DCNADocker Network Architecture

Docker Network Architecture

Docker's networking stack is built on the Container Network Model (CNM), an abstraction that allows pluggable network drivers.

Container Network Model (CNM)

The CNM has three building blocks:

| Component | Description | |-----------|-------------| | Sandbox | An isolated network namespace — has its own interfaces, routes, DNS | | Endpoint | A virtual NIC connecting a sandbox to a network | | Network | A group of endpoints that can communicate directly |

A container gets a sandbox. That sandbox can have one or more endpoints, each attached to a different network.

The Docker Networking Stack

Application
    │
┌───▼──────────────────────┐
│     Docker Engine        │  libnetwork
│  Network Controller      │
│  (CNM implementation)    │
└───┬──────────────────────┘
    │  Driver API
┌───▼──────────┬──────────┐
│ bridge       │ overlay  │ ... (pluggable drivers)
└──────────────┴──────────┘
    │
Linux kernel networking
(netns, veth pairs, iptables, IPVS)

libnetwork is Docker's Go implementation of the CNM. Network drivers are plugins that implement the driver API.

Virtual Ethernet Pairs (veth)

Each container gets a veth pair: one end inside the container's network namespace, the other on the Docker host connected to a bridge.

# See the veth pair on the host
ip link show | grep veth
brctl show docker0

iptables & Docker

Docker heavily uses iptables to:

NAT outgoing traffic (MASQUERADE)
Forward traffic to containers (DNAT)
Isolate networks (DROP rules)

# See Docker's iptables chains
sudo iptables -t nat -L -n -v
sudo iptables -L DOCKER -n -v

Docker manages these rules automatically. Manual edits to Docker's chains will be overwritten.

Network Namespaces

Each container runs in its own network namespace — a kernel feature providing isolated network stacks.

# List all network namespaces
ip netns list

# Inspect a running container's namespace
docker inspect <container> --format '{{.NetworkSettings.SandboxKey}}'

The Docker Daemon & Networking

When Docker starts, it creates:

The docker0 bridge (default bridge network)
A network namespace per container at creation
veth pairs linking container namespaces to the bridge

Summary

CNM (Sandbox, Endpoint, Network) is Docker's networking abstraction
libnetwork implements CNM; network drivers plug in
veth pairs connect container namespaces to the host bridge
iptables handle NAT, port forwarding, and network isolation

Lab: Explore Docker Network Architecture

Explore Docker Network Architecture

Lab: Explore Docker Network Architecture

Practice listing, inspecting and understanding the default Docker networks.

────────────────────────────────────────────────────────────

Press Enter to run

List all Docker networks on this host

Inspect the default bridge network to see its configuration

Create a user-defined bridge network called 'demo-net'

Verify the new network was created by listing all networks

Remove the demo-net network

Network Drivers