team@tinypod.app

Understanding Docker Networking: Bridge, Host, and Overlay

Container networking is confusing. Bridge networks, port mapping, host networking — here's how it all works.

Tags: docker, networking, containers

The Basics


Every container gets its own network namespace — it has its own IP address, routing table, and network interfaces. The question is: how do containers communicate with each other and the outside world?


Network Modes


Bridge (Default)

Containers connect to a virtual bridge network on the host. Each container gets a private IP (172.17.x.x by default).


  • Containers on the same bridge can communicate
  • Use port mapping (-p 8080:80) to expose to the host
  • Default for single-host Docker/Podman setups

Host

Container shares the host's network directly. No network isolation.


  • Container binds to host ports directly
  • Best performance (no NAT overhead)
  • No port mapping needed
  • Less secure (no network isolation)
  • Use for performance-critical applications

None

No networking. Container is completely isolated.


User-Defined Bridge Networks


Always create your own bridge networks instead of using the default:


    docker network create mynetwork


Benefits over the default bridge:

  • DNS resolution by container name (container1 can reach container2 by name)
  • Better isolation between groups of containers
  • Containers can be connected/disconnected dynamically

Port Mapping


-p 8080:80 maps host port 8080 to container port 80. With no address given, the port is published on all host interfaces.

-p 127.0.0.1:8080:80 binds only to localhost (not accessible from outside).

-p 8080:80/udp publishes a UDP port (TCP is the default).


Container-to-Container Communication


Containers on the same user-defined bridge network can communicate by name:


App container connects to database as: postgres://db:5432/mydb

(where "db" is the database container's name)


DNS Resolution


Docker's embedded DNS server resolves container names to IPs within user-defined networks. This is why you see hostnames like "db" or "redis" in docker-compose files instead of IP addresses.


Common Patterns


Web App + Database

  • App and database on the same bridge network
  • Only the app exposes a port to the host
  • Database is only accessible from the app container

Reverse Proxy

  • Caddy/Nginx on a frontend network
  • Apps on both frontend and backend networks
  • Databases only on backend network
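
To check running containers against these patterns, here is an added example (not part of the original post) that audits `docker inspect` JSON for the three exposures discussed above: host network mode, the default bridge, and ports published on all interfaces. The container names, the `appnet` network and the sample data are constructed for illustration.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE = json.loads("""
[
 {"Name": "/web", "HostConfig": {"NetworkMode": "appnet"},
  "NetworkSettings": {"Networks": {"appnet": {}},
    "Ports": {"80/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]}}},
 {"Name": "/db", "HostConfig": {"NetworkMode": "appnet"},
  "NetworkSettings": {"Networks": {"appnet": {}},
    "Ports": {"5432/tcp": [{"HostIp": "0.0.0.0", "HostPort": "5432"}]}}},
 {"Name": "/metrics", "HostConfig": {"NetworkMode": "host"},
  "NetworkSettings": {"Networks": {"host": {}}, "Ports": {}}},
 {"Name": "/legacy", "HostConfig": {"NetworkMode": "bridge"},
  "NetworkSettings": {"Networks": {"bridge": {}}, "Ports": {"6379/tcp": null}}}
]
""")

# Host addresses that make a published port reachable on every interface.
WILDCARD = {"", "0.0.0.0", "::"}


def audit(containers):
    """Return sorted (container, code, detail) findings for each container."""
    findings = []
    for c in containers:
        name = c.get("Name", "?").lstrip("/")
        mode = c.get("HostConfig", {}).get("NetworkMode", "")
        net = c.get("NetworkSettings", {})
        if mode == "host":
            findings.append((name, "HOST_MODE", "no network isolation"))
        # The default bridge is reported as "bridge" (or "default" as the mode).
        if mode in ("default", "bridge") or "bridge" in (net.get("Networks") or {}):
            findings.append((name, "DEFAULT_BRIDGE", "no DNS by container name"))
        for port, bindings in (net.get("Ports") or {}).items():
            for b in bindings or []:  # null: port exposed but not published
                if b.get("HostIp", "") in WILDCARD:
                    detail = f"{port} -> all interfaces:{b.get('HostPort')}"
                    findings.append((name, "PUBLIC_PORT", detail))
    return sorted(findings)


if __name__ == "__main__":
    for name, code, detail in audit(SAMPLE):
        print(f"{name:10} {code:15} {detail}")
```

To audit a real host, replace SAMPLE with the JSON produced by `docker inspect $(docker ps -q)`.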

Podman Networking


Podman networking is similar to Docker's but with a key difference: rootless Podman uses slirp4netns or pasta for network namespace setup instead of iptables, since regular users can't modify iptables rules.