DCNANetwork Drivers

Network Drivers

Docker ships with five built-in drivers and supports third-party plugins.

Built-in Drivers Overview

| Driver | Scope | Use case | |--------|-------|----------| | bridge | Local | Default; containers on same host | | host | Local | Remove network isolation, use host's stack | | overlay | Swarm | Multi-host networking | | macvlan | Local | Container needs its own MAC/IP on LAN | | none | Local | Fully disable networking | | ipvlan | Local | Like macvlan but L3; shares host MAC |

bridge (default)

A Linux bridge (docker0 by default) connects containers on the same host.

# Default bridge — containers communicate by IP only
docker run -d --name c1 nginx
docker run -d --name c2 nginx
docker exec c2 ping <c1-ip>      # works by IP
docker exec c2 ping c1            # fails — no DNS on default bridge

# User-defined bridge — DNS works
docker network create my-net
docker run -d --name c1 --network my-net nginx
docker run -d --name c2 --network my-net nginx
docker exec c2 ping c1            # works

User-defined bridges are always preferred over the default bridge because they provide automatic DNS resolution.

docker network create \
  --driver bridge \
  --subnet 172.28.0.0/16 \
  --ip-range 172.28.5.0/24 \
  --gateway 172.28.5.254 \
  my-custom-bridge

host

The container shares the host's network namespace — no isolation, no NAT.

docker run --rm --network host nginx
# nginx listens on host's port 80 directly

Use when: maximum network performance, container needs raw socket access. Avoid in production unless necessary — breaks port isolation.

none

docker run --rm --network none alpine ping 8.8.8.8
# PING 8.8.8.8: Network is unreachable

Only the loopback interface exists. Used for batch jobs that don't need networking.

macvlan

Attaches the container directly to the physical network with its own MAC address. The container appears as a physical device on the LAN.

docker network create \
  --driver macvlan \
  --subnet 192.168.1.0/24 \
  --gateway 192.168.1.1 \
  -o parent=eth0 \
  macvlan-net

docker run --rm --network macvlan-net --ip 192.168.1.100 nginx

By default, the host cannot communicate with containers on a macvlan network. Use a macvlan sub-interface on the host to work around this.

ipvlan

Similar to macvlan but all containers share the host's MAC address. Useful when the switch limits MAC addresses per port.

  • L2 mode: like macvlan at layer 2
  • L3 mode: host acts as a router; containers get routed IPs (no ARP flooding)

Inspecting Networks

docker network ls
docker network inspect bridge
docker network inspect bridge --format '{{json .Containers}}'
docker network connect my-net existing-container
docker network disconnect my-net existing-container

Summary

  • bridge: default for single-host; user-defined bridges add DNS
  • host: no isolation, maximum performance, use sparingly
  • none: fully isolated, no networking
  • macvlan: container gets its own MAC/IP on the physical LAN
  • ipvlan L3: scalable L3 routing without ARP flooding

Lab: Network Drivers in Practice

Network Drivers in Practice
Lab: Network Drivers in Practice
Explore bridge, host, and none drivers hands-on.
────────────────────────────────────────────────────────────
$
Press Enter to run
Create a custom bridge network with subnet 192.168.100.0/24
Run an nginx container attached to custom-bridge with a fixed IP
Run a container with the 'none' driver (no networking)
Inspect custom-bridge to see the web container's IP
Stop and remove the web container
Remove the custom-bridge network
Docker Network ArchitectureContainer DNS & Service Discovery