Overlay network driver Explain

The overlay network driver creates a distributed network among multiple Docker daemon hosts. This network sits on top of (overlays) the host-specific networks, allowing containers connected to it to communicate securely when encryption is enabled. Docker transparently handles routing of each packet to and from the correct Docker daemon host and the correct destination container.

You can create user-defined overlay networks using docker network create, in the same way that you can create user-defined bridge networks. Services or containers can be connected to more than one network at a time. Services or containers can only communicate across networks they're each connected to.

Overlay networks are often used to create a connection between Swarm services, but you can also use it to connect standalone containers running on different hosts. When using standalone containers, it’s still required that you use Swarm mode to establish a connection between the hosts.

Before you start, you must ensure that participating nodes can communicate over the network. The following lists ports that need to be open to each host participating in an overlay network:

2377/tcp: The default Swarm control plane port, is configurable with docker swarm join --listen-addr

4789/udp: The default overlay traffic port, configurable with docker swarm init --data-path-addr

7946/tcp, 7946/udp: Used for communication among nodes, not configurable

This command initializes Docker Swarm on the host and creates a Swarm manager node.

Once Docker Swarm is initialized, you can create an overlay network using the docker network create command with the --driver option set to overlay. Optionally, you can specify additional parameters such as subnet, gateway, and network name.

You can also specify subnet and gateway parameters while creating the overlay network:

You Can also use — attachable Command:

To create an overlay network that containers on other Docker hosts can connect to, run the following command:

The --attachable option enables both standalone containers and Swarm services to connect to the overlay network. Without --attachable, only Swarm services can connect to the network.

After creating the overlay network, you can use the docker network ls command to list all networks and verify that your overlay network has been created:

Use the --opt encrypted flag to encrypt the application data transmitted over the overlay network:

This enables IPsec encryption at the level of the Virtual Extensible LAN (VXLAN). This encryption imposes a non-negligible performance penalty, so you should test this option before using it in production.

Adding containers to an overlay network gives them the ability to communicate with other containers without having to set up routing on the individual Docker daemon hosts. A prerequisite for doing this is that the hosts have joined the same Swarm.

To join an overlay network named multi-host-network with a busybox container:

Note: Due to limitations set by the Linux kernel, overlay networks become unstable and inter-container communications may break when 1000 containers are co-located on the same host.