Here’s an in-depth, step-by-step tutorial and lab manual for Docker Networking—starting from basics, covering all core concepts, and providing a hands-on guide to every feature and command. This guide uses the Ubuntu image for all labs and examples.
Docker Networking Concepts & Lab Manual (Beginner to Advanced)
1. Docker Networking Concepts: Introduction
1.1 What is Docker Networking?
Docker networking is the system that allows Docker containers to communicate with each other, with the Docker host, and with external networks. Each container, by default, is attached to a network, typically the bridge
network.
2. Core Concepts
2.1 Types of Docker Networks
Network Type | Driver | Description |
---|---|---|
bridge | bridge | Default network for containers. Each container gets a virtual Ethernet interface (veth) in its own network namespace. |
host | host | Shares the host’s networking stack. No isolation between host and container network. |
none | null | No networking for the container. Only loopback. |
custom | bridge | User-defined networks for more control. |
2.2 Core Components
- Bridge: A virtual switch for containers on the same host.
- veth Pair: A pair of virtual ethernet devices. One end is in the container, the other in the host.
- eth0: The default network interface inside the container.
3. Lab Manual: Hands-on with Docker Networking
All commands below are to be run on a Docker host with the Ubuntu image pulled (docker pull ubuntu
).
3.1 Listing Docker Networks
docker network ls
Output:
NETWORK ID NAME DRIVER SCOPE
0bb0cc0920f0 bridge bridge local
8acf821ccc8a host host local
a8c348b5037b none null local
3.2 Inspecting a Docker Network
docker network inspect bridge
- Shows subnet, gateway, attached containers, etc.
3.3 Creating Custom Networks
docker network create dev
docker network create qa
docker network create --driver bridge devopsschool
3.4 Inspecting Custom Networks
docker network inspect dev
docker network inspect qa
3.5 Running Containers with Specific Networks
# Create and attach container to 'qa' network
docker run -itd --name qa1 --net=qa ubuntu
# Create and attach container to 'dev' network
docker run -itd --name dev1 --net=dev ubuntu
3.6 Viewing Network Interfaces in Containers
docker exec -it qa1 /bin/bash
ip a
# Check eth0 interface, assigned IP, etc.
exit
3.7 Network Connection Scenarios
A. Connecting a Container to Multiple Networks
docker network connect dev qa1
docker inspect qa1 | grep -A 20 "Networks"
B. Disconnecting a Container from a Network
docker network disconnect dev qa1
docker inspect qa1 | grep -A 20 "Networks"
3.8 Testing Connectivity Between Containers
- Create two containers on the same network:
docker run -itd --name qa2 --net=qa ubuntu
- Install
ping
utility (inside both containers):docker exec -it qa1 apt update
docker exec -it qa1 apt install iputils-ping -y
docker exec -it qa2 apt update
docker exec -it qa2 apt install iputils-ping -y
- Get the IP of
qa2
:docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' qa2
- Ping from
qa1
toqa2
:docker exec -it qa1 ping <qa2-IP>
3.9 Default Networks: host and none
A. Host Network
docker run -itd --name host1 --net=host ubuntu
docker exec -it host1 ip a
# Shares all network interfaces with host.
B. None Network
docker run -itd --name none1 --net=none ubuntu
docker exec -it none1 ip a
# Only loopback interface is present.
3.10 Understanding veth, Bridge, eth0
- Each container connected to a bridge gets a pair of virtual ethernet interfaces (veth):
- One end in container as eth0
- Other end in the Docker bridge on the host.
Lab: See the veth pair
- Find container PID:
docker inspect --format '{{.State.Pid}}' qa1
- On host, see interfaces:
ip link # Look for veth... interfaces
- In container:
docker exec -it qa1 ip a # eth0
3.11 Removing and Pruning Networks
docker network rm dev
docker network prune # Removes all unused networks
3.12 Advanced Networking Commands
A. List Containers on a Network
docker network inspect qa | grep Name
B. Assign Static IP to Container
docker network create --subnet=192.168.100.0/24 staticnet
docker run -itd --name static1 --net=staticnet --ip=192.168.100.10 ubuntu
docker exec -it static1 ip a
3.13 Network Namespace Lab (Linux)
View container’s network namespace:
- Get container PID:
docker inspect --format '{{.State.Pid}}' qa1
- On host:
nsenter -t <PID> -n ip a
4. Docker Network CLI Cheat Sheet
Command | Purpose |
---|---|
docker network ls | List all networks |
docker network create | Create a new network |
docker network inspect | Inspect network details |
docker run –net= … | Run container on a specific network |
docker network connect | Attach container to network |
docker network disconnect | Detach container from network |
docker network rm | Remove a network |
docker network prune | Remove all unused networks |
5. Advanced Scenarios
5.1 Container to Host Networking
- Bridge: Containers can communicate with the host via the gateway IP of the bridge.
- Host: Full access, same as host.
5.2 Container to External World
- By default, containers can reach the outside world unless firewalled.
6. Sample Lab Scenarios
Scenario 1: Multi-network Container
- Create two networks:
docker network create netA docker network create netB
- Run container in netA:
docker run -itd --name multi1 --net=netA ubuntu
- Connect it to netB:
docker network connect netB multi1
- Inspect:
docker inspect multi1 | grep -A 20 "Networks"
Scenario 2: Communication Restriction
- Run two containers, one on
dev
, one onqa
. - They cannot ping each other (different networks).
- Connect one container to both networks; now it can access both.
Scenario 3: Isolated Network
- Create a network with
--internal
flag (blocks external access):docker network create --internal isolated docker run -itd --net=isolated --name isoc1 ubuntu
- Try to ping external site—it will fail.
7. Cleaning Up
docker network prune
docker network rm <network_name>
docker rm -f $(docker ps -aq)
Summary: Docker Networking Deep Dive
- Bridge: Default, most common network. Use for most container-to-container communication.
- veth: Connects container’s network stack to host bridge.
- eth0: Network interface in container.
- host/none: Special cases for sharing host stack or isolating.
Further Learning
- Overlay networks (for Docker Swarm/multi-host).
- Macvlan networks.
- DNS resolution within Docker networks.
- Exposing and publishing ports (
-p
,--expose
).
Full Docker Networking Lab Script (Ready to Use)
# Step 1: Pull Ubuntu image
docker pull ubuntu
# Step 2: List Docker networks
docker network ls
# Step 3: Inspect bridge network
docker network inspect bridge
# Step 4: Create custom networks
docker network create dev
docker network create qa
# Step 5: List and inspect
docker network ls
docker network inspect dev
# Step 6: Run containers on custom networks
docker run -itd --name dev1 --net=dev ubuntu
docker run -itd --name qa1 --net=qa ubuntu
# Step 7: Inspect container network interfaces
docker exec -it dev1 ip a
docker exec -it qa1 ip a
# Step 8: Connect dev1 to qa
docker network connect qa dev1
# Step 9: Disconnect dev1 from qa
docker network disconnect qa dev1
# Step 10: Host and none networks
docker run -itd --name host1 --net=host ubuntu
docker run -itd --name none1 --net=none ubuntu
# Step 11: Assign static IP
docker network create --subnet=192.168.55.0/24 staticnet
docker run -itd --name static1 --net=staticnet --ip=192.168.55.10 ubuntu
# Step 12: Network cleanup
docker network prune
docker network rm dev qa staticnet
docker rm -f $(docker ps -aq)
Here’s a comprehensive manual listing all essential Linux networking commands to explore, inspect, and troubleshoot Docker container networking on Ubuntu. This guide covers how to analyze networking at the host level and inside the container—from simple checks to advanced network namespace tricks.
Manual: Linux Networking Commands for Exploring Docker Container Networking
1. Checking Network Interfaces
On the Host:
ip a # Shows all network interfaces (look for docker0, veth*, etc.)
ifconfig -a # Alternative view (may need 'net-tools' package)
ip link # Lists all interfaces (states, MACs)
Inside a Container:
docker exec -it <container-name> ip a
docker exec -it <container-name> ifconfig -a
Tip: The container’s main interface is usually
eth0
.
2. Checking Routing Tables
On the Host:
ip route
route -n
Inside a Container:
docker exec -it <container-name> ip route
docker exec -it <container-name> route -n
3. Viewing Network Namespaces
Each Docker container runs in its own network namespace.
List network namespaces (on host):
ls /var/run/netns # Sometimes empty unless explicitly created
Find container’s PID:
docker inspect --format '{{.State.Pid}}' <container-name>
Explore container’s network namespace (as root):
nsenter -t <PID> -n ip a # View interfaces in the container's namespace
nsenter -t <PID> -n bash # Get a shell in the namespace
4. Exploring veth Pairs and Docker Bridges
On the Host:
brctl show # Shows bridges and connected interfaces (needs 'bridge-utils')
ip link # Shows veth* interfaces
ip -d link # Details (peer relationships for veth)
Find docker0 bridge:
ip a | grep docker0
brctl show docker0
Show bridge IP and attached interfaces:
ip addr show docker0
bridge link show dev docker0
5. Checking Network Connections
On the Host or in Container:
ss -tulnp # Lists open ports and listening sockets
netstat -tulnp # Same, legacy (needs 'net-tools')
lsof -i # Shows open files and network sockets
Test connectivity:
ping <IP>
traceroute <IP> # May need to install
curl <URL> # Test HTTP/S
nc -vz <IP> <port> # Test TCP port (nc = netcat)
Inside a container:
docker exec -it <container-name> ping 8.8.8.8
docker exec -it <container-name> curl ifconfig.me
6. Docker Networking on the Host
Show Docker networks:
docker network ls
docker network inspect <network>
Show firewall/NAT rules (how Docker handles IP forwarding):
sudo iptables -t nat -L -n -v | grep DOCKER
sudo iptables -L -n -v | grep DOCKER
7. Observing Container MAC/IP Addresses
Get container’s IP/MAC from Docker:
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <container>
docker inspect -f '{{range .NetworkSettings.Networks}}{{.MacAddress}}{{end}}' <container>
8. DNS Inside Docker
Check /etc/resolv.conf
in a container:
docker exec -it <container> cat /etc/resolv.conf
Docker usually provides its own embedded DNS server to containers.
9. Examining Network Traffic (Advanced)
Packet capture on docker0 bridge:
sudo tcpdump -i docker0
sudo tcpdump -i any port 80
In a container:
docker exec -it <container> apt update
docker exec -it <container> apt install tcpdump -y
docker exec -it <container> tcpdump -i eth0
10. Example: Full Lab to Explore Docker Networking Internals
Step 1: Start a container and note its details
docker run -itd --name nettest ubuntu
docker inspect nettest | grep -A 5 "Networks"
Step 2: Find container’s PID and veth pair
CONTAINER_ID=$(docker ps -qf "name=nettest")
PID=$(docker inspect --format '{{.State.Pid}}' $CONTAINER_ID)
ls -l /proc/$PID/ns/net # Shows network namespace link
Step 3: Map veth pair
- On the host:
ip link | grep veth
- Use
ethtool
to find which veth peer connects to which container (install withapt install ethtool
):ethtool -S vethXXXXX # Find statistics, may show peer info
Step 4: Check bridge
brctl show
Step 5: Explore namespace with nsenter
sudo nsenter -t $PID -n ip a
11. Useful Tools to Install on Ubuntu for Networking Labs
sudo apt update
sudo apt install iproute2 net-tools bridge-utils tcpdump ethtool lsof traceroute iputils-ping dnsutils curl netcat
Summary Table of Commands
Purpose | Host Command | Container Command (with docker exec) |
---|---|---|
List interfaces | ip a / ifconfig -a | ip a / ifconfig -a |
Routing table | ip route / route -n | ip route / route -n |
Network namespaces | nsenter -t -n ip a | (direct, already inside namespace) |
List bridges | brctl show | (usually N/A) |
Docker bridge status | ip addr show docker0 | (N/A) |
veth info | ip link / ip -d link / ethtool | (N/A) |
Open ports | ss -tulnp / netstat -tulnp | ss -tulnp / netstat -tulnp |
Test connectivity | ping, curl, nc, traceroute | ping, curl, nc, traceroute |
DNS check | cat /etc/resolv.conf | docker exec cat /etc/resolv.conf |
Packet capture | tcpdump -i docker0 / tcpdump -i any port | tcpdump -i eth0 |
Docker inspect | docker inspect, docker network inspect | (N/A) |
IP/MAC from inspect | docker inspect -f … | (N/A) |
Firewall/NAT rules | iptables -t nat -L | grep DOCKER |
End-to-End Lab Workflow Example
- Create a bridge network
docker network create mynet
- Start two Ubuntu containers
docker run -itd --name box1 --net=mynet ubuntu docker run -itd --name box2 --net=mynet ubuntu
- Check networking from host
docker network inspect mynet ip a # look for new veth interfaces brctl show
- Check networking from inside containers
docker exec -it box1 ip a docker exec -it box2 ip a
- Test connectivity
docker exec -it box1 apt update docker exec -it box1 apt install iputils-ping -y docker exec -it box1 ping <IP-of-box2>
- Trace the connection (from host)
sudo tcpdump -i docker0
Extra: How Docker Networking Actually Works (Flow Summary)
- Docker creates a
docker0
bridge on the host. - When you run a container, Docker:
- Creates a network namespace for the container.
- Creates a veth pair: one end in host namespace, other in container as
eth0
. - Connects host end of veth to
docker0
bridge. - Assigns container an IP from the bridge subnet.
- Sets up NAT/iptables rules for outbound access.

















I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I am working at Cotocus. I blog tech insights at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at I reviewed , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at PINTEREST
Rajesh Kumar at QUORA
Rajesh Kumar at WIZBRAND