Painless Docker - 2nd Edition

Networking in Docker Swarm

When initially creating a Swarm cluster, Docker automatically creates a network called ingress. This network is utilized for inter-node communication and functions as the load balancer for distributing incoming requests among containers within a service.

To view all the default networks, use the following command:

docker network ls

You will see the following default networks (including the automatically-created ingress network):

• bridge: This is the default network used when you run a container without specifying a network. It's a single-host network that allows containers to communicate with each other on the same host.
• docker_gwbridge: Connects the individual Docker daemon to other daemons participating in the swarm. This network is used for communication between the swarm and the outside world.
• host: This is the network used when you run a container in host mode (using the --network host option).
• ingress: The routing mesh network created automatically for publishing service ports across the cluster.
• none: This is the network used when you run a container without a network.

The only network that is used for inter-node communication in this list is the ingress network. The other networks are locally scoped to the node where they are created.

The ingress network uses the overlay driver, which enables containers running on different Swarm nodes to communicate over a virtual network that spans the cluster:

docker network inspect ingress | jq '.[0].Driver'

Before going further, it's important to clarify how networking works in Docker Swarm:

• Services are not automatically attached to a Swarm network.
• A service is attached to an overlay network only if:
• you explicitly specify one with --network, or
• you publish a port, which implicitly attaches the service to the ingress network.

An overlay network is a software-defined network that connects Docker daemons across multiple hosts, providing built-in service discovery and optional load balancing.

The ingress network is a special overlay network used by Docker Swarm only for published ports. It implements the routing mesh and allows external traffic hitting any node to be routed to a service task running anywhere in the cluster.

Usually, when we create a service, we explicitly create a custom overlay network and attach the service to it. If the service needs to be accessible from outside the cluster, we can publish a port, which will automatically attach the service to the ingress network as well.

For example, let's create a service called webserver that runs the nginx image and uses a custom network called webserver-network.

To begin, create the network:

docker network create --driver overlay webserver-network

Now, you have two choices:

• Remove the service and recreate it using the --network option.
• Update the service using the --network option.

Let's proceed with removing the service and recreating it using the --network option.

docker service rm webserver
docker service create --name webserver -p 80:80 --network webserver-network nginx:1.29.5

Alternatively, you can update the service to use the new network without removing it:

docker service update --network-add webserver-network webserver

Now you can inspect the service and see that it's using the webserver-network network:

docker service inspect webserver --pretty | grep -i network