Docker networking
Each Docker container has its own network stack. This is provided by the Linux kernel's network (net) namespace: a new net namespace is instantiated for each container, and it cannot be seen from outside the container or from other containers.
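The namespace isolation described above can be checked from the host, because every process exposes its net namespace identity as the link target of /proc/PID/ns/net. The following shell script is an added example, not part of the original text: it compares the network namespace of two processes, which lets an auditor spot a container that is running in the host's network stack (the same identity as PID 1) instead of its own. The use of `docker inspect --format '{{.State.Pid}}'` to obtain a container's PID is assumed, not shown on the page.

```shell
#!/bin/sh
# Added example: compare the network namespace of two processes via /proc/<pid>/ns/net.
# Two processes in the same net namespace resolve to the same "net:[<inode>]" target.
# A containerised process normally differs from PID 1 on the host; one that matches
# is sharing the host's network stack (e.g. started with --network=host).

# netns_of PID -> prints the namespace identity, e.g. "net:[4026531840]"
netns_of() {
    readlink "/proc/$1/ns/net" 2>/dev/null
}

# same_netns PID_A PID_B -> exit 0 if both share one net namespace, 1 if they differ,
# 2 if either PID cannot be inspected (no such process, or insufficient permission).
same_netns() {
    a=$(netns_of "$1") || return 2
    b=$(netns_of "$2") || return 2
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# report_netns PID -> human-readable verdict for one process against host PID 1.
# Obtain a container's PID with: docker inspect --format '{{.State.Pid}}' <container>
report_netns() {
    pid=$1
    same_netns 1 "$pid"
    rc=$?
    case $rc in
        0) echo "PID $pid uses the HOST network namespace ($(netns_of 1))" ;;
        1) echo "PID $pid has its own network namespace ($(netns_of "$pid"))" ;;
        *) echo "PID $pid: cannot read namespace (need root, or process does not exist)" ;;
    esac
    return $rc
}

# Stand-alone demo: this shell compared with itself, and with a PID that does not exist.
report_netns $$
report_netns 999999999 || true
```

Reading another user's /proc/PID/ns/net requires root (or the same user), so run the audit as root when checking container processes; a return code of 2 means "unknown", not "isolated".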
Docker networking is powered by the following network components and services:
Linux bridges: an L2/MAC-learning switch built into the kernel, used for forwarding
Open vSwitch: an advanced bridge that is programmable and supports tunneling
Network Address Translators (NAT): intermediate entities that translate IP addresses and ports (SNAT, DNAT)
iptables: the policy engine in the kernel used for managing packet forwarding, firewall, and NAT features
AppArmor/SELinux: firewall policies can be defined for each application
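NAT and iptables are the two components from the list that a defender meets most often, because together they implement port publishing: a DNAT rule in the nat table forwards a host port to a container address, and a MASQUERADE (SNAT) rule rewrites outbound container traffic to the host address. The script below is an added example, not from the original text or from Docker itself; it parses a constructed `iptables-save` dump, laid out the way Docker writes its rules (DOCKER chain, docker0 bridge, 172.17.0.0/16 subnet), and lists which published ports are reachable on all host interfaces versus loopback only. On a real host, replace the embedded sample with the output of `iptables-save -t nat`.

```shell
#!/bin/sh
# Added example: audit Docker-style NAT rules from an iptables-save dump.
# SAMPLE_NAT is a constructed sample modelled on Docker's nat table layout:
#  - PREROUTING/OUTPUT hand local-destination packets to the DOCKER chain
#  - POSTROUTING masquerades container sources leaving via a non-bridge interface
#  - DOCKER holds one DNAT rule per published port; a "-d <ip>/32" match means the
#    port was published on that host address only (here 127.0.0.1), otherwise it
#    answers on every interface.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
COMMIT'

# list_published -> one line per DNAT rule in the DOCKER chain:
#   <host-ip>:<host-port>/<proto> -> <container-ip>:<container-port>
# A missing "-d" match is reported as 0.0.0.0 (all interfaces).
list_published() {
    printf '%s\n' "$SAMPLE_NAT" | awk '
        /^-A DOCKER / && / -j DNAT / {
            host = "0.0.0.0"; proto = "?"; port = "?"; dest = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-d")                    { host = $(i+1); sub(/\/32$/, "", host) }
                else if ($i == "-p")               { proto = $(i+1) }
                else if ($i == "--dport")          { port = $(i+1) }
                else if ($i == "--to-destination") { dest = $(i+1) }
            }
            printf "%s:%s/%s -> %s\n", host, port, proto, dest
        }'
}

# count_world_exposed -> number of published ports reachable on all host interfaces
count_world_exposed() {
    list_published | grep -c '^0\.0\.0\.0:'
}

# masquerade_sources -> source prefixes that are SNATed on the way out (one per line)
masquerade_sources() {
    printf '%s\n' "$SAMPLE_NAT" | awk '
        /^-A POSTROUTING / && / -j MASQUERADE/ {
            for (i = 1; i <= NF; i++) if ($i == "-s") print $(i+1)
        }'
}

# Stand-alone demo
echo "Published ports (DNAT):"
list_published
echo "Reachable on all interfaces: $(count_world_exposed)"
echo "Masqueraded (SNAT) sources:"
masquerade_sources
```

The point of the split between 0.0.0.0 and 127.0.0.1 entries is that Docker's DNAT rules sit in PREROUTING, ahead of any INPUT-chain firewall rules an administrator may have written, so a port published without a host address is reachable from the network regardless of the host's INPUT policy; the nat table, not the filter table, is where that exposure has to be audited.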
Various networking components can be used with Docker, providing new ways to access and use Docker-based services. As a result, many libraries follow different approaches to networking. Some prominent ones...