Master Docker Networking: veth Pairs, bridge0, Links, and Custom Networks

Docker Network Basics

Docker containers run in isolated network namespaces; to communicate they rely on Linux virtual Ethernet (veth) pairs and the default bridge network docker0.

Linux veth Pair

A veth pair consists of two linked virtual network interfaces; one end is placed inside the container’s namespace and the other remains on the host, forming a pipe for traffic.

Understanding docker0

On a typical host you will see three interfaces:

lo      127.0.0.1        # loopback
eth0    172.31.179.120  # host private IP
docker0 172.17.0.1      # Docker bridge

docker0 is created when Docker is installed and bridges containers to the host network.

Container Networking Example with Tomcat

Pull and run a Tomcat container. Each new container adds a veth pair and receives an IP in the 172.17.0.0/16 subnet.

# docker pull tomcat
# docker run -d -p 8081:8080 --name tomcat01 tomcat
# docker network ls
# docker inspect 4d3e75606593

After starting the first Tomcat container, a new veth pair (e.g., vethad33778@if200 ) appears; launching a second container adds another pair.

Inside tomcat01 the IP is 172.17.0.2, which can be pinged from the host.

Similarly, tomcat02 gets 172.17.0.3 and is reachable.

Container Linking ( --link )

The deprecated --link option adds the target container’s name to /etc/hosts of the source container.

# docker run -d -p 8083:8080 --name tomcat03 --link tomcat02 tomcat
# docker exec -it tomcat03 cat /etc/hosts

Result shows both the container’s own IP and an entry 172.17.0.3 tomcat02 . The link is one‑way; tomcat02 does not see tomcat03 .

Because --link is deprecated, user‑defined networks are preferred.

Custom Bridge Networks

Docker provides three built‑in network drivers ( bridge, host, none). The default bridge driver creates docker0. You can create a custom bridge network with a specific subnet and gateway.

# docker network create --driver bridge --subnet 192.168.0.0/16 --gateway 192.168.0.1 mynet
# docker network ls

Run containers attached to the custom network:

# docker run -d -p 8081:8080 --name tomcat-net-01 --net mynet tomcat
# docker run -d -p 8082:8080 --name tomcat-net-02 --net mynet tomcat

Containers in the same user‑defined network resolve each other by name without --link:

# docker exec -it tomcat-net-01 ping tomcat-net-02
# docker exec -it tomcat-net-01 ping 192.168.0.3

Both the service name and the IP are reachable.

Connecting a Container to an Additional Network

Use docker network connect to attach an existing container to another network, enabling cross‑network communication.

# docker network connect mynet tomcat01
# docker network inspect mynet

This adds tomcat01 to mynet , giving it an additional IP address in the 192.168.0.0/16 subnet.

Key Takeaways

veth pairs are paired virtual interfaces that connect a container’s network stack to the host.

The default docker0 bridge acts as a router for all containers on the host. --link provides one‑way name resolution but is deprecated.

User‑defined bridge networks offer better isolation and automatic service‑name resolution. docker network connect allows a container to join multiple networks, enabling cross‑network communication.