you need to learn Docker Networking RIGHT NOW!!

Video Notes:

Don’t leave yourself unprotected, get the best protection by checking out BitDefender Premium Security

Today you are going to explore the mysterious world of Docker networking. From the default bridge to the blackhole of none. NetworkChuck is going to help you navigate this fascinating technology.

0:00 ⏩ Intro
1:17 ⏩ What do you need?
2:19 ⏩ Let’s do this!
3:33 ⏩ The first network: The Default Bridge
10:44 ⏩ The second network: The User-defined Bridge
15:38 ⏩ The third but best network: The MACVLAN
22:51 ⏩ MACVLAN, trunked: MACVLAN 802.1q
25:01 ⏩ The fourth network: IPVLAN (L2)
27:05 ⏩ The fifth and my favorite network: IPVLAN (L3)
36:40 ⏩ The sixth network: Overlay network
37:35 ⏩ None
38:11 ⏩ Outro

You need to learn Docker networking right now. It’s crazy. I can’t stop playing with it. I mean, yeah, we can all agree that Docker containers are pure magic. They’re wicked fast, lightweight. That’s why everyone’s using them. Oh, wait. What’s that behind your ear? Yeah, I told you they were magic. But there’s something that’s always bugged me, a big mystery: how in the world does the networking work? I mean, think about it. By default, it kind of just works. But when we add these containers to a host, are they on their own network? Can we create more networks? Can we isolate them? Can we expose them, which we often have to do to make things work? Is that our only option? What’s going on here? So yeah, there are seven different types of networks we can deploy with Docker containers.

Isn’t that crazy? How did I miss this? How did I never play with this? So I’d like to invite you to go on a journey with me. Take the red pill. Let’s go down the rabbit hole of Docker networking. You will never look at Docker containers the same. So get your coffee ready. Let’s dive in, and shout out to the sponsor of this video, Bitdefender. We’ll talk more about how they can help protect you from the spooky side of the internet later. Now, to understand Docker containers and how the networking works, you’re gonna have to play with it, like right now. So let’s get your lab spun up. Let me tell you what you need, and feel free to follow exactly what I’m doing. It’s completely free. The first thing you’ll need is a bit of knowledge. Knowledge. In fact, I met that guy in Vegas. Hey, I just saw Tai Lopez.

He’s blogging me blog. I know how we at G seven X. Yeah, man, we 

Now, you’ll need to know a thing or two about Docker containers, what they are and why they are awesome. I’m not gonna cover that here in this video, but I already did in this video right here. So go ahead and watch it, click it up there or the link below, so you can keep watching. But I advise, if you don’t know what I’m talking about when I say Docker, you’re like, what, locker? No, Docker. If you don’t know what I’m talking about, then go ahead and watch that one and come back and see me. I’ll wait. Don’t worry, I’ll be here. And second, you’ll need a host, a Linux virtual machine where we can install Docker. I’ll be using the latest version of the free Ubuntu Desktop, deployed in my favorite free type 2 hypervisor, VirtualBox. Now, if all those words just scared you, then go and watch my video right here on virtual machines. You will be caught up to speed.

And by the way, I’m still gonna wait here for you. So come back and see me when you’re done. But if you’re not scared, the final thing you need is coffee, of course, because everything in IT requires coffee. NetworkChuck coffee. With my coffee in hand, now I’m ready for the lab. Let’s do this. Do you have your coffee? Go, go get it. Here in my lab, I have a fresh install of Ubuntu Desktop, as I mentioned before, nothing on it. I’ll go ahead and start that bad boy up right now. Man, isn’t that pretty? I love this. The first stop on our journey into Docker networking will be the default bridge, which is the first and sometimes only network we deal with when we deploy Docker. And it’s the default for a reason, ’cause it is a little magic. Like, trust me, you’re gonna have fun with this.

Let’s deploy this and see what magic we have inside. Now, here on my machine, I have not deployed Docker yet, which is cool, ’cause I wanna show you one thing real quick, and go ahead and do this with me if you have not deployed Docker. I wanna launch my terminal. Love the terminal. Feel somewhat at home here. Let’s take a look at our network interfaces. Let’s type in ip address show and see what we have. And pretty much what I expect: we have our loopback interface, and then we have our main interface connecting us to our home network. Which, actually, by the way, let’s make this change. If you’re using VirtualBox, go ahead and follow along with me. I’m gonna change the network for my VM by going to Settings, Network, and I’m gonna change it from NAT to Bridged Adapter, which will connect my VM directly to my home network,

getting an IP address from my router. You’ll wanna do this for something amazing coming up called MACVLANs. I don’t wanna spoil it for you, but trust me, it’s awesome. So now, with that change in place, I’ll do my ip address show once more, and yeah, look, my IP address changed. This is now directly connected to my home network. Perfect. So, like any good magician, let me show you the current state of things before we perform magic. Here’s the host running Ubuntu. Here’s his interface with the IP address of 10.7.1.232 on my home network, which connects it directly to my router, the internet, and me. Now let’s install Docker. Do a little sudo apt update action to update my repositories, if my password is right. My goodness. Okay, cool. And then we’ll do sudo apt install docker.io -y. That’s all we need.

Install. Quick coffee break while it’s doing its thing. And it is done. Cool. So now some magic just happened. Let’s take a look. ip address show once more in our terminal, and let’s see if we have any new interfaces. [laughs] Look, we do. There he is. We have something called docker0. What is that guy? Look, where’d the IP address come from? That’s new. docker0 is our new virtual bridge interface. It is the default interface and network for the default bridge, the default network in Docker. And pay attention to his IP address right here. Just remember that. Now there’s more Docker magic we can uncover real quick. Let’s try this command: docker network ls. Bam. This will list our current Docker networks. One guy we already know, Mr. Bridge right here. That’s his name. But two we don’t, and we’ll actually cover them here in a moment.

They are two of the seven networks in Docker, and they’re there by default, obviously. But one thing I do want you to notice is that little menu item up here, the section called driver. In Docker speak, driver basically means network type. So our bridge network is named bridge, and his type is also bridge. He’s using the bridge driver. You’ll see that terminology everywhere in Docker, so just think network type when you see driver. That’s what I do. Now, what do you say we deploy some containers in our default network? Come on, follow along with me. We’ll use the command docker run. We’ll do a few switches: -itd, to make it interactive and detached, running in the background, and we’ll do a --rm so it will clean up after itself when we’re done with it. We’ll name our container... see, what am I into right now?

Um, oh, I just watched Thor. Thor holds up, man. That movie’s awesome. So anyways, [laughs] we’ll call it Thor. And then finally we’ll specify the image we’re gonna use for our container. I like busybox. It’s quick, lightweight, fast. It’s just good. So let’s try it out. Bam, and done. I love how fast Docker is. I will never get over how magical that feels. All right, let’s do one more. Let’s hit the up arrow. This time we’ll just change the name of Thor to... let’s do Mjolnir. Okay, no, [laughs] how do you spell Mjolnir? I’m butchering it. I’m gonna Google it real quick. Okay, way off. Mjolnir. There we go. Bam. Two containers down. Now I wanna add one more, but this time, instead of busybox, we’ll do nginx, NGINX, as the image, and we’ll name this one, uh, Stormbreaker.

Yeah, let’s try it out. It’s gonna download the image, and it’s almost done. Okay, it’s done. Cool. Let’s make sure they’re up. sudo docker ps. There they all are, all pretty. Now, I want you to notice this. When we deployed our containers, did we say anything about networking at all? No, we didn’t. We just let it do its thing by default, which means it got thrown into our bridge network we’ve been talking about. And here’s what it did. When we deployed those containers in the default network, Docker automatically created three virtual ethernet interfaces and connected, or linked, them to the docker0 bridge, which kind of acts like a switch. And there’s a virtual ethernet interface for each of our containers, so the containers’ eth0 interfaces connect to those bad boys. Now, don’t take my word for it. Let’s take a look.

If we do ip address show again, look at that: three new interfaces. 1, 2, 3. And then if we try this command, bridge link, it will actually show us their names and the fact that they are connected to docker0. Super cool, right? I love seeing that stuff. Now, that bridge was busy. Not only did he create virtual ethernet interfaces, but he also handed out IP addresses, which means he’s also running some DHCP. Let’s go take a look. Actually, we can take a little dive into our bridge network with this really neat command. You’ll use this all the time when messing with Docker: docker inspect. You can inspect anything, but this time we’re gonna inspect a network named bridge. Let’s take a look. Now, that’s a lot of info, but let me pinpoint what I want you to see. Let’s scroll up just a bit. Do you notice some familiar faces, or names?

Looking at our bridge, we’ve got our three containers: Mjolnir, Thor, and Stormbreaker. And what else do you see? Do you see it right here? They each have their own IP address in that same docker0 network we talked about. And like every good network, it has DNS. It actually takes a copy of the /etc/resolv.conf file from the host and puts that sucker into the container, so they’re using the same DNS. And because the docker0 network acts like a switch, as you can imagine, the containers can talk to each other all day. And don’t take my word for it. Let’s jump into each of ’em right now. We’ll do a docker exec -it, the name of our container, I’ll do Thor first, and we’ll jump into his shell, sh, and type ip address show. I can see his IP address.

Let’s try to ping Mjolnir. I think it was .3. And as you may have expected, the container can ping the internet, so networkchuck.com totally works, because if I do an ip route inside of Thor here, his default route, his gateway, is docker0. Which, you’re probably wondering, how does that work? How does docker0 get Thor out to the internet? And it’s the magic called NAT masquerade. We’re not gonna cover that right now, but it’s also magic, as you would expect. And that is the bridge network. Pretty awesome, right? No wonder it’s the default. But hold on, we did forget something, though. Did you forget about our web server over here, Stormbreaker? Remember, we installed nginx, which by default is a website, and it will use port 80. Now, question: can we reach that website? And what I mean by we is, can my computer over here, which is, you know, me, can it access that web server?

Can I go to 10.7.1.232, the IP address of the host, on port 80 and navigate to the website? Probably not, right? You saw this coming. 10.7.1.232, port 80, you specify that, nothing, can’t be reached. And that right there is one of the annoying things about the bridge network. If you want to access any of the services that your Docker containers might offer, like a website, it won’t work by default. You actually have to manually expose those ports, and you may have done this before. In fact, let’s do it right now. We need to expose port 80 to the world to allow us to access it. And after that, we’re gonna have to redeploy Stormbreaker. Nothing too crazy. I’m gonna jump out of Thor, quick, type an exit. Gonna remove Stormbreaker, or I’ll just stop him and he’ll remove himself. docker stop stormbreaker. And let’s redeploy him with that same command, up arrow a billion times,

so I don’t have to type the command in again. So here, right before I do the name, I’ll do a -p for port, and I’ll do 80:80, telling Docker to expose this container’s port 80 to my host’s port 80. Let’s try it out. Done, super fast. If I do a docker ps, this is a great way to see, like, hey, what ports are being exposed? It’ll tell you right there. And now if I go and refresh my page... yaaas, it’s working. Did I just say yaaas? I don’t know why I said that. I’m sorry. I’ll probably do it again. Now, honestly, that’s annoying when you’re having fun in your home lab and you’re like, oh, I have to expose another port. But it is a pretty good practice to have that, because it does put a layer of isolation between your containers and your network,

and, for that matter, the host. And spoiler: there will be networks where we don’t have to expose anything, and they’re just amazing. They’re my favorite. But we’ll get to that here in a moment. And speaking of isolation, let’s move on to our next network. This one’s pretty fun, ’cause you get to actually create it. Now, again, the default bridge is cool, but what if I told you Docker doesn’t want you to use it? They’re like, yeah, it’s there, but please don’t use it. They want you to use this next network type, because they want you to create your own networks. Which, honestly, I’m like, okay, fine, I’ll create my own networks. That sounds pretty fun. This network is pretty much exactly like the default bridge. It’s just simply called the user-defined bridge, which means you’re just defining it. You’re making it. So let’s make one real quick, a user-defined bridge.

It’s gonna be crazy hard. Watch. I’m just kidding. It’s so easy. One command: docker network create, and then what do you wanna name it? Let’s name it, um, asgard. That’s it. Enter. Network created. [laughs] That simple. If we do ip address show, we’ll see a new virtual bridge has been created right here with a new network. Instead of 172.17, we’ve got 172.18 now, a new bridge. Which, if we do our other command, docker network ls, there he is, asgard, with driver type bridge. Now, what do you say we throw some containers in asgard? It’s kinda lonely in there right now. Same story as before, except we do have a new switch this time. We’ll do --network, because now we’re outta default world. We’re gonna actually do something. --network, and then after that, the name of your network. Simple as that: asgard. That’s it.

Then we’ll name it. Let’s do, um, let’s do Loki this time, and then finally the name of our image, busybox. And that should be it. Done. So easy. Let’s do it once more. Let’s add a friend in there. Change the name from Loki to, I don’t know, Odin. Yeah, let’s do Odin. Awesome. And just like before, if we do ip address show, we have some virtual interfaces created. Looking at our bridge link, we can see those new interfaces tied to that virtual bridge that was created. And then we can inspect that network, sudo docker inspect asgard, and take a look at what IP addresses Odin and Loki got handed in the 172.18 network. And here’s our network now. And you might be wondering, okay, why is this preferred? Why should we do this? And the keyword here is isolation, because right now asgard, let me label it,

actually, we gotta label asgard here. Asgard is isolated. It’s protected from the default network. They can’t talk to each other, actually. So if I jump into, let’s say, Thor once more, as we did earlier, and I try to ping, let’s say, Odin, or ping Loki, I’m not gonna get anything back. They are isolated. If you’re already in IT, you know how important network isolation is. We wanna isolate our workloads, and this is why Docker recommends a user-defined bridge. Bridges are probably the best network in Docker if you’re gonna be using Docker in production, and you wanna define your own networks. And there’s actually one more cool benefit when using a user-defined bridge versus a default bridge, and that’s you get some cool container-to-container DNS action. Like, let me show you. Let’s jump into Loki. And here in Loki, all I have to do is ping,

let’s just say, Odin, Odin’s name, and it resolves. So the names of your containers will have DNS entries. You can ping it by name, which is pretty cool, because often container IP addresses will change as you redeploy your workloads. You do not get that in the default network. So just define your own networks, like we just showed you. Super easy to do. Hey, it’s time for a quick coffee break. Oh, that’s cold. I’ve been recording too long. Eh, I still need some. I’ll power through. Anyways, this coffee break is sponsored by Bitdefender, and the best way to protect your computer and yourself online: Bitdefender Premium Security. Bitdefender Premium Security is a premium privacy and security pack for absolute digital freedom. I like the sound of that. It’s got everything: best protection, unlimited VPN, a password manager, and priority support. It’s multi-platform. I’ve got it right here on my Windows machine.

Shoot, I even have it on my phone, which I didn’t know was a thing. Once you have Bitdefender installed, it’ll protect you from all the standard stuff you have to worry about: antivirus, threat defense, vulnerabilities, and then even other things, because this is like a multi-layered approach. They do online threat prevention, a cloud-based global protective network, that’s pretty cool, secures your device by blocking any online threat. And of course the firewall. Ooh, ransomware remediation. That’s sweet. Why don’t I have that on? Turn it on. Reverses any damage done by ransomware by restoring encrypted files. That’s pretty killer. And anti-spam, which, by the way, getting phishing emails and things is one of the worst and most popular ways to get, like, ransomware and viruses on your PC. I gotta make sure my employees use this. And I know, because you watch my channel, you do care about privacy, and Bitdefender has your back on that.

As we mentioned, they have VPN and password management. They also help you safely pay in places, ’cause you don’t wanna lose your credit card and stuff to bad dudes. They also have webcam and microphone protection, because I know you’re always thinking, hey, is someone watching me? Is my webcam on? With Bitdefender, you don’t have to worry about that. Also, dude, stop people from tracking you. Google wants to know who you are. We’ve talked about that before on the channel. Bitdefender will help them not find out. And then parental control, which I need, ’cause I have six kids. Thank you, Bitdefender. Now, in the past, programs like this may have slowed down your PC, but with Bitdefender, they think about that. They got you. Actually, first, the coolest setting: dark mode. But as far as speed, we can actually change the profile based on what we’re doing.

We can have a work profile, movie profile, game profile, using that one a lot, a public Wi-Fi profile, tailored to what you need in that moment. Do I need performance, or do I need security? Do I need both? And the answer’s always yes, but they’ll help you mitigate so that stuff works, or go into autopilot. It’ll figure it out for you, so you don’t have to worry about it. Now, if only Bitdefender would help keep my coffee warm, it would be absolutely perfect. But beyond that, you should definitely check it out, link below. It’s what I use to protect my computers. And if you wanna protect yourself and your computer and your privacy and all that stuff we talked about, check them out. Help support the channel and help support awesome sponsors like Bitdefender. Anyways, back to Docker. And I wanna take one more sip of cold coffee.
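The two bridge labs from earlier (default bridge with a published port, then the user-defined bridge with name resolution and isolation) collected into one script. This is an added example, not code from the video; it assumes Docker and curl are installed, that the current user can run docker (prefix with sudo otherwise), and that the container and network names used in the video are free on your host. Start it with sh bridge-lab.sh run; without the run argument it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the video): default bridge vs user-defined bridge.
# Assumes Docker and curl are installed and the user can run docker.
# Container and network names follow the video.
set -eu

# Pull the host port out of one line of `docker port <ctr> <port>` output,
# e.g. "0.0.0.0:80" or "[::]:80" -> 80. Pure shell, so it is checked offline.
host_port_of() {
    printf '%s\n' "${1##*:}"
}

# First IPv4 address of a container across all of its networks.
container_ip() {
    docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"
}

# Returns 0 if container $1 can ping $2 (a container name or an IP).
can_ping() {
    docker exec "$1" ping -c 1 -W 2 "$2" >/dev/null 2>&1
}

cleanup() {
    docker rm -f thor mjolnir stormbreaker loki odin >/dev/null 2>&1 || true
    docker network rm asgard >/dev/null 2>&1 || true
}

run_lab() {
    cleanup
    # Default bridge: no --network, so these land on docker0 (172.17.0.0/16).
    docker run -itd --rm --name thor busybox
    docker run -itd --rm --name mjolnir busybox
    # -p 80:80 publishes the container port; without it nothing outside the
    # host reaches nginx, because docker0 is NATed behind the host.
    docker run -itd --rm --name stormbreaker -p 80:80 nginx

    # User-defined bridge: a second Linux bridge (172.18.0.0/16 on a fresh
    # host) with Docker's embedded DNS, kept apart from docker0 by Docker's
    # own iptables isolation rules.
    docker network create asgard
    docker run -itd --rm --network asgard --name loki busybox
    docker run -itd --rm --network asgard --name odin busybox

    echo "asgard members:"
    docker network inspect -f '{{range .Containers}}{{.Name}} {{.IPv4Address}}{{"\n"}}{{end}}' asgard

    can_ping thor "$(container_ip mjolnir)" && echo "default bridge: thor reaches mjolnir by IP"
    can_ping thor mjolnir || echo "default bridge: no embedded DNS, 'mjolnir' does not resolve"
    can_ping loki odin && echo "user-defined bridge: loki resolves and reaches odin by name"
    can_ping thor "$(container_ip odin)" || echo "isolation: thor (docker0) cannot reach odin (asgard) even by IP"

    port=$(host_port_of "$(docker port stormbreaker 80 | head -n 1)")
    echo "nginx via published port $port: HTTP $(curl -s -o /dev/null -w '%{http_code}' "http://127.0.0.1:$port/")"
}

if [ "${1:-}" = run ]; then
    trap cleanup EXIT
    run_lab
fi
```

The two negative checks are the point: on the default bridge a container name is not resolvable, and a container on docker0 cannot reach one on asgard even when handed its IP, which is the isolation the video describes. The published port is the only path in from outside the host.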

Ah. Now, this next network is, um, it’s kind of weird. It’s one of the weirder ones. It’s actually pretty awesome. It’s called the host, and that might sound familiar, because it was one of the default networks already there. And the best way to explain it is just to show you. So here’s what I’m gonna do. Remember our web server Stormbreaker, operating on port 80? Let’s, uh, let’s delete him real quick. We’re gonna take him out and redeploy him in a host network. Let’s try it. docker stop stormbreaker. Then docker run once more with all our same stuff, except this time we’re gonna do two different things. First, we will define our network. Our network name will just be host, and then we will not expose any ports. Leave it as is. We’ll keep the same name, Stormbreaker, and then, of course, specify nginx at the very end.

That’s it. Deploy it. Now I wanna show you something really strange. It’s gonna be weird. Now, so far, nothing too strange, but let me show you what it looks like in our network right now with him deployed in a host network. Stormbreaker will be moved right up here, next to his papa, right next to the host. And that’s it. [laughs] When you deploy a container to the host network, he doesn’t even really have his own network. He just totally bums off the host. [laughs] He doesn’t even have anything. He shares its IP address, its ports. That’s it. Now, why this is cool is that you don’t have to expose any ports. Check this out. If I, again, go out to 10.7.1.232, the IP address of my host, um, it’s working, because right now, essentially, Stormbreaker is running as a regular application on the host, even though he is a container. This is super cool for a lot of reasons. Actually, my buddy Christian’s gonna tell you how he uses it.

If you deploy a WireGuard VPN container, for example, you might not want to isolate this container with a separate virtual IP address. Instead, you wanna run this application directly connected to the host network, just like every other application that’s installed without

Docker. So that’s all there pretty much is to the host network. It’s just really lazy, which is awesome. It just runs like an application. The downside is there’s really no isolation, right? It’s, like, right there next to the host. Yeah, no isolation at all. Now, this next network is my all-time favorite. This thing, I could not believe it’s a real network in Docker. This sucker is called the MACVLAN, and it’s gonna break your brain. Here’s the MACVLAN. What if we could erase all this stuff, all the complication, all the Docker networks and the virtual ethernet interfaces, the separate networks? What if we could take it all away and simply connect our Docker containers directly to our physical network? That’s a MACVLAN. This is basically how it would look. If I connected Thor and Mjolnir, sorry, to a MACVLAN network, it would pretty much be like their ethernet interfaces are connecting directly to my switch in my house.

They even get their own MAC addresses. I’m just gonna make random ones up. And they will have their own IP addresses on my network, on my home network. That sounds amazing, right? They’re acting like virtual machines. Let’s do it real quick. I know you can’t wait. Let’s do it right now. Let’s first create our MACVLAN network. This one will be a bit more involved, but it’s not too crazy. So, same story as before: docker network create. This time we have to specify what type of driver we’re going to use. So we’ll do that with -d and then the driver, which will be macvlan. And then I’ll do a backslash to continue my command on the next line, to make it easier and prettier. Now, here with the MACVLAN, we’re gonna have to specify the subnet we’re putting it into, and in our case it’ll be my home network, or your home network.

So I’ll do --subnet, and then right after that, my home network subnet, which is mine right here, 10.7.1.0/24. Do another line here. We also have to specify the gateway, the router in your home network. Mine is 10.7.1.3. And then finally, one more thing, one very important thing. On one more line, we’ll do a -o for options, and we’ll say parent=enp0s3. And you’re probably like, wait, what? [laughs] Here, we have to actually tie our MACVLAN to our host network interface. So, looking back at our network diagram here, the main interface of my Ubuntu machine, its name was enp0s3. To find yours, do ip address show in the terminal and you’ll see what it is. But you must tie your MACVLAN network to a physical NIC, the NIC that’s connected to the network

you wanna connect your Docker containers to. So that’s it. And then finally, right after that, just name it. I’m gonna name mine newasgard. And that should be it. Let’s hit enter. Yeah, that’s done. Let’s do a little docker network ls action real quick. There he is: newasgard, macvlan. So now we have to try it out, right? So let’s put Thor and Mjolnir into that new network, like we have here. First off, let’s stop them, and we can do that with one command: docker stop thor, and then mjolnir, just like that. And then we’ll deploy them inside that new network. And of course, here with our --network switch, we’ll specify newasgard. I’ll do a backslash to make things pretty, on a new line. And then there’s one more thing we have to do. I know, I keep saying new things.

We’re gonna have to specify and assign the IP address ourselves. I’ll explain why here in a bit. We’ll go ahead and just do --ip and then the IP address we want to use. Just make sure it’s not being used in your network and that it’s outside your DHCP range. I’ll do 10.7.1.92. Then name it thor, like before, and then finally specify busybox as our image. That should be it. Enter. Good to go. And now Thor is connected to my network like a regular virtual machine. Well, actually, maybe. [laughs] Let me show you. Let’s jump into Thor real quick, jumping into his shell. If I do ip address show, I can see he does indeed have that IP address. Bam. But let’s see if we can ping anything in my network. Like, let’s say, uh, let’s ping my default gateway, which should be his as well.

Hmm. Nothing happening. This right here illustrates one of the downsides of MACVLAN. It sounds all cool, like it’s amazing, right? But remember, with MACVLANs, each of your Docker containers is getting its own MAC address. Now, where that becomes an issue is your network may not be able to have multiple MAC addresses on one switch port. So really, when I drew this out, the cable, the connection, is sharing a port with the host. They’re all connected to the same port, which will see multiple MAC addresses. And a lot of times ports can’t handle that. It might have port security, which says, you know, you can only have one, or maybe two, MAC addresses on one port. And that breaks things. You’ll often see this called promiscuous mode. I think I’m gonna spell this right. And if you wanna try this, you’ll need that enabled. So if you’re like me, it probably didn’t work right now, but we can enable it and it should work.

Fingers crossed. We’ll first start with the host. We have to actually enable promiscuous mode on its network interface. One easy command: ip link set, then we’ll specify our network interface, mine is enp0s3, then promisc. That’s how the cool kids say it. Promisc. Promiscuous, on. So ip link set enp0s3 promisc on. That should do it. Let’s jump back into Thor and see if that worked. Ping my default gateway. Still nothing. That means we have to go up the chain and change it on each network device. Now you’re seeing the pain here, right? It’s like, oh my gosh, MACVLAN sounded really cool until we hit this issue. There’s a different way to do it coming up in the next network. But hold on, let’s try one more thing. In VirtualBox, we can also enable promiscuous mode. Let me jump into my virtual machine settings, go to Network, click on Advanced, and right here, Promiscuous Mode is set to Deny.

Well, of course it’s not gonna work. So let’s enable that. Let’s just do Allow All. It’s a lab, who cares. Click OK. And now, fingers crossed. Give it a second. Okay, Chuck from the future here. I did have to reboot my host and then do that command once more, ip link set, whatever. And now, [laughs] fingers crossed. It totally works, connected directly to my network. So the MACVLAN literally has all the benefits of a bridge network, except it’s directly connected to your home network. Isn’t that crazy? And when I say all the benefits, I really do mean it. Like, let’s deploy... what was the other dude? Let’s deploy the other dude in our network. Oh, Mjolnir. Let’s deploy him. If I jump into him real quick, watch this. I can ping Thor. We still have that cool container DNS resolution thing. And what this also means is, if I deploy a web server in a MACVLAN, I don’t have to expose any ports.

It’s on its own IP address. Let’s try it out. We’ll deploy Jane Foster as an nginx web server, and we’ll put it on... make sure this IP address is available. Yes, .96. And now if we just go out to, this is so cool, 10.7.1.96, it just stinking works. That’s my preferred Docker way to do things. It’s awesome. Now, again, as I mentioned, the MACVLAN has a downside. Actually, two of them. That whole MAC address thing, having to have promiscuous mode, which you may have no control over, and something we haven’t mentioned, and that’s the IP address thing. No DHCP. You would expect that if you connect your device directly to your home network, it’ll get an IP address from your router, or whatever’s offering DHCP. No. In fact, it’s even worse. [laughs] If you don’t specify an IP address when you deploy your container, Docker will choose one for you. Docker will use its own DHCP and assign, like, .2 or .3 or .4, you know, the way it does in a normal bridge network, which could create a little bit of a conflict, [laughs] because you’ve got two DHCP servers in your network. So in that scenario, dude, just specify your IP address with every container, or you can do it like Christian does.

I do it this way. I specify the IP address range of the IP addresses the Docker host should assign to the containers, and I limit this to just one IP address not used by any other device within that network. This is really dumb. Let’s be honest.

And yes, I agree with Christian. It is pretty stupid that Docker [laughs] does that. Why would I want that with the MACVLAN network, Docker? Now, we’ll talk about how we can solve the problems with MACVLAN with the next network type. But the MACVLAN, it has two modes. Didn’t see that coming, did you? The mode we’re looking at now is bridge mode. It acts just like a bridge network, except it connects to your network, which is, again, amazing. But there’s another mode, and this one [laughs] is gonna make the network geeks cry a little bit, with joy, tears of joy. It has an 802.1q mode. With this mode, [laughs] and if you’re a networking geek, you already know where this is going, not only can you connect your containers directly to your network, but you could also specify, this is so crazy, a sub-interface.

So, for example, eth0.20, eth0.30, which will have Docker actually create sub-interfaces automagically. And it will send these individual networks, these VLANs, over the link like it’s a trunk. Which, if I lost you here, then you probably don’t care about networking as much as I do, and others do. So think router-on-a-stick, with Docker containers on a host. And I’ll show you what it looks like real quick. So let’s assume 20 is VLAN 20 and 30 is VLAN 30, and here are their IP addresses. It’s a completely different network. Let’s create it real quick. First, I will delete my existing MACVLAN. I’ll first, uh, stop Thor and Mjolnir. I’ll remove the network with sudo docker network rm and then newasgard, the name of the network. Oh, wait, I forgot. He had one more endpoint in there.

He had Jane Foster. Sorry, Jane Foster, I forgot about you. Okay. Now it’s removed. Now let’s recreate that MACVLAN with a few pretty big differences. Here we get a new subnet, a new gateway and a new sub-interface, which it’ll be the host, uh, interface, same as before. So it’ll be parent equals enp, was it? Yeah, enp0s3. And then to create that sub-interface, it’ll be .20, which that sub-interface currently does not exist, but Docker will auto-create it when it sees you doing this, and then we’ll name it. I’ll just go macvlan20. Oh, I totally forgot to do create network. Okay. Network. There we go. Oh, too many ticks. Am I... oh, there we go. Why is it not working? Oh, totally forgot to do docker network create. Okay, gotta get that right. There we go. So now I’ll do ip address show: new sub-interface.

Now of course, in that scenario, you would need to have trunking set up, which I’m not gonna cover. That’s out of scope of this. That’s pretty stinking cool. Now I’m gonna delete that cause I don’t need it right now, and let’s talk about our next network. Now, this one solves the big problem with MACVLANs, that stinking promiscuous stuff. And it’s actually, I think, probably my favorite over MACVLAN, because it has two very funky modes. While one of them’s spunky, the other mode is fine. This is called IPVLAN. It has two modes, L2 and L3. We’re gonna focus on L2 because it’s pretty much the stinking same as MACVLAN with one very awesome difference, and it solves our problem. So whereas Thor and Mjolnir in a MACVLAN, they are assigned their own MAC address, which sounds cool in theory,

but it really isn’t, because it messes with our switches and the promiscuous stuff. You got it right. With IPVLANs? Nope, they don’t do that. Instead, they keep all the awesomeness of connecting directly to your network and getting a real IP address, but they allow the host to share its MAC address with the containers. So Thor, Mjolnir, their MAC address will match exactly the host’s, but they’ll still have IP addresses on our network. This seems to resolve all issues, and in most cases will, as long as your switch, your router, security stuff, is okay with there being one MAC address with like 20 IP addresses. But for the most part, it should be fine. So let’s actually create that right now to solve our promiscuous issues. To create that network, same story as before: docker network create, we’ll do a dash d for our driver we’re gonna use, and it will be ipvlan. Now to do IPVLAN mode L2, you don’t have to think about it, that’s just the default mode.

So leave it as is. And at this point it’s pretty much the same as the MACVLAN: specify subnet, gateway, parent interface, we’ll name it again, newasgard will work, and that’s it. And when we add our containers, specifying to use the newasgard network and assigning our IP address, cuz it will still have that annoying IP address issue, didn’t get rid of that. We’ll launch Thor. Let’s jump into Thor real quick, see if we can ping our gateway, golden. Let’s ping the internet, and then let me show you how they have the same MAC address. Let me exit. I’ll do ip address show on the host. Notice the MAC address of enp0s3 is ready to go right here, ending in 33, 8, or AD. If I bring up the command prompt on my computer and ping 10.7.1.92, it’ll take a second to resolve it.

It’s trying to get through a bunch of stuff. There it goes. Had me nervous for a second. Yeah, still working. But check my ARP table, we’ll look at that. The MAC address I see for 10.7.1.92 is the same as my Ubuntu host. Okay, cool. IPVLAN L2, nothing too crazy. Pretty much same as MACVLAN, except just a little bit better in a lot of situations. Now time for L3, and this one’s probably my favorite out of all of them because of how crazy it is. The internet was begging for this and Docker finally made it happen, and it’s pretty much a love letter to networking nerds. So you’re welcome. IPVLAN L3 is all about layer 3. And when I say layer 3, I mean IP addresses, routing, routes. That’s all we’re talking about here. So, so far actually, with our bridge, MACVLAN, IPVLAN, it’s all been very layer 2 focused, dealing with MAC addresses, ARP responses and requests. Everything’s very layer 2 and switch-like.

But with L3, nope, no more switching. No more switching. No more ARP. We’re all layer 3, IP addresses. So with IPVLAN L3, we’re not connecting our containers to our network like it’s a switch. We’re connecting it to our host like the host is a router. <laugh> What? I’ll explain. Watch this. Let me give you an example. So here we’re gonna create two new networks out of thin air. Okay. You’ve got newasgard up here with the network 192.168.94.0/24. And then we’ll do, I don’t know, like earth. I’m getting lazy with my examples. Earth with 192.168.95.0. Now what I wanna point out right now is that these networks are brand new. They don’t exist on my network at all. My home network has no idea how to reach these. Totally brand new.

When we deploy these networks and throw these containers in there, these containers’ connection to the outside world is completely layer 3. They connect to the host like it’s a router. These are layer 3 connections. And what that means for networking people is that there’s no broadcast traffic anymore. No broadcast traffic, which, you know, can be a very, very good thing, because if you have a pretty complex layer 2 network, you’ve got bridging loops, you have to worry about all those BPDUs spinning around. And for a bit, it’s been best practice to remove a bunch of layer 2 and focus on layer 3 connections to your top-of-rack switches, right? I know I’m going real deep on networking, but that’s what this is for. So because layer 3, no broadcast. It’s not responding to ARP requests, which again is very cool for network nerds.

But the problem we have here is that right now, these containers really can’t talk to anyone outside of their own network. Like, for example, Thor cannot go to the internet. Thor can’t talk to me, which is really sad. I can’t talk to Thor. I cannot reach containers in that network at all. Exposed ports? Doesn’t happen. That’s not even a thing, cuz we’re dealing with layer 3 and we’re dealing with routing. And right now my network and all my hosts in my network have no idea how to reach 192.168.94.0. That’s unknown. Like, they don’t have a route for it. It’s not in their routing table. So that might sound kinda stupid. It’s like, why would you deploy this if they can’t reach anything? Well, it’s because you get more control <laugh> and control is the name of the game here. You can do some crazy isolation with your containers, and you can restrict and isolate them via layer 3, via networks.

So again, right now, no one can reach them, but I can control who reaches them. All I have to do is, in my network, my home network, I just have to tell my router, hey, if you wanna reach 192.168.94.0, I know where you should go. I want you to go to the host 10.7.1.232, the Ubuntu host. He’ll know how to get there, cause remember, he’s functioning as the router. So I’m just telling my home network, hey, this network is kind of a weird one. If you wanna talk to these guys, they’re over there. Talk to that dude. And that’s really how networks work. That’s a static route. It’s so cool. Let’s deploy it real quick. You can deploy this in your own home network right now. You just have to have access to your router to be able to do this. So real quick, I wanna delete my previous IPVLAN network, because you can’t have more than one network linked or assigned to, uh, a network interface.

And I only have, I only have one network interface on my, uh, machine here. So I will stop Thor. No one can stop Thor but me. Then I will remove newasgard, and now let’s create an IPVLAN L3 network. Same story as before, I’ve been saying that a lot: docker network create. Our type will still be ipvlan when we do dash d, and then we’ll specify our subnet, which is gonna be a brand new network we’re creating right now, 94.0/24. And then the big thing we don’t do here is we don’t specify a gateway, because with an IPVLAN L3 network, the gateway is gonna be the parent interface we tie it to. We don’t have to specify that. It’ll just be that way. Um, that’s pretty cool, but we will have one more new thing. So let’s do a dash o parent. We’ll specify the parent interface, which again, for me, was enp0s3.

Then we have one more dash o, which is how you specify additional options. We’ll do ipvlan_mode equals l3, and that puts it in the L3 mode, as, you know, you might have guessed. You might think, oh hey, that’s it. No, no, no. We’re gonna go ahead and specify our other network. We’ll do subnet and we’ll do 192.168.95.0. Didn’t know we could do that, did you? And we actually have to do that if we’re gonna create more than one network that are gonna be using the same, uh, physical interface. But anyways, let’s go ahead and name it real quick, newasgard. And that’s it. Now, as far as like what’s been created in Docker, nothing out of the ordinary. You won’t see anything; it’s all in the background. So let’s go ahead and deploy some containers in there. Same story as before: our network will indeed be newasgard, and you could at this point specify or not specify an IP address, but because we have two subnets in this network, we will have to specify which one we want them to go into.

And we’ll do that just by simply assigning the IP. I’ll do 94.7 for this one. This will be Thor, busybox, bam. And then we’ll add another one. We’ll change the name to Mjolnir. We’ll keep ’em in the same subnet as well. We’ll do a .8, and then we’ll add the other guys. Loki, we’ll do, uh, the new subnet, 95.7, and then Odin, 95.8. Now we did a lot here, but we pretty much just copied what we drew in our diagram here. This is how it looks. And let’s go inspect that network. We’ll inspect newasgard, and we can see our containers with their assigned IP addresses. Now let’s jump into Thor, like we always love to do. First, Thor, he can’t reach the internet, while he does have a route out. If I do ip route, see, his route is to eth0, which goes back to my physical interface.

But right now, when he does make that journey out, nothing knows how to get back to him. Now don’t feel too bad for Thor. He can still ping his friends. He can ping Mjolnir, even by name. Can he ping the other network? Can he ping earth? Let’s try pinging Loki. Yeah, totally can. Even though it’s in a different subnet, he can ping Loki. And that’s a key thing you have to know about IPVLAN L3, that’s a mouthful and a half: when separate networks share the same parent interface, like these two networks do, they can talk to each other all day. So if you want that network isolation, you’ll need to connect them to a different physical interface with IPVLAN L3s. But I feel bad for them. I want them to have access to everything. So let’s add a static route in my network, and I’ll show you how this works.

It’s so neat. I’ll jump into my UniFi, which is what I use for home networking, jump to my router here, and I’ll create two static routes telling them the next hop is 10.7.1... let me just actually make sure my IP address is the same. Oh, it’s .229 now. It’s changed. It changed. So 10.7.1.229, and then I’ll add one for earth. So by creating these static routes, I’ve told my router and my entire network how to get to these container networks. So in theory, if I jump into Thor once more, that rhymed, I should be able to ping google.com, whoa, I should be able to ping my router. I’ll ping my NAS in my office, and my computer should be able to ping Thor as well. So Thor’s IP address is 192.168.94.7. 94.7, bam. So that’s pretty cool. IPVLAN L3 turns your host into a router, allowing you to create Docker container networks that are layer 3 only and routed, which is like the best practice of networks.

I love it so much. Now, I’m pretty sure this video has gone on pretty long, but we’ve gotten through five networks. We only have two more left, and they’re very, very quick. The sixth network is called an overlay network, and I’m not gonna show you what that is, because it’s more for if you have different hosts. Like right now, we’re working with one host, and that’s normally what you’ll do in your home and your lab, but in production and in the cloud or wherever you’re gonna be, you might have multiple hosts running a bunch of containers all across these different machines. And they’re probably running something called Docker Swarm, which is very similar to Kubernetes. It’s just Docker’s version of that. Now you can imagine if you had multiple hosts with containers that maybe you want to talk to each other on all the different hosts, that could get kind of complex. That networking can get kind of crazy.

That’s where an overlay comes into play. Overlays are a very common thing in networking now, and basically it kind of abstracts or removes the complication for you and allows you to simply make rules on how those containers can talk to each other. It’s very cool, very complicated, and it’s all the rage in networking. Just know you’ll probably not use that right now unless you’re dealing with Docker Swarm and you’re gonna create overlay networks. So go look that up. I’m not gonna cover it. And then I saved the most secure network for last. This is like, you can’t get any more secure than this. Security guys, get ready. Allow me to unveil, ready, drum roll: the none network. The name says it all. It is absolutely nothing. I don’t have to create it. It’s already there. See, none. The driver is null. And if I create a container inside there, network none,

I love putting that. We’ll say Gorr as the name, busybox as the image, we’ll jump in there real quick. If I do an ip address show, there’s nothing to show. All it has is loopback. It’s not giving you anything. It’s got nothing. None, that’s it. So those are the seven Docker networks. This will open up a whole new world for you in your lab and possibly in your career. Having Docker networks as a skill on your resume, do put that on there. Do this lab and put that lab on your resume. And let me know how you implement this into your home lab. I’m already starting to. It makes things so much simpler when you know how the networking works. And frankly, it’s just really, really fun. And let me know which one is your favorite. I’m kind of in between the MACVLAN, IPVLAN L2 and, and uh, L3. L3

I’ll probably never, ever use, actually. You know what? I will use that just because I wanna be complicated. Yeah, I’m gonna use it anyways. That’s all I have, guys. Thanks for having some coffee with me and discussing something very fun and very cool. I know this video may have been a bit longer, but it was a pretty complex video. And thanks again to Christian from The Digital Life for his awesome content. If you haven’t already, subscribe to him and check him out, linked below. And by the way, have you hacked the YouTube algorithm today? Let’s make sure you do. Hit that like button, notification bell, comment, subscribe, comment. Or you said comment <laugh> you gotta hack YouTube today. Ethically, of course. And yeah, that’s really all I have. Um, I’ll get you guys next time.
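The three setups walked through above (the MACVLAN 802.1q sub-interface, the IPVLAN L2 network on the home LAN, and the IPVLAN L3 network with its two routed subnets and static routes) as one added example. This is not NetworkChuck's or Christian's code; it builds the docker CLI lines and checks the addressing before anything is typed in. Values from the video are the parent interface enp0s3, the 10.7.1.0/24 home LAN, the Docker host address 10.7.1.229, the container subnets 192.168.94.0/24 and 192.168.95.0/24, the network name newasgard and the busybox image. The 192.168.20.0/24 VLAN 20 subnet, the 10.7.1.1 LAN gateway, the /32 --ip-range used to apply Christian's one-address tip, and the Linux ip route syntax for the router (the video uses UniFi) are assumptions. It goes a little beyond the transcript by rejecting a --ip that is the gateway, the network or the broadcast address, and by refusing an --ip-range that lies outside the subnet.

```python
"""Build and sanity-check the docker CLI lines for the MACVLAN 802.1q,
IPVLAN L2 and IPVLAN L3 networks from the walkthrough above.
Added example, not the video's own commands. Assumed values are marked."""
from dataclasses import dataclass
import ipaddress
import shlex
from typing import List, Optional


@dataclass
class DockerNet:
    name: str
    driver: str                      # "macvlan" or "ipvlan"
    parent: str                      # host NIC, or "enp0s3.20" for an 802.1q sub-interface
    subnets: List[str]
    gateway: Optional[str] = None    # omitted for ipvlan L3: the parent interface is the gateway
    ip_range: Optional[str] = None   # pool Docker hands out when --ip is omitted
    mode: Optional[str] = None       # "l2" (default) or "l3" for ipvlan

    def _nets(self):
        return [ipaddress.ip_network(s) for s in self.subnets]

    def create_cmd(self) -> str:
        """The `docker network create` line; raises ValueError on bad addressing."""
        nets = self._nets()
        argv = ["docker", "network", "create", "-d", self.driver]
        for n in nets:
            argv += ["--subnet", str(n)]
        if self.gateway:
            gw = ipaddress.ip_address(self.gateway)
            if not any(gw in n for n in nets):
                raise ValueError(f"gateway {gw} is outside every --subnet")
            argv += ["--gateway", self.gateway]
        if self.ip_range:
            rng = ipaddress.ip_network(self.ip_range)
            if not any(rng.subnet_of(n) for n in nets):
                raise ValueError(f"--ip-range {rng} is not inside a --subnet")
            argv += ["--ip-range", self.ip_range]
        argv += ["-o", f"parent={self.parent}"]
        if self.mode:
            argv += ["-o", f"ipvlan_mode={self.mode}"]
        argv.append(self.name)
        return shlex.join(argv)

    def check_container_ip(self, ip: str) -> str:
        """Return the subnet a --ip falls in; reject the gateway, network and
        broadcast addresses so the container cannot collide with them."""
        addr = ipaddress.ip_address(ip)
        for n in self._nets():
            if addr in n:
                if addr in (n.network_address, n.broadcast_address):
                    raise ValueError(f"{addr} is the network/broadcast address of {n}")
                if self.gateway and addr == ipaddress.ip_address(self.gateway):
                    raise ValueError(f"{addr} is the gateway")
                return str(n)
        raise ValueError(f"{addr} is not in any subnet of {self.name}")

    def run_cmd(self, container: str, ip: str, image: str = "busybox") -> str:
        """`docker run` line with an explicit --ip, always set, as the video advises."""
        self.check_container_ip(ip)
        return shlex.join(["docker", "run", "-itd", "--network", self.name,
                           "--ip", ip, "--name", container, image])

    def static_routes(self, next_hop: str) -> List[str]:
        """Routes the rest of the LAN needs for an L3 network: every container
        subnet via the Docker host (Linux `ip route` syntax assumed here)."""
        if self.mode != "l3":
            raise ValueError("only ipvlan L3 networks need static routes")
        return [f"ip route add {s} via {next_hop}" for s in self.subnets]


# MACVLAN 802.1q: parent enp0s3.20 makes Docker create the VLAN 20 sub-interface.
# The 192.168.20.0/24 addressing is assumed (the video only names the VLAN IDs).
MACVLAN20 = DockerNet("macvlan20", "macvlan", "enp0s3.20",
                      ["192.168.20.0/24"], gateway="192.168.20.1")

# IPVLAN L2 on the 10.7.1.0/24 home LAN (gateway 10.7.1.1 assumed). The /32
# --ip-range leaves Docker a single address to allocate, following Christian's
# tip, so its allocator cannot step on the LAN's real DHCP server.
IPVLAN_L2 = DockerNet("newasgard", "ipvlan", "enp0s3", ["10.7.1.0/24"],
                      gateway="10.7.1.1", ip_range="10.7.1.96/32")

# IPVLAN L3: two brand-new subnets on one parent, no --gateway. Created only
# after the L2 network is removed, since one parent carries one such network.
IPVLAN_L3 = DockerNet("newasgard", "ipvlan", "enp0s3",
                      ["192.168.94.0/24", "192.168.95.0/24"], mode="l3")
CONTAINERS_L3 = {"thor": "192.168.94.7", "mjolnir": "192.168.94.8",
                 "loki": "192.168.95.7", "odin": "192.168.95.8"}

if __name__ == "__main__":
    for net in (MACVLAN20, IPVLAN_L2, IPVLAN_L3):
        print(net.create_cmd())
    for name, ip in CONTAINERS_L3.items():
        print(IPVLAN_L3.run_cmd(name, ip))
    # On the home router (10.7.1.229 is the Docker host from the video)
    for route in IPVLAN_L3.static_routes("10.7.1.229"):
        print(route)
```

Run it to print the three network-create lines, the four container launches and the two router routes; nothing is executed against Docker, so it is safe to review before pasting. The two L3 subnets sharing enp0s3 can still reach each other, exactly as the transcript notes, so the isolation comes from the static routes you choose to add on the router, not from the subnets themselves.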
