Docker Runtime & Compose (high)

Docker Networking

Docker provides several network drivers. bridge (default) creates a private network; containers communicate via virtual ethernet. host shares the host network stack.

Memory anchor

Bridge network = a private office floor with an internal phone directory. Containers are offices on the same floor — they call each other by name. Host network = tearing down the office walls and sitting directly in the lobby.

Expected depth

Network drivers: bridge (default; isolated network, NAT to the host), host (no isolation; the container uses the host's IP and ports directly, best performance), none (no network), overlay (multi-host; used by Docker Swarm, and the same idea underlies Kubernetes CNI plugins), macvlan (the container gets its own MAC address visible on the physical network). Containers on the same user-defined bridge network resolve each other by container name (built-in DNS). The default bridge network has no automatic DNS: you must use --link (deprecated) or a user-defined network.

Deep — senior internals

docker network create --driver bridge mynet creates an isolated bridge with a Docker-managed iptables NAT. Under the hood: a virtual ethernet pair (veth) connects the container's eth0 to the host's bridge. Docker manages iptables FORWARD rules and MASQUERADE for outbound NAT. Port mapping (-p 8080:80) adds a DNAT iptables rule. In Kubernetes, CNI plugins (Calico, Flannel, Cilium) implement overlay networking for cross-node pod communication. Cilium uses eBPF instead of iptables for better performance and observability.

🎤 Interview-ready answer

Docker containers get their own network namespace with a virtual eth0. The bridge driver connects containers to a virtual bridge on the host with NAT for outbound traffic. Port publishing (-p) adds iptables DNAT rules. User-defined bridge networks get automatic DNS resolution by container name — always use these instead of the default bridge. The host driver gives the container direct access to the host's network stack — no NAT overhead, useful for performance-critical services.

Common trap

The default bridge network does NOT support container name DNS resolution. Two containers on the default bridge network can't reach each other by name — only by IP. Always create user-defined bridge networks for multi-container apps.

Related concepts