BestHub
Sign in
Cloud Computing 13 min read

How Docker Uses veth Pairs and Custom Networks for Container Connectivity

This article explains Docker's networking fundamentals, covering Linux veth pairs, the default docker0 bridge, container IP allocation, the deprecated --link option, and how to create and use custom bridge networks to achieve service‑name based communication and network isolation.

Open Source Linux
Open Source Linux
Open Source Linux
How Docker Uses veth Pairs and Custom Networks for Container Connectivity

Docker Network Principles

Containers run in isolated environments similar to tiny Linux systems, so Docker must provide a way for external access. The foundation is the Linux veth pair.

1. Linux veth pair

A veth pair consists of two virtual network interfaces linked together, one attached to the network stack and the other to its peer.

veth pair connects two network interfaces veth0 and veth1.

2. Understanding docker0

On a host you typically see three network interfaces:

lo      127.0.0.1      # loopback
eth0    172.31.179.120   # host private IP (e.g., Alibaba Cloud)
docker0 172.17.0.1       # Docker bridge

docker0 is created when Docker is installed and acts as a bridge between containers and the host.

docker0 enables communication between containers and the host VM.

To illustrate, we start a Tomcat container.

# docker pull tomcat
# docker images
# docker run -d -p 8081:8080 --name tomcat01 tomcat
#

After starting the container, a new veth pair appears (e.g., vethad33778@if200). Each additional container adds another pair.

Each container creates a paired veth interface connected to docker0.

Inside the container, the IP address is 172.17.0.2 and can be pinged from the host.

# docker exec -it tomcat01 cat /etc/hosts
127.0.0.1   localhost
172.17.0.2   <span></span>
#

Starting a second container (tomcat02) yields IP 172.17.0.3, also reachable.

tomcat02's IP is 172.17.0.3 and is pingable.

Conclusion: each container adds a veth pair linked to docker0, which bridges to the host.

3. Container Inter‑connection – Link

By default containers cannot reach each other directly. Using the deprecated --link option we can expose a container’s name.

# docker run -d -p 8083:8080 --name tomcat03 --link tomcat02 tomcat
# docker exec -it tomcat03 cat /etc/hosts
172.17.0.3   tomcat02
172.17.0.4   <span></span>
#
--link adds the linked container’s name to /etc/hosts, but the link is one‑way.

Because --link is outdated, custom networks are preferred.

4. Custom Networks (Recommended)

docker0 characteristics:

Default bridge network

Hostname resolution does not work

--link provides name resolution but is removed when the link is deleted

Docker provides three built‑in network drivers: bridge, host, and none. The bridge driver corresponds to docker0.

# docker network ls
NETWORK ID   NAME      DRIVER   SCOPE
4d3e75606593 bridge    bridge   local
8e92ee24e5f6 host      host     local
e85ffb1f2cc3 none      null     local
#

Creating a custom bridge network:

# docker network create --driver bridge --subnet 192.168.0.0/16 --gateway 192.168.0.1 mynet
# docker network ls
... (mynet appears) ...
# docker network inspect mynet
[ { "Name":"mynet", "Driver":"bridge", "IPAM":{ "Config":[ { "Subnet":"192.168.0.0/16", "Gateway":"192.168.0.1" } ] } } ]
#

Running containers on the custom network:

# docker run -d -p 8081:8080 --name tomcat-net-01 --net mynet tomcat
# docker run -d -p 8082:8080 --name tomcat-net-02 --net mynet tomcat
# docker ps
... shows both containers attached to mynet ...
#

Containers can ping each other by IP or by service name:

# docker exec -it tomcat-net-01 ping 192.168.0.3
# docker exec -it tomcat-net-01 ping tomcat-net-02
#
Service‑name resolution works without --link when using a custom network.

5. Network Connectivity

docker0 and a custom network are isolated; containers on different networks cannot communicate directly. To enable cross‑network communication, Docker’s network connect feature attaches a container to an additional network.

# docker network connect mynet tomcat01
# docker network inspect mynet
... shows tomcat01 now has an IP in the 192.168.0.0/16 subnet ...
#

This allows a container originally on docker0 to communicate with containers on mynet.

6. Summary

veth pair provides a paired virtual network interface.

Docker uses the default docker0 bridge network.

docker0 functions as a router connecting containers to the host.

docker0 bridges container traffic to the host VM.

Custom networks are recommended for service‑name based communication and to avoid IP changes.

Network connectivity links a container to a network, enabling cross‑network interactions.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

Dockercustom networklinkbridge networknetwork connectveth-pair
Open Source Linux
Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment