# Docker Networking

Docker networking is a crucial aspect of container management that enables communication between containers and the outside world. Understanding Docker networking is essential for building scalable and secure containerized applications.

## Core Concepts of Docker Networking

### Network Drivers

Docker uses network drivers to provide different networking capabilities. Each driver has unique characteristics and use cases.

1. Bridge: The default network driver. It's used when multiple containers need to communicate on the same Docker host.

2. Host: Removes network isolation between the container and the Docker host, using the host's networking directly.

3. Overlay: Enables communication between containers across multiple Docker hosts, often used in Docker Swarm.

4. Macvlan: Allows you to assign a MAC address to a container, making it appear as a physical device on your network.

5. None: Disables all networking for a container.

### Network Scopes

Docker networks operate in two scopes:

1. Local: The network is limited to a single host.
2. Swarm: The network can span multiple hosts in a Docker Swarm cluster.

## Working with Docker Networks

### Listing Networks

To list all networks:

```bash
docker network ls
```

### Creating a Network

To create a new network:

```bash
docker network create [OPTIONS] NETWORK
```

Example:

```bash
docker network create --driver bridge my_network
```

### Connecting a Container to a Network

When running a container:

```bash
docker run --network=my_network my_image
```

For an existing container:

```bash
docker network connect my_network my_container
```

### Disconnecting a Container from a Network

```bash
docker network disconnect my_network my_container
```

### Removing a Network

```bash
docker network rm my_network
```

## Docker Bridge Networking

Bridge networking is the default network mode in Docker.

### Default Bridge Network

- All containers are connected to the `bridge` network by default.
- Containers on the default bridge can communicate with each other via IP addresses.
- To enable communication by container name, use custom bridge networks.

### Custom Bridge Networks

Custom bridge networks provide better isolation and allow containers to communicate using their names as hostnames.

Creating a custom bridge network:

```bash
docker network create my_custom_bridge
```

Running a container on the custom network:

```bash
docker run --network=my_custom_bridge --name=container1 my_image
```

Now, `container1` can be reached by its name from other containers on the same network.

## Exposing Ports

To make a service running in a container reachable from outside the Docker host, you need to publish its ports.

### Publishing Ports

When running a container:

```bash
docker run -p [HOST_PORT]:[CONTAINER_PORT] my_image
```

Example:

```bash
docker run -p 8080:80 nginx
```

This maps port 80 in the container to port 8080 on the host.

### Exposing All Ports

To publish every port the image's Dockerfile declares with `EXPOSE`:

```bash
docker run -P my_image
```

## Docker Host Networking

Host networking removes network isolation between the container and the Docker host.

To use host networking:

```bash
docker run --network host my_image
```

Note: Host networking can't be used on Docker Desktop for Mac or Windows.

## Docker Overlay Networking

Overlay networks are used in Docker Swarm to enable container communication across multiple Docker hosts.

### Creating an Overlay Network

```bash
docker network create --driver overlay my_overlay_network
```

### Attaching a Service to an Overlay Network

```bash
docker service create --network my_overlay_network my_image
```

## Docker Macvlan Networking

Macvlan networks allow you to assign a MAC address to a container, making it appear as a physical device on your network.

Creating a Macvlan network:

```bash
docker network create -d macvlan \
  --subnet=172.16.86.0/24 \
  --gateway=172.16.86.1 \
  -o parent=eth0 my_macvlan_network
```
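Because a macvlan container takes an address on the same LAN as the parent interface, it is worth checking the address plan before running the command above. The following script is an added example (not part of the original page) that validates the `--subnet`, `--gateway` and optional `--ip-range` values with Python's standard `ipaddress` module and builds the matching `docker network create` argument list. `--ip-range` is a real `docker network create` flag; the function names and the `172.16.86.128/25` pool are assumptions chosen for the example.

```python
import ipaddress
from typing import Optional


def validate_macvlan_plan(subnet: str, gateway: str, ip_range: Optional[str] = None) -> dict:
    """Check that the macvlan address plan is internally consistent.

    Raises ValueError on a bad plan; otherwise returns a small summary dict.
    """
    net = ipaddress.ip_network(subnet, strict=True)      # rejects e.g. 172.16.86.5/24
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is outside subnet {net}")
    if gw in (net.network_address, net.broadcast_address):
        raise ValueError(f"gateway {gw} is the network or broadcast address of {net}")

    if ip_range is None:
        # Docker may hand out any host address in the subnet except the gateway,
        # so containers can collide with other devices (or a DHCP server) on that LAN.
        pool = None
        pool_size = max(net.num_addresses - 2, 0) - 1   # minus network, broadcast, gateway
    else:
        # A dedicated pool keeps container addresses away from the rest of the LAN.
        pool = ipaddress.ip_network(ip_range, strict=True)
        if not pool.subnet_of(net):
            raise ValueError(f"ip-range {pool} is not inside subnet {net}")
        if gw in pool:
            raise ValueError(f"gateway {gw} lies inside the container ip-range {pool}")
        pool_size = pool.num_addresses

    return {
        "subnet": str(net),
        "gateway": str(gw),
        "ip_range": str(pool) if pool else None,
        "pool_size": pool_size,
        "dedicated_pool": pool is not None,
    }


def macvlan_create_command(name: str, parent: str, subnet: str, gateway: str,
                           ip_range: Optional[str] = None) -> list:
    """Return the argv list for `docker network create -d macvlan ...` after validating the plan."""
    validate_macvlan_plan(subnet, gateway, ip_range)
    cmd = ["docker", "network", "create", "-d", "macvlan",
           f"--subnet={subnet}", f"--gateway={gateway}"]
    if ip_range:
        cmd.append(f"--ip-range={ip_range}")
    cmd += ["-o", f"parent={parent}", name]
    return cmd


if __name__ == "__main__":
    # Same values as the page's example, plus an assumed /25 pool for containers.
    plan = validate_macvlan_plan("172.16.86.0/24", "172.16.86.1", "172.16.86.128/25")
    print(plan)
    print(" ".join(macvlan_create_command("my_macvlan_network", "eth0",
                                          "172.16.86.0/24", "172.16.86.1", "172.16.86.128/25")))
```

Pass the returned list to `subprocess.run` rather than joining it into a shell string, so that interface names and network names are never shell-interpreted. A plan without `ip_range` still validates but reports `dedicated_pool: False`, which is the case a reviewer would ask about.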

## Network Troubleshooting

### Inspecting Network Details

```bash
docker network inspect my_network
```

### Viewing Container's Network Settings

```bash
docker inspect --format='{{json .NetworkSettings.Networks}}' my_container
```
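The JSON that the command above prints is one object per attached network, keyed by network name. The script below is an added example (not from the original page) that turns that output into a readable table of network, address, gateway, MAC and DNS aliases; the sample JSON is constructed for the example, with placeholder IDs and made-up addresses, and the `-` argument convention for reading from stdin is an assumption of this script.

```python
import json
import sys

# Constructed sample of what
#   docker inspect --format='{{json .NetworkSettings.Networks}}' my_container
# prints for a container attached to two user-defined bridge networks.
# IDs and addresses are placeholders made up for this example.
SAMPLE_NETWORKS_JSON = """
{
  "backend": {
    "IPAMConfig": null,
    "Links": null,
    "Aliases": ["api", "0a1b2c3d4e5f"],
    "NetworkID": "netid-backend-placeholder",
    "EndpointID": "epid-backend-placeholder",
    "Gateway": "172.20.0.1",
    "IPAddress": "172.20.0.3",
    "IPPrefixLen": 16,
    "IPv6Gateway": "",
    "GlobalIPv6Address": "",
    "GlobalIPv6PrefixLen": 0,
    "MacAddress": "02:42:ac:14:00:03",
    "DriverOpts": null
  },
  "frontend": {
    "IPAMConfig": null,
    "Links": null,
    "Aliases": ["api", "0a1b2c3d4e5f"],
    "NetworkID": "netid-frontend-placeholder",
    "EndpointID": "epid-frontend-placeholder",
    "Gateway": "172.21.0.1",
    "IPAddress": "172.21.0.2",
    "IPPrefixLen": 16,
    "IPv6Gateway": "",
    "GlobalIPv6Address": "",
    "GlobalIPv6PrefixLen": 0,
    "MacAddress": "02:42:ac:15:00:02",
    "DriverOpts": null
  }
}
"""


def parse_networks(networks_json: str) -> list:
    """Flatten the per-network map from `docker inspect` into one row per attached network."""
    networks = json.loads(networks_json)
    rows = []
    for name, endpoint in sorted(networks.items()):
        rows.append({
            "network": name,
            "ip": f"{endpoint['IPAddress']}/{endpoint['IPPrefixLen']}",
            "gateway": endpoint.get("Gateway") or "-",
            "mac": endpoint.get("MacAddress") or "-",
            # Aliases are the extra DNS names (e.g. from --network-alias) that resolve to
            # this endpoint on that network; Docker also lists the short container ID here.
            "aliases": list(endpoint.get("Aliases") or []),
        })
    return rows


def render_table(rows: list) -> str:
    """Fixed-width text table, one line per network, with a header line first."""
    lines = [f"{'NETWORK':<12} {'IP':<18} {'GATEWAY':<14} {'MAC':<18} ALIASES"]
    for r in rows:
        lines.append(f"{r['network']:<12} {r['ip']:<18} {r['gateway']:<14} "
                     f"{r['mac']:<18} {', '.join(r['aliases'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Feed real output with:
    #   docker inspect --format='{{json .NetworkSettings.Networks}}' my_container | python3 netinfo.py -
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_NETWORKS_JSON
    print(render_table(parse_networks(data)))
```

A container that shows up on more networks than its role requires, or with an alias it should not carry, is visible at a glance in this table, which is what makes it useful during incident triage as well as for ordinary troubleshooting.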

### Using Network Debugging Tools

Network debugging tools can be run from a dedicated container rather than installed into your application images:

```bash
docker run --rm --net=host nicolaka/netshoot
```

This image includes tools such as `ping`, `traceroute`, and `nslookup`.

## Docker DNS

Docker provides a built-in DNS server for container name resolution.

- Containers on the default bridge network can only resolve each other by IP address.
- Containers on custom networks can resolve each other by name or alias.

Setting a DNS alias:

```bash
docker run --network my_network --network-alias my_alias my_image
```

## Network Security Best Practices

1. Use custom bridge networks instead of the default bridge for better isolation.

2. Limit exposed ports to only what's necessary.

3. Use Docker Secrets for sensitive data instead of environment variables.

4. Implement network segmentation using multiple custom networks.

5. Regularly update Docker and base images to patch security vulnerabilities.

6. Use Docker Content Trust to sign and verify images.

7. Implement proper firewall rules on the Docker host.
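Practices 1, 2 and 3 above, together with the host-networking caveat from the Docker Host Networking section, can be checked mechanically from `docker inspect` output. The following audit script is an added example (not part of the original page): it reads the JSON array that `docker inspect <container...>` prints and reports containers on the default bridge, containers using host networking, ports published on every interface (a plain `-p 8080:80` binds to all interfaces; `-p 127.0.0.1:8080:80` limits it to localhost), and environment variables whose names suggest they hold secrets. The sample inspect data is constructed for the example with placeholder IDs, and the rule names and the secret-name regex are assumptions of this script.

```python
import json
import re
import sys

# Constructed sample of `docker inspect web db agent` output, trimmed to the fields the
# audit reads. Names, IDs, addresses and the environment values are made up.
SAMPLE_INSPECT_JSON = """
[
  {
    "Id": "containerid-web-placeholder",
    "Name": "/web",
    "Config": {"Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/bin", "NGINX_VERSION=1.25"]},
    "HostConfig": {
      "NetworkMode": "default",
      "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]}
    },
    "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}
  },
  {
    "Id": "containerid-db-placeholder",
    "Name": "/db",
    "Config": {"Env": ["POSTGRES_PASSWORD=hunter2", "PGDATA=/var/lib/postgresql/data"]},
    "HostConfig": {
      "NetworkMode": "backend",
      "PortBindings": {"5432/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5432"}]}
    },
    "NetworkSettings": {"Networks": {"backend": {"IPAddress": "172.20.0.2"}}}
  },
  {
    "Id": "containerid-agent-placeholder",
    "Name": "/agent",
    "Config": {"Env": ["PATH=/usr/bin"]},
    "HostConfig": {"NetworkMode": "host", "PortBindings": {}},
    "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}
  }
]
"""

# Docker records an empty HostIp when -p is given without an address; it means all interfaces.
ALL_INTERFACES = {"", "0.0.0.0", "::"}
# Assumed heuristic for variable names that usually carry credentials.
SECRET_ENV_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)


def audit_container(container: dict) -> list:
    """Return (container, rule, detail) findings for one object from `docker inspect`."""
    name = container["Name"].lstrip("/")
    host_config = container.get("HostConfig") or {}
    networks = (container.get("NetworkSettings") or {}).get("Networks") or {}
    findings = []

    # Host networking: the container shares the host's network stack, so nothing isolates it.
    if host_config.get("NetworkMode") == "host":
        findings.append((name, "host-network", "uses --network host; no network isolation"))

    # Default bridge: every container on it can reach every other one (practice 1).
    if "bridge" in networks:
        findings.append((name, "default-bridge", "attached to the default bridge network"))

    # Published ports without a host address are reachable on every host interface (practice 2).
    for container_port, bindings in (host_config.get("PortBindings") or {}).items():
        for binding in bindings or []:
            host_ip = binding.get("HostIp", "")
            if host_ip in ALL_INTERFACES:
                findings.append((name, "port-all-interfaces",
                                 f"{container_port} published on {host_ip or '0.0.0.0'}:{binding['HostPort']}"))

    # Secrets in environment variables are visible in `docker inspect` output (practice 3).
    for entry in (container.get("Config") or {}).get("Env") or []:
        var_name = entry.split("=", 1)[0]
        if SECRET_ENV_RE.search(var_name):
            findings.append((name, "secret-in-env", f"{var_name} looks like a secret; use Docker Secrets"))
    return findings


def audit_inspect_output(inspect_json: str) -> list:
    """Run every rule over the JSON array that `docker inspect <container...>` prints."""
    findings = []
    for container in json.loads(inspect_json):
        findings.extend(audit_container(container))
    return findings


if __name__ == "__main__":
    # Feed real data with: docker inspect $(docker ps -q) | python3 audit.py -
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_INSPECT_JSON
    for container_name, rule, detail in audit_inspect_output(data):
        print(f"[{rule:<19}] {container_name}: {detail}")
```

On the constructed sample the script flags `web` twice (default bridge, port 80 published on all interfaces), `db` once (a password in the environment; its port is bound to localhost, which passes) and `agent` once (host networking). Running it from a scheduled job and diffing the output against a known-good baseline turns these best practices into a detection rather than a checklist.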

## Advanced Networking Concepts

### Container Network Model (CNM)

CNM is Docker's approach to container networking. It consists of three main components:

1. Sandbox: Contains the network stack configuration of a container.
2. Endpoint: Connects a sandbox to a network.
3. Network: A group of endpoints that can communicate with each other directly.

### Network Plugins

Docker supports network plugins that allow you to use different networking technologies:

- Weave
- Calico
- Flannel

These plugins often provide additional features like encryption, fine-grained access control, and improved performance.

### Service Discovery

In a Docker Swarm, services can be discovered using the built-in DNS server. Each service is assigned a DNS entry in the format `<service-name>.<network-name>`.

By mastering these Docker networking concepts and practices, you'll be well-equipped to design, implement, and troubleshoot network configurations for your containerized applications.