Docker Network Security
Securing Docker networking involves network isolation, encrypted communication, and careful firewall management.
Network Isolation Principles
Defense in depth — containers should only have access to networks they need.
```bash
# Bad: all services on one network
docker network create everything

# Good: isolated networks per tier
docker network create frontend-net   # web + proxy
docker network create backend-net    # web + api
docker network create db-net         # api + database
# database only on db-net — never reachable from frontend
```
Internal Networks
Mark a network as internal to prevent containers from reaching the internet:
```bash
docker network create \
  --internal \
  --driver bridge \
  isolated-db-net
```
Containers on an internal network cannot route traffic outside. Useful for databases.
Overlay Encryption
Data-plane encryption for Swarm overlay networks:
```bash
docker network create \
  --driver overlay \
  --opt encrypted=true \
  secure-overlay
```
Uses AES-GCM 256-bit encryption. Management plane (Raft) is always TLS-encrypted.
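The two sections above describe a policy (one network per tier, the database tier on an internal network, overlays encrypted) that is easy to declare and easy to drift from. The following audit script is an added example, not part of the original notes and not Docker's code: it reads the JSON list that `docker network inspect frontend-net backend-net db-net` prints and reports networks that should be `--internal` but are not, containers attached to a network their tier is not allowed on, and overlay networks created without the `encrypted` option. The container-to-tier map and the `com.example.tier` label it is assumed to come from are inventions of the example, as is the sample inspect output.

```python
"""Audit `docker network inspect` output against a per-tier network policy.

Added example for this page; it is not Docker's code and not from the
original notes. Input is the JSON list printed by
`docker network inspect frontend-net backend-net db-net ...`; the
container-to-tier map is assumed to come from a label on each container
(here a hypothetical `com.example.tier`, read via `docker inspect`).
"""
import json

# Which tiers may attach to each network and which networks must be
# --internal (no route to the outside). Mirrors the page's three-tier layout;
# the policy itself is an assumption of this example.
POLICY = {
    "frontend-net": {"tiers": {"proxy", "web"}, "internal": False},
    "backend-net":  {"tiers": {"web", "api"}, "internal": False},
    "db-net":       {"tiers": {"api", "database"}, "internal": True},
}


def audit_networks(networks, container_tiers, policy=POLICY):
    """Return finding strings for a list of `docker network inspect` objects.

    networks:        parsed JSON list (each item has Name, Driver, Internal,
                     Options and Containers as docker prints them)
    container_tiers: {container name: tier}, e.g. built from container labels
    """
    findings = []
    for net in networks:
        name = net.get("Name", "?")
        rules = policy.get(name)
        if rules is None:
            findings.append(f"{name}: network is not covered by the policy")
            continue
        if rules["internal"] and not net.get("Internal", False):
            findings.append(f"{name}: should be --internal but has egress")
        # The overlay driver turns on encryption when the 'encrypted' option
        # key is present, so the check is on the key, not on its value.
        if net.get("Driver") == "overlay" and "encrypted" not in (net.get("Options") or {}):
            findings.append(f"{name}: overlay network created without --opt encrypted")
        for endpoint in (net.get("Containers") or {}).values():
            cname = endpoint.get("Name", "?")
            tier = container_tiers.get(cname, "<unknown>")
            if tier not in rules["tiers"]:
                findings.append(f"{name}: container {cname} (tier {tier}) must not be attached")
    return findings


# Constructed sample, trimmed to the fields the audit reads. It contains three
# deliberate problems: db-net is not internal, the web container sits on
# db-net, and the overlay network is unencrypted.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "frontend-net", "Driver": "bridge", "Internal": false, "Options": {},
   "Containers": {"c1": {"Name": "proxy"}, "c2": {"Name": "web"}}},
  {"Name": "db-net", "Driver": "bridge", "Internal": false, "Options": {},
   "Containers": {"c3": {"Name": "api"}, "c4": {"Name": "db"}, "c2": {"Name": "web"}}},
  {"Name": "backend-net", "Driver": "overlay", "Internal": false, "Options": {},
   "Containers": {"c2": {"Name": "web"}, "c3": {"Name": "api"}}}
]
""")

# Constructed: in practice derive this from each container's tier label.
SAMPLE_TIERS = {"proxy": "proxy", "web": "web", "api": "api", "db": "database"}


def run_sample():
    """Audit the constructed sample; returns the findings list (three entries)."""
    return audit_networks(SAMPLE_INSPECT, SAMPLE_TIERS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

To run it against a live host, pipe `docker network inspect $(docker network ls -q)` into `json.loads` and build the tier map from `docker inspect --format '{{.Name}} {{index .Config.Labels "com.example.tier"}}'` (the label name is the example's own choice).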
mTLS with Docker Secrets + Sidecars
For service-to-service mTLS, use:
- Docker Secrets to distribute certificates
- A sidecar proxy (Envoy, Nginx) to terminate TLS
```bash
# Store a TLS cert and key as Docker Secrets
docker secret create server.crt server.crt
docker secret create server.key server.key

# Mount them in a service
docker service create \
  --secret server.crt \
  --secret server.key \
  --name api \
  my-api-image
# Secrets are mounted at /run/secrets/server.crt and /run/secrets/server.key
```
iptables & Docker
Docker manages iptables automatically. Key rules:
```bash
# Docker sets the FORWARD chain policy to DROP and jumps to DOCKER-USER before
# any of its own rules, so rules placed here are evaluated first.
# `-I` inserts at the TOP of the chain, so type the default-drop rule first:
iptables -I DOCKER-USER -j DROP                                                # default: drop all forwarded traffic
iptables -I DOCKER-USER -s 10.10.0.0/24 -d 10.10.1.0/24 -j ACCEPT              # allow one direction
iptables -I DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # let replies flow back
# Resulting order: ESTABLISHED,RELATED -> ACCEPT; 10.10.0.0/24 -> 10.10.1.0/24 -> ACCEPT; DROP
# A blanket DROP here also stops published ports and container egress, so add ACCEPT rules for those flows too.

# Check what Docker has added
iptables -t nat -L DOCKER -n -v
iptables -L DOCKER-ISOLATION-STAGE-1 -n -v
```
Use the `DOCKER-USER` chain for custom rules — Docker never overwrites it.
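Because `iptables -I` inserts at the top of the chain and the first matching rule wins, the order in which the commands above are typed decides what the chain does, and an allow rule for one direction does nothing for the replies. The evaluator below is an added example (not from the page, not netfilter's or Docker's code) that models just the matches those rules use, source/destination CIDR and conntrack state, and replays the page's commands with `-I` and then with `-A` so the difference is visible without touching a live firewall. The packet set is constructed.

```python
"""First-match evaluation of a DOCKER-USER rule list.

Added example, not part of the page and not Docker's or netfilter's code.
It models only the matches the page's rules use (-s, -d, conntrack state)
so that the effect of `iptables -I` (insert at the top) versus `-A`
(append) and of a missing return-traffic rule can be seen offline.
"""
import ipaddress


def rule(target, src=None, dst=None, ctstate=None):
    """One DOCKER-USER rule. src/dst are CIDR strings; ctstate is a set of
    conntrack states such as {"ESTABLISHED", "RELATED"}; None means 'any'."""
    return {
        "target": target,
        "src": ipaddress.ip_network(src) if src else None,
        "dst": ipaddress.ip_network(dst) if dst else None,
        "ctstate": set(ctstate) if ctstate else None,
    }


def build_chain(commands):
    """Replay `iptables -I`/`-A` commands in order and return the resulting chain.

    commands: list of (flag, rule) with flag "-I" or "-A".
    """
    chain = []
    for flag, r in commands:
        if flag == "-I":
            chain.insert(0, r)   # -I with no position number inserts at the top
        elif flag == "-A":
            chain.append(r)
        else:
            raise ValueError(f"unsupported flag {flag}")
    return chain


def matches(r, src, dst, ctstate):
    """True if the packet (src, dst, conntrack state) matches the rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if r["src"] is not None and s not in r["src"]:
        return False
    if r["dst"] is not None and d not in r["dst"]:
        return False
    if r["ctstate"] is not None and ctstate not in r["ctstate"]:
        return False
    return True


def verdict(chain, src, dst, ctstate="NEW"):
    """First matching rule decides; with no match the packet RETURNs to
    Docker's own FORWARD rules, which is what an empty DOCKER-USER does."""
    for r in chain:
        if matches(r, src, dst, ctstate):
            return r["target"]
    return "RETURN"


# The page's commands plus the return-traffic rule, in the order they are typed.
PAGE_COMMANDS = [
    ("-I", rule("DROP")),
    ("-I", rule("ACCEPT", src="10.10.0.0/24", dst="10.10.1.0/24")),
    ("-I", rule("ACCEPT", ctstate={"ESTABLISHED", "RELATED"})),
]

# Constructed packets: web tier in 10.10.0.0/24, api tier in 10.10.1.0/24.
PACKETS = {
    "web->api new":   ("10.10.0.5", "10.10.1.5", "NEW"),
    "api->web new":   ("10.10.1.5", "10.10.0.5", "NEW"),
    "api->web reply": ("10.10.1.5", "10.10.0.5", "ESTABLISHED"),
    "other->api new": ("10.10.2.5", "10.10.1.5", "NEW"),
}


def verdicts_for(commands, packets=PACKETS):
    """Build the chain from the commands and return {packet label: verdict}."""
    chain = build_chain(commands)
    return {label: verdict(chain, *pkt) for label, pkt in packets.items()}


if __name__ == "__main__":
    print("with -I:", verdicts_for(PAGE_COMMANDS))
    # Same three rules appended instead: DROP lands first and shadows the rest.
    print("with -A:", verdicts_for([("-A", r) for _, r in PAGE_COMMANDS]))
```

With `-I` the chain ends up as ESTABLISHED-accept, pair-accept, DROP: the web-to-api request and its reply pass, a new connection in the opposite direction is dropped. With `-A` the DROP is evaluated first and nothing passes.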
Securing the Docker Socket
The Docker socket (/var/run/docker.sock) gives root-equivalent access. Protect it:
```bash
# Use TLS with client-certificate verification for the remote Docker API
dockerd \
  --tlsverify \
  --tlscacert=ca.pem \
  --tlscert=server-cert.pem \
  --tlskey=server-key.pem \
  --host tcp://0.0.0.0:2376
```
Container Network Capabilities
By default, containers run without NET_ADMIN and NET_RAW. Adding these is a security risk:
```bash
# Avoid unless necessary
docker run --cap-add NET_ADMIN my-image   # can reconfigure interfaces, routes and iptables in its netns
docker run --cap-add NET_RAW my-image     # enables raw sockets / packet capture
```
AppArmor & Seccomp Profiles
Limit syscalls to reduce attack surface:
```bash
# Apply a custom seccomp profile
docker run --security-opt seccomp=custom-profile.json nginx

# AppArmor profile
docker run --security-opt apparmor=docker-default nginx
```
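The socket, capability and seccomp/AppArmor points above all show up in `docker inspect` output, which makes them easy to check across a fleet. The script below is an added example, not from the page and not Docker's code: it reads the `HostConfig` and `Mounts` sections of one `docker inspect` object and flags a bind-mounted Docker socket, `NET_ADMIN`/`NET_RAW` (or `ALL`) in `CapAdd`, explicit `seccomp=unconfined` or `apparmor=unconfined`, `--privileged`, and host networking. The two sample containers are constructed.

```python
"""Flag network-relevant hardening gaps in `docker inspect` output.

Added example; not from the page and not Docker's code. It reads the
HostConfig and Mounts sections that `docker inspect <container>` prints and
reports the points the page warns about. The sample containers are
constructed.
"""
import json

DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}
RISKY_NET_CAPS = {"NET_ADMIN", "NET_RAW"}


def _cap_name(cap):
    """Docker accepts both 'NET_ADMIN' and 'CAP_NET_ADMIN'; normalise to the short form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(inspect_obj):
    """Return a list of finding strings for one `docker inspect` object."""
    name = inspect_obj.get("Name", "?").lstrip("/")
    hc = inspect_obj.get("HostConfig") or {}
    findings = []

    if hc.get("Privileged"):
        findings.append(f"{name}: --privileged (all capabilities, no seccomp/AppArmor)")

    if hc.get("NetworkMode") == "host":
        findings.append(f"{name}: host networking, no network namespace isolation")

    # Bind mounts appear under HostConfig.Binds as "src:dst[:opts]" and under
    # Mounts with a Source field; check both so neither form slips through.
    sources = [b.split(":")[0] for b in (hc.get("Binds") or [])]
    sources += [m.get("Source", "") for m in (inspect_obj.get("Mounts") or [])
                if m.get("Type") == "bind"]
    if any(s in DOCKER_SOCKETS for s in sources):
        findings.append(f"{name}: Docker socket bind-mounted (root-equivalent on the host)")

    for cap in hc.get("CapAdd") or []:
        if cap.upper() == "ALL" or _cap_name(cap) in RISKY_NET_CAPS:
            findings.append(f"{name}: --cap-add {cap}")

    # No SecurityOpt means Docker's defaults apply (default seccomp profile and,
    # where supported, the docker-default AppArmor profile), so only explicit
    # 'unconfined' settings are flagged.
    for opt in hc.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(f"{name}: --security-opt {opt}")

    return findings


# Constructed sample: a hardened api container and a debug container that
# violates four of the checks.
SAMPLE = json.loads("""
[
  {"Name": "/api",
   "HostConfig": {"Privileged": false, "NetworkMode": "backend-net",
                  "Binds": null, "CapAdd": null, "CapDrop": ["ALL"],
                  "SecurityOpt": ["no-new-privileges"]},
   "Mounts": []},
  {"Name": "/debug-box",
   "HostConfig": {"Privileged": false, "NetworkMode": "host",
                  "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                  "CapAdd": ["NET_ADMIN"], "CapDrop": null,
                  "SecurityOpt": ["seccomp=unconfined"]},
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock"}]}
]
""")


def run_sample():
    """Audit the constructed sample; returns {container name: findings}."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in SAMPLE}


if __name__ == "__main__":
    for cname, findings in run_sample().items():
        print(cname, findings or "OK")
```

On a live host, `docker inspect $(docker ps -q)` gives the list to feed through `audit_container`; running it from a CI job or a cron on each node turns the page's "avoid unless necessary" advice into something that is actually enforced.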
Secrets vs Environment Variables
| Property | Env vars | Docker Secrets |
|----------|----------|----------------|
| Visible in `docker inspect` | Yes | No |
| In process environment | Yes | No (file at `/run/secrets/`) |
| Swarm only | No | Yes |
| Rotation | Restart required | Service update |
Always prefer Secrets for sensitive data in Swarm.
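The table only pays off if the application reads the credential from the mounted file rather than from an environment variable. The reader below is an added example, not from the page: it looks in `/run/secrets/<name>` first, then honours the `<NAME>_FILE` convention used by the official Docker Hub images (a path to a file), and falls back to a plain environment variable last, reporting which source was used so a deployment check can reject the env-var path in production. The files and environment in `run_sample` are constructed.

```python
"""Read a credential from a Docker Secret file first, the environment last.

Added example; not from the page. Lookup order: /run/secrets/<name>,
then $<NAME>_FILE (a path, the convention used by official Docker Hub
images), then $<NAME> itself. The source is returned alongside the value.
"""
import os
import tempfile


def read_secret(name, env=None, secrets_dir="/run/secrets"):
    """Return (value, source) where source is 'secret', 'file' or 'env'.

    Raises KeyError when none of the three sources provides the value.
    """
    env = os.environ if env is None else env
    key = name.upper()
    secret_path = os.path.join(secrets_dir, name)
    if os.path.isfile(secret_path):                  # Swarm-mounted secret
        with open(secret_path, encoding="utf-8") as fh:
            return fh.read().rstrip("\n"), "secret"
    if env.get(f"{key}_FILE"):                       # path supplied via env
        with open(env[f"{key}_FILE"], encoding="utf-8") as fh:
            return fh.read().rstrip("\n"), "file"
    if key in env:                                   # plain env var (dev only)
        return env[key], "env"
    raise KeyError(f"no source for secret {name!r}")


def run_sample():
    """Exercise all three paths with constructed files; returns {path: (value, source)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Stand-in for /run/secrets as Swarm would populate it.
        secrets_dir = os.path.join(tmp, "run-secrets")
        os.makedirs(secrets_dir)
        with open(os.path.join(secrets_dir, "db_password"), "w", encoding="utf-8") as fh:
            fh.write("swarm-secret\n")
        # A file referenced through DB_PASSWORD_FILE instead.
        alt = os.path.join(tmp, "pw.txt")
        with open(alt, "w", encoding="utf-8") as fh:
            fh.write("file-secret\n")
        absent = os.path.join(tmp, "absent")         # no secrets mounted here

        results["swarm"] = read_secret("db_password", env={}, secrets_dir=secrets_dir)
        results["file"] = read_secret("db_password", env={"DB_PASSWORD_FILE": alt},
                                      secrets_dir=absent)
        results["env"] = read_secret("db_password", env={"DB_PASSWORD": "env-secret"},
                                     secrets_dir=absent)
    return results


if __name__ == "__main__":
    for path, (value, source) in run_sample().items():
        print(f"{path}: {value!r} from {source}")
```

The returned source is the useful part: a startup check such as `if source == "env" and os.environ.get("ENV") == "production": sys.exit(...)` keeps credentials out of `docker inspect` output where it matters.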
Summary
- Segment networks: frontend, backend, db — no cross-tier access by default
- `--internal` networks block internet egress
- Overlay `--opt encrypted` adds AES-256 data plane encryption
- Use the `DOCKER-USER` chain for custom iptables rules
- Never bind-mount the Docker socket; use TLS for the remote API
- Prefer Docker Secrets over environment variables for credentials