The overlay network driver creates a distributed network among multiple Docker daemon hosts. This network sits on top of (overlays) the host-specific networks, allowing containers connected to it to communicate securely when encryption is enabled. Docker transparently handles routing of each packet to and from the correct Docker daemon host and the correct destination container.
You can create user-defined overlay networks using docker network create, in the same way that you can create user-defined bridge networks. Services or containers can be connected to more than one network at a time, but they can only communicate across networks they're each connected to.
Overlay networks are often used to create a connection between Swarm services, but you can also use them to connect standalone containers running on different hosts. When using standalone containers, it's still required that you use Swarm mode to establish a connection between the hosts.
Create an overlay network
Before you start, you must ensure that participating nodes can communicate over the network. The following ports need to be open on each host participating in an overlay network:
- 2377/tcp: the default Swarm control plane port; configurable with docker swarm join --listen-addr
- 4789/udp: the default overlay traffic port; configurable with docker swarm init --data-path-addr
- 7946/tcp and 7946/udp: used for communication among nodes; not configurable
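The port list above is what a host firewall has to admit, and only from the other Swarm nodes: 4789/udp in particular carries container traffic in clear text unless the network is later created with --opt encrypted. The following script is an added example, not part of the original article, with two helpers: one that emits ufw rules admitting each Swarm port only from a given list of peer addresses (ufw is an assumption about the host firewall), and one that reads the output of ss -Hlntu and reports which of the four proto/port pairs no socket is bound to on this node. The peer addresses and the ss output embedded below are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original article): firewall rules scoped to
# Swarm peers, plus a listening-socket check for the ports listed above.
# Assumptions: ufw is the host firewall; `ss -Hlntu` is available for the
# live check; peer IPs and the ss output below are constructed samples.
set -eu

# Ports from the article: control plane, VXLAN data path, gossip (tcp+udp).
SWARM_PORTS="2377/tcp 4789/udp 7946/tcp 7946/udp"

# Print ufw commands that allow each Swarm port only from the given peer IPs
# instead of from anywhere.
swarm_firewall_rules() {
  for peer in "$@"; do
    for spec in $SWARM_PORTS; do
      printf 'ufw allow from %s to any port %s proto %s\n' \
        "$peer" "${spec%/*}" "${spec#*/}"
    done
  done
}

# Given the text of `ss -Hlntu`, print each required proto/port that no
# socket is listening on; empty output means every port is bound.
missing_swarm_ports() {
  ss_out="$1"
  for spec in $SWARM_PORTS; do
    port="${spec%/*}"; proto="${spec#*/}"
    # $1 = Netid (tcp/udp), $5 = Local Address:Port; keep only the port.
    printf '%s\n' "$ss_out" | awk -v p="$proto" -v n="$port" '
      $1 == p { addr = $5; sub(/.*:/, "", addr); if (addr == n) found = 1 }
      END { if (found) exit 0; exit 1 }' || printf '%s\n' "$spec"
  done
}

# Constructed sample of `ss -Hlntu` on a node after `docker swarm init`
# (columns: Netid State Recv-Q Send-Q Local:Port Peer:Port).
SS_SAMPLE_OK='tcp   LISTEN 0 4096 *:2377 *:*
tcp   LISTEN 0 4096 *:7946 *:*
udp   UNCONN 0 0    *:7946 *:*
udp   UNCONN 0 0    *:4789 *:*'

# Same constructed sample with the VXLAN data-path socket absent.
SS_SAMPLE_NO_VXLAN='tcp   LISTEN 0 4096 *:2377 *:*
tcp   LISTEN 0 4096 *:7946 *:*
udp   UNCONN 0 0    *:7946 *:*'

# Live usage (LIVE=1): check this host's sockets and print rules for two
# constructed peer addresses.
if [ "${LIVE:-0}" = "1" ]; then
  missing_swarm_ports "$(ss -Hlntu)"
  swarm_firewall_rules 192.0.2.10 192.0.2.11
fi
```

Run it with LIVE=1 on a node that has already joined the Swarm; a non-empty report from missing_swarm_ports means dockerd is not listening on that port, which is a different failure from a firewall blocking it and is worth ruling out first.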
Here are the steps to create an overlay network in Docker Swarm:
1. Initialize Docker Swarm:
docker swarm init
This command initializes Docker Swarm on the host and creates a Swarm manager node.
2. Create an overlay network:
Once Docker Swarm is initialized, you can create an overlay network using the docker network create command with the --driver option set to overlay. Optionally, you can specify additional parameters such as subnet, gateway, and network name.
docker network create --driver overlay my-overlay-network
You can also specify subnet and gateway parameters while creating the overlay network:
docker network create --driver overlay --subnet=10.0.1.0/24 --gateway=10.0.1.1 my-overlay-network
You can also use the --attachable flag.
To create an overlay network that containers on other Docker hosts can connect to, run the following command:
docker network create --driver overlay --attachable my-overlay-network
The --attachable option enables both standalone containers and Swarm services to connect to the overlay network. Without --attachable, only Swarm services can connect to the network.
3. Verify the overlay network:
After creating the overlay network, you can use the docker network ls command to list all networks and verify that your overlay network has been created:
docker network ls
Encrypt traffic on an overlay network
Use the --opt encrypted flag to encrypt the application data transmitted over the overlay network:
docker network create \
--opt encrypted \
--driver overlay \
--attachable \
my-attachable-multi-host-network
This enables IPsec encryption at the level of the Virtual Extensible LAN (VXLAN). This encryption imposes a non-negligible performance penalty, so you should test this option before using it in production.
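Putting the steps above together, the script below is an added example rather than code from the original article or from Docker. It validates the --subnet/--gateway pair before calling docker network create (a gateway outside the subnet, or equal to the network or broadcast address, is rejected up front), creates the network with the same flags as the command above, and then checks the docker network inspect output to confirm that the driver is overlay, that the network is attachable, and that the encrypted option is actually set. The inspect JSON embedded below is a constructed sample shaped like Docker's pretty-printed output, where --opt encrypted shows up as an "encrypted" key with an empty value under "Options"; the network name and addresses are the ones used in this article.

```shell
#!/bin/sh
# Added example (not from the original article): create the encrypted,
# attachable overlay network from the steps above and verify the result.
# Assumptions: Docker CLI on a Swarm manager when DO_CREATE=1; the inspect
# JSON below is a constructed sample, not captured from a real host.
set -eu

NET_NAME="my-attachable-multi-host-network"

# Dotted-quad IPv4 to a 32-bit integer (subshell body so IFS does not leak).
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeed only when GATEWAY is a host address inside SUBNET (CIDR): same
# prefix, and neither the network nor the broadcast address.
gateway_in_subnet() {
  base="${1%/*}"; bits="${1#*/}"; gw="$2"
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  b=$(ip_to_int "$base"); g=$(ip_to_int "$gw")
  net=$(( b & mask )); bcast=$(( net | (4294967295 ^ mask) ))
  [ $(( g & mask )) -eq "$net" ] && [ "$g" -ne "$net" ] && [ "$g" -ne "$bcast" ]
}

# Return 0 when `docker network inspect` JSON shows an overlay network that
# is attachable and carries the encrypted option. grep-only, so it works
# on hosts without jq.
verify_overlay_json() {
  json="$1"
  printf '%s' "$json" | grep -q '"Driver": *"overlay"' || { echo "driver is not overlay";   return 1; }
  printf '%s' "$json" | grep -q '"Attachable": *true'  || { echo "network not attachable"; return 1; }
  printf '%s' "$json" | grep -q '"encrypted": *""'     || { echo "encrypted option absent"; return 1; }
}

# Constructed sample of inspect output for the network created below.
SAMPLE_INSPECT='[
    {
        "Name": "my-attachable-multi-host-network",
        "Driver": "overlay",
        "Scope": "swarm",
        "Attachable": true,
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "4097",
            "encrypted": ""
        }
    }
]'

# Validate the address pair, create the network exactly as the article does,
# then confirm the settings from the live inspect output.
create_and_verify() {
  subnet="${1:-10.0.1.0/24}"; gateway="${2:-10.0.1.1}"
  gateway_in_subnet "$subnet" "$gateway" || {
    echo "gateway $gateway is not a usable host address in $subnet" >&2; return 1; }
  docker network create --opt encrypted --driver overlay --attachable \
    --subnet="$subnet" --gateway="$gateway" "$NET_NAME"
  verify_overlay_json "$(docker network inspect "$NET_NAME")"
}

# Guarded so the helpers can be exercised on a machine without Docker.
if [ "${DO_CREATE:-0}" = "1" ]; then create_and_verify "$@"; fi
```

Run DO_CREATE=1 sh script.sh 10.0.1.0/24 10.0.1.1 on a manager node. The final verify_overlay_json step is the one worth keeping in any provisioning pipeline: docker network create succeeds silently even if --opt encrypted was dropped from the command, so checking the inspect output is the only way to know the VXLAN traffic is actually IPsec-protected.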
Attach a container to an overlay network
Adding containers to an overlay network gives them the ability to communicate with other containers without having to set up routing on the individual Docker daemon hosts. A prerequisite for doing this is that the hosts have joined the same Swarm.
To join an overlay network named multi-host-network with a busybox container:
$ docker run --network multi-host-network busybox sh
Note: Due to limitations set by the Linux kernel, overlay networks become unstable and inter-container communications may break when 1000 containers are co-located on the same host.