU usage

Solution

  1. Step 1: Understand container networking role

    Container networking connects containers so they can send data and messages to each other.

  2. Step 2: Compare with other options

    Storing data, building interfaces, and monitoring CPU are not related to networking.

  3. Final Answer:

    To allow containers to communicate with each other -> Option A

  4. Quick Check:

    Container networking = communication [OK]
Hint: Networking means communication between containers [OK]
Common Mistakes:
  • Confusing networking with storage
  • Thinking networking builds UI
  • Mixing monitoring with networking
2. Which Docker command creates a user-defined network named mynet?
easy
A. docker create network mynet
B. docker network create mynet
C. docker network new mynet
D. docker net create mynet

Solution

  1. Step 1: Recall Docker network creation syntax

    The correct command is docker network create <name>.

  2. Step 2: Match options with syntax

    Only docker network create mynet matches the correct syntax exactly.

  3. Final Answer:

    docker network create mynet -> Option B

  4. Quick Check:

    docker network create = correct syntax [OK]
Hint: Remember: 'docker network create' is the right command [OK]
Common Mistakes:
  • Swapping 'create' and 'network' order
  • Using 'new' instead of 'create'
  • Shortening 'network' to 'net' incorrectly
3. Given two containers web and db connected on a user-defined network mynet, what happens when web tries to ping db by container name?
medium
A. Ping succeeds because containers can resolve names on the same user-defined network
B. Ping fails because container names are not resolvable
C. Ping succeeds only if IP addresses are used, not names
D. Ping fails because containers cannot communicate on user-defined networks

Solution

  1. Step 1: Understand user-defined network DNS resolution

    User-defined Docker networks provide automatic DNS resolution of container names.

  2. Step 2: Apply to ping scenario

    Since both containers are on mynet, web can ping db by name successfully.

  3. Final Answer:

    Ping succeeds because containers can resolve names on the same user-defined network -> Option A

  4. Quick Check:

    User-defined network = name resolution works [OK]
Hint: User-defined networks enable container name resolution [OK]
Common Mistakes:
  • Assuming container names are never resolvable
  • Thinking IP addresses are always required
  • Believing user-defined networks block communication
4. You created two containers on the default bridge network but they cannot communicate by container name. What is the likely cause?
medium
A. Container names must be IP addresses on default bridge
B. Containers must be on different networks to communicate
C. Default bridge network does not support automatic container name resolution
D. Docker daemon is not running

Solution

  1. Step 1: Recall default bridge network limitations

    The default bridge network does not provide automatic DNS for container names.

  2. Step 2: Analyze communication failure

    Without name resolution, containers cannot reach each other by name on default bridge.

  3. Final Answer:

    Default bridge network does not support automatic container name resolution -> Option C

  4. Quick Check:

    Default bridge = no name resolution [OK]
Hint: Default bridge lacks container name DNS [OK]
Common Mistakes:
  • Thinking containers must be on different networks to communicate
  • Confusing container names with IP addresses
  • Assuming Docker daemon is stopped without checking
5. You want to isolate microservices into separate networks for security but allow only the api service to communicate with db. Which design best achieves this?
hard
A. Create separate networks but connect all containers to all networks.
B. Connect all services to a single network and use firewall rules inside containers.
C. Use the default bridge network for all containers and rely on container names.
D. Create two networks: api-net and db-net. Connect api to both networks, db only to db-net.

Solution

  1. Step 1: Understand network isolation and selective communication

    Separating services into different networks isolates traffic. Connecting api to both networks allows it to talk to db while others cannot.

  2. Step 2: Evaluate options for security and communication

    Create two networks: api-net and db-net. Connect api to both networks, db only to db-net. isolates db and allows only api access. Other options either lack isolation or allow unwanted access.

  3. Final Answer:

    Create two networks: api-net and db-net. Connect api to both networks, db only to db-net. -> Option D

  4. Quick Check:

    Separate networks + selective connection = secure communication [OK]
Hint: Use multiple networks and connect only needed containers [OK]
Common Mistakes:
  • Putting all containers on one network without isolation
  • Connecting all containers to all networks
  • Relying on default bridge network for security