June 25, 2017

Understanding container networking is crucial for building an effective containerized environment. Containers change the networking game in several key ways that require you to forget everything you know about traditional networks—and even SDN—when setting up Docker.

To understand just how novel container networking is, it’s worth thinking about how computer networks have evolved over the past several decades. You can break that evolution down into several stages:

  • The first stage was the 1980s and 1990s. This was when the TCP/IP became more or less universal. Networks in this era remained simple. They were mapped directly to physical infrastructure. Besides Network Address Translation, you didn’t have much complexity in your network.
  • By the late 1990s, network virtualization started to become common. VPNs arose. Software switches followed in the mid- to late 2000s. The software defined networking (SDN) configurations that are common today in traditional environments are essentially a continued evolution of the trend toward network virtualization that began in the late 1990s.
  • The third stage is container networking. Networking in a containerized environment is so different that it deserves its own section of this article to explain.

Why Containerized Networking Is Different

Container networks require a fundamentally different approach than networks on other types of infrastructure for the following reasons:

  • In a containerized environment, nothing is static. The configuration is always changing as containers spin up and down. Statically assigned IP addresses would never work in a containerized environment.
  • Containerized environments are massive—so massive that traditional IP networking doesn’t work well because there are not enough addresses to assign. With IPv4 you get only 256 hosts per subnet (and adding subnets creates unnecessary complexity). An environment that contains thousands of containers can’t be addressed effectively with this approach.
  • Traditional IP networking is slow and hard to automate. If you use static addresses, you have to set them manually. If you assign addresses automatically via DHCP or something similar, the service discovery and address assignment tends to take many seconds or even minutes. That is longer than is acceptable in a continuously changing containerized environment.
  • Access Control Lists are more difficult to enforce in an environment where nothing is static.
  • Because containers are immutable (or at least designed to be immutable), you can’t easily change the IP address of a container once it is created.

All of these challenges have solutions. Overlay networks, service discovery, IDs and labels make it possible to route traffic through containerized networks without relying on traditional IP networking.

To make the most of these resources, you have to understand how they work. Before you set up a Docker environment, spend some time thinking through the networking differences.

Christopher Tozzi

Christopher Tozzi has covered technology and business news for nearly a decade, specializing in open source, containers, big data, networking and security. He is currently Senior Editor and DevOps Analyst with Fixate.io and Sweetcode.io.

  • Tuomas Nurmela

    Thanks for summary.

    Just to note though, there are container-aware networking solutions, which do not rely on overlay networking. CNCF webinar on “Introduction to container networking” provides a good, relatively non-vendor specific summary on container networking background and design choices on high level to help further understand the networking aspects.