Docker networking is one of the most critical aspects of containerized application architecture. Understanding how containers communicate with each other, with the host system and with external networks is essential.
## Docker networking overview

Docker creates isolated network environments for containers.

```bash
# List all Docker networks
$ docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
a1b2c3d4e5f6   bridge    bridge    local
f6e5d4c3b2a1   host      host      local
1a2b3c4d5e6f   none      null      local
```
## Docker network types

### Bridge network (default)

The bridge network is the default network driver for containers.

```bash
# Create a user-defined bridge network
$ docker network create my-app-network

# Run containers on the custom network
$ docker run -d --name web --network my-app-network nginx:alpine
$ docker run -d --name api --network my-app-network node:20-alpine

# Containers can now reach each other by name
$ docker exec web ping api
PING api (172.18.0.3): 56 data bytes
64 bytes from 172.18.0.3: seq=0 ttl=64 time=0.089 ms

# User-defined bridge vs default bridge
# Default bridge: containers communicate only via IP addresses
# User-defined bridge: automatic DNS resolution by container name

# Create bridge with custom subnet
$ docker network create \
    --driver bridge \
    --subnet 172.20.0.0/16 \
    --gateway 172.20.0.1 \
    custom-bridge
```
### Host network

Host network mode removes the network isolation between the container and the host.

```bash
# Run container with host networking
$ docker run -d --network host nginx:alpine

# No port mapping needed — container uses host ports directly
# The nginx server is accessible at localhost:80

# Check: container shares host's network interfaces
$ docker exec <container-id> ip addr
# Shows the same interfaces as the host machine

# Warning: Only one container can bind to a given host port
# Host networking is only supported on Linux (not macOS/Windows)
```
### Overlay network

Overlay networks connect containers running on multiple Docker daemons.

```bash
# Initialize Docker Swarm (required for overlay networks)
$ docker swarm init

# Create an overlay network
$ docker network create \
    --driver overlay \
    --attachable \
    my-overlay-network

# Create a service on the overlay network
$ docker service create \
    --name web \
    --network my-overlay-network \
    --replicas 3 \
    nginx:alpine

# Create encrypted overlay network for sensitive data
$ docker network create \
    --driver overlay \
    --opt encrypted \
    secure-overlay
```
### Macvlan network

Macvlan allows assigning a MAC address to a container, so it shows up as a host of its own on the physical network.

```bash
# Create a Macvlan network
$ docker network create \
    --driver macvlan \
    --subnet 192.168.1.0/24 \
    --gateway 192.168.1.1 \
    -o parent=eth0 \
    my-macvlan

# Run container with its own IP on the LAN
$ docker run -d \
    --network my-macvlan \
    --ip 192.168.1.100 \
    --name legacy-app \
    my-app:latest

# The container appears as 192.168.1.100 on the physical network
```
### None network

None disables all networking for a container.

```bash
# Run container with no networking
$ docker run -d --network none alpine sleep 3600

# Only loopback interface is available
$ docker exec <container-id> ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet 127.0.0.1/8 scope host lo
```
## Networking in Docker Compose

Docker Compose sets up a single network per project by default.

```yaml
# docker-compose.yml — Default networking
# All services share a network named <project>_default
services:
  web:
    image: nginx:alpine
    ports:
      - "80:80"
  api:
    image: node:20-alpine
    # Can reach web service at http://web:80
    # Can reach db service at postgres://db:5432
  db:
    image: postgres:16
    environment:
      POSTGRES_PASSWORD: secret
```
### Custom networks in Compose

```yaml
# docker-compose.yml — Custom networks for isolation
services:
  nginx:
    image: nginx:alpine
    ports:
      - "80:80"
      - "443:443"
    networks:
      - frontend
  api:
    build: ./api
    networks:
      - frontend
      - backend
    depends_on:
      - db
      - redis
  db:
    image: postgres:16
    volumes:
      - pg-data:/var/lib/postgresql/data
    networks:
      - backend
  redis:
    image: redis:7-alpine
    networks:
      - backend
  admin:
    image: adminer
    ports:
      - "8080:8080"
    networks:
      - backend

networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
    internal: true  # No external access

volumes:
  pg-data:
```
## Network isolation patterns

Use multiple networks to isolate services from each other.

```text
# Three-tier architecture with network isolation
#
#   Internet
#      |
#   [nginx]  <-- frontend network
#      |
#   [api]    <-- frontend + backend network
#      |
#   [db]     <-- backend network (internal)
#
# nginx can reach api, but NOT db
# api can reach both nginx and db
# db is completely isolated from external access
```
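The reachability rules in the diagram can be checked mechanically rather than by eye. The following Python script is an added example, not code from the original page: it models the three-tier Compose topology as constructed data (which networks each service joins, and which networks are `internal`) and derives who can reach whom, which services have internet egress, and which services sit on both tiers and therefore act as gateways.

```python
import itertools

# Constructed topology mirroring the three-tier compose file on this page:
# service -> attached networks, and network -> internal flag.
SERVICES = {
    "nginx": {"frontend"},
    "api":   {"frontend", "backend"},
    "db":    {"backend"},
    "redis": {"backend"},
    "admin": {"backend"},
}
NETWORKS = {"frontend": {"internal": False}, "backend": {"internal": True}}


def can_reach(a, b, services=SERVICES):
    """Containers talk directly only when they share at least one network;
    Docker does not route between separate user-defined bridges."""
    return bool(services[a] & services[b])


def has_egress(svc, services=SERVICES, networks=NETWORKS):
    """Outbound (internet) access needs at least one non-internal network."""
    return any(not networks[n]["internal"] for n in services[svc])


def gateway_services(services=SERVICES, networks=NETWORKS):
    """Services on both an internal and a non-internal network: the only
    application-level paths between the isolated tier and the outside."""
    return sorted(
        s for s, nets in services.items()
        if any(networks[n]["internal"] for n in nets)
        and any(not networks[n]["internal"] for n in nets)
    )


def reachability(services=SERVICES):
    """Map every ordered pair (a, b) to whether a can open a connection to b."""
    return {(a, b): can_reach(a, b, services)
            for a, b in itertools.permutations(services, 2)}


if __name__ == "__main__":
    for (a, b), ok in sorted(reachability().items()):
        print(f"{a:5} -> {b:5}: {'reachable' if ok else 'blocked'}")
    print("egress:", {s: has_egress(s) for s in SERVICES})
    print("gateways:", gateway_services())
```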
## DNS and service discovery

Docker provides built-in DNS resolution on user-defined networks.

### DNS resolution rules

```bash
# DNS resolution in user-defined networks
# 1. Container name → IP address
$ docker exec web nslookup api
Server:    127.0.0.11
Address:   127.0.0.11#53

Name:      api
Address:   172.18.0.3

# 2. Service name in Compose → all container IPs (round-robin)
$ docker exec web nslookup api
# Returns IPs of all 'api' service replicas

# 3. Network aliases
$ docker run -d \
    --network my-network \
    --network-alias database \
    --network-alias db \
    --name postgres-primary \
    postgres:16
# Container is reachable as: postgres-primary, database, or db

# 4. Check DNS configuration inside a container
$ docker exec web cat /etc/resolv.conf
nameserver 127.0.0.11
options ndots:0
```
### Connecting containers across networks

A container can be connected to more than one network.

```bash
# Connect a running container to an additional network
$ docker network connect backend api-container

# Connect with a specific IP address
$ docker network connect --ip 172.20.0.10 backend api-container

# Disconnect from a network
$ docker network disconnect frontend api-container

# A container connected to multiple networks can route between them
# This is useful for "gateway" containers
```
## Inspecting networks

Docker provides commands for inspecting networks and the containers attached to them.

```bash
# List all networks
$ docker network ls

# Inspect a network (shows connected containers, config)
$ docker network inspect my-app-network

# Find which networks a container is connected to
$ docker inspect --format='{{json .NetworkSettings.Networks}}' my-container

# Check container IP address
$ docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' my-container

# Check port mappings
$ docker port my-container

# Test connectivity between containers
$ docker exec web ping -c 3 api
$ docker exec web wget -qO- http://api:3000/health

# Debug with a temporary network tools container
$ docker run --rm -it --network my-app-network \
    nicolaka/netshoot bash
```
## Troubleshooting Docker networking

### Containers cannot communicate

Verify that both containers are on the same network.

```bash
# Check if containers are on the same network
$ docker network inspect bridge --format='{{range .Containers}}{{.Name}} {{end}}'

# Solution: Use a user-defined network
$ docker network create app-net
$ docker run -d --name web --network app-net nginx
$ docker run -d --name api --network app-net node:20-alpine

# Now name resolution works
$ docker exec web ping api   # Works!
```
### Port conflicts

Check for conflicting ports on the host.

```bash
# Error: port is already allocated
# Find what is using the port
$ lsof -i :8080
$ ss -tlnp | grep 8080

# Solution 1: Map to a different host port
$ docker run -d -p 8081:80 nginx

# Solution 2: Stop the conflicting service
$ sudo systemctl stop apache2
```
### DNS resolution failures

Specify custom DNS servers for the container.

```bash
# Specify custom DNS servers
$ docker run -d --dns 8.8.8.8 --dns 8.8.4.4 my-app
```

Or in `docker-compose.yml`:

```yaml
services:
  web:
    image: nginx
    dns:
      - 8.8.8.8
      - 8.8.4.4
```
### Network performance problems

Consider host networking for performance-critical services, keeping in mind that it gives up the network isolation described under the host network above.

```bash
# Check MTU settings
$ docker network inspect bridge | grep -i mtu

# Set custom MTU for a network
$ docker network create --opt com.docker.network.driver.mtu=1400 my-network

# Use host networking for maximum performance
$ docker run --network host my-performance-app
```
## Network security best practices

Follow these best practices:

- Use user-defined bridge networks rather than the default bridge.
- Use internal networks for services that need no outbound access.
- Publish only the ports that are actually needed.
- Use encrypted overlay networks for traffic between hosts.
- Implement network policies.
- Audit network configurations regularly.

```bash
# Bind to localhost only (not accessible from outside)
$ docker run -d -p 127.0.0.1:5432:5432 postgres:16

# Create internal network (no outbound internet)
$ docker network create --internal isolated-net
```

In `docker-compose.yml`:

```yaml
networks:
  database:
    internal: true  # Containers cannot reach the internet
```
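As an added example (not from the original page), this Python audit reads the JSON that `docker inspect` prints for one or more containers and flags the two exposures the practices above warn about: ports published on all host interfaces instead of `127.0.0.1`, and containers running with host networking. The sample inspect output is constructed inline and trimmed to the fields the audit reads.

```python
import json

# Constructed, abbreviated `docker inspect` output for three containers; only
# the fields the audit reads are included (real output has many more).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/db", "HostConfig": {"NetworkMode": "backend",
        "PortBindings": {"5432/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5432"}]}}},
    {"Name": "/admin", "HostConfig": {"NetworkMode": "backend",
        "PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]}}},
    {"Name": "/metrics", "HostConfig": {"NetworkMode": "host", "PortBindings": {}}},
])

# `-p 8080:8080` with no address records an empty HostIp, which Docker treats
# like 0.0.0.0 (every interface); "::" is the IPv6 equivalent.
ALL_INTERFACES = {"", "0.0.0.0", "::"}


def audit_exposure(inspect_json):
    """Return (container, what, why) findings for risky exposures.

    Input is the raw text of `docker inspect <ids...>`. Bindings pinned to a
    specific address such as 127.0.0.1 are not reported.
    """
    findings = []
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")          # inspect prefixes names with "/"
        hc = c.get("HostConfig", {})
        if hc.get("NetworkMode") == "host":
            findings.append((name, "host network",
                             "shares the host namespace; every listening port is exposed"))
            continue
        for cport, binds in (hc.get("PortBindings") or {}).items():
            for b in binds or []:
                if b.get("HostIp", "") in ALL_INTERFACES:
                    findings.append((name, f"{b['HostPort']}->{cport}",
                                     "published on all host interfaces"))
    return findings


if __name__ == "__main__":
    for container, what, why in audit_exposure(SAMPLE_INSPECT):
        print(f"{container}: {what}: {why}")
```

Run it against live data with `docker inspect $(docker ps -q) | python3 audit.py` after replacing `SAMPLE_INSPECT` with `sys.stdin.read()`.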
## Advanced topics

### Custom IPAM configuration

Configure custom IP address management (IPAM) for a network.

```bash
# Custom IPAM configuration
$ docker network create \
    --driver bridge \
    --subnet 10.10.0.0/16 \
    --ip-range 10.10.1.0/24 \
    --gateway 10.10.0.1 \
    --aux-address "dns=10.10.0.2" \
    custom-ipam-net
```

In `docker-compose.yml`:

```yaml
networks:
  app-net:
    driver: bridge
    ipam:
      config:
        - subnet: 172.28.0.0/16
          ip_range: 172.28.5.0/24
          gateway: 172.28.0.1
```
### IPv6 support

Docker supports IPv6 once it is enabled in the daemon.

Enable IPv6 in the Docker daemon (`/etc/docker/daemon.json`):

```json
{
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8:1::/64"
}
```

Create a dual-stack network:

```bash
$ docker network create \
    --ipv6 \
    --subnet 172.20.0.0/16 \
    --subnet 2001:db8:2::/64 \
    dual-stack-net
```
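The IPAM and dual-stack settings above are easy to get subtly wrong: a gateway outside the subnet, an `--ip-range` that is not inside `--subnet`, an aux address outside the subnet, or a subnet that overlaps an existing network (which Docker rejects at creation time). This added Python example, not from the original page, validates such a configuration with the standard library `ipaddress` module before it is handed to `docker network create`; the `existing` argument is a list of subnets already in use, as reported by `docker network inspect`.

```python
import ipaddress


def _net(s):
    # strict=True rejects e.g. 10.10.0.1/16 (host bits set), as Docker does.
    return ipaddress.ip_network(s, strict=True)


def validate_ipam(subnet, gateway=None, ip_range=None, aux=None, existing=()):
    """Check one network's IPAM settings; returns a list of problem strings
    (empty means the configuration is consistent)."""
    problems = []
    try:
        net = _net(subnet)
    except ValueError as e:
        return [f"bad subnet {subnet}: {e}"]
    if gateway is not None and ipaddress.ip_address(gateway) not in net:
        problems.append(f"gateway {gateway} is outside {net}")
    if ip_range is not None:
        rng = _net(ip_range)
        # subnet_of() raises on mixed IP versions, so compare versions first
        if rng.version != net.version or not rng.subnet_of(net):
            problems.append(f"ip-range {rng} is not inside {net}")
    for name, addr in (aux or {}).items():
        if ipaddress.ip_address(addr) not in net:
            problems.append(f"aux-address {name}={addr} is outside {net}")
    for other in existing:
        o = _net(other)
        if o.version == net.version and net.overlaps(o):
            problems.append(f"{net} overlaps existing network {o}")
    return problems


def dual_stack_problems(subnets):
    """A dual-stack network needs exactly one IPv4 and one IPv6 subnet."""
    versions = sorted(_net(s).version for s in subnets)
    if versions == [4, 6]:
        return []
    return [f"expected one IPv4 and one IPv6 subnet, got versions {versions}"]


if __name__ == "__main__":
    # The custom-ipam-net settings from this page, checked against a
    # constructed list of subnets already in use on the host.
    print(validate_ipam("10.10.0.0/16", "10.10.0.1", "10.10.1.0/24",
                        {"dns": "10.10.0.2"}, existing=["172.17.0.0/16"]))
    print(dual_stack_problems(["172.20.0.0/16", "2001:db8:2::/64"]))
```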
### Built-in load balancing

Docker Swarm provides built-in load balancing across service replicas.

```bash
# Docker Swarm built-in load balancing
$ docker service create \
    --name web \
    --replicas 5 \
    --publish published=80,target=80 \
    --network my-overlay \
    nginx:alpine

# Requests to port 80 on ANY swarm node
# are load-balanced across all 5 replicas
# using ingress routing mesh

# Scale the service
$ docker service scale web=10
```
## Network driver comparison

| Driver | Use case | Isolation | Performance | Multi-host |
|---|---|---|---|---|
| Bridge | Single-host containers | High | Good | No |
| Host | Performance-critical apps | None | Best | No |
| Overlay | Multi-host / Swarm | High | Good | Yes |
| Macvlan | Legacy / physical network | High | Good | No |
| None | Maximum isolation | Complete | N/A | No |
## Conclusion

Docker networking is a fundamental skill for developers. Master these concepts to build robust, scalable containerized applications.

## FAQ

What is the difference between bridge and host?
Bridge creates an isolated network namespace. Host shares the host's network stack directly.

When should I use overlay networks?
When containers on different hosts need to communicate.

Can containers on different networks communicate?
Not by default. Use `docker network connect`.

How do I debug Docker DNS resolution?
Make sure the containers are on a user-defined network.