Read on:
Beginners’ Guide for Microsoft Hyper-V: Overview of Hyper-V – Part 1
Beginners’ Guide for Microsoft Hyper-V: How to Install Microsoft Hyper-V Using Server Manager – Part 2
Beginners’ Guide for Microsoft Hyper-V: How to Install Microsoft Hyper-V with PowerShell – Part 3
Read More
As you start to work with Docker on Windows Server running Hyper-V, one of the fundamental concepts is Docker networking. Therefore, understanding how the Docker containers in a Windows environment connect to other containers and the external network is a great way to increase your knowledge of how container networking works in a Windows environment. For beginners, let’s consider Windows Docker container networking in Hyper-V and learn the basic architecture, capabilities, and configuration.
Hyper-V Virtual Machine vs. Container networking
If you already have a basic understanding of how Hyper-V virtual machine networking is configured, you have a head start with understanding Windows container networking. Like a Hyper-V virtual machine, Windows containers have a virtual network adapter connecting a Hyper-V virtual switch (vSwitch) in your environment.
Windows vs. Linux Docker networking commands
You may wonder if all the networking options, commands, and capabilities are supported with Windows compared to Linux environments when running containers. All Docker networking commands are supported on Windows using the same syntax found in Linux. However, there are a few exceptions to note that are not supported in Windows. In addition, understanding the core Docker networking stacks that are different between Windows and Linux is essential.
There are a few unsupported Docker network features in Windows. These include limitations for containers attached to NAT and overlay networks. These do not support IPv6. Also, note the following that is not supported
- Encrypted network communication using IPsec
- Host mode networking
- Networking on Azure infrastructure using the transparent network driver
Windows Docker networking modes
With Windows Docker containers, Windows supports a total of five networking modes. You can create these Docker networking modes using Docker commands. What are the available Docker network modes available in Windows?
- NAT
- Overlay
- Transparent
- L2Bridge
- L2Tunnel
Each networking mode has its requirements and capabilities that organizations will choose depending on their use cases.
NAT
When the NAT network driver mode is used, containers are attached to an internal Hyper-V switch. It means they receive an IP address from the user-specific IP prefix. When this mode is used, it supports mapping or port forwarding ports from the host side into the container endpoints. If you are using a Windows Server 2019 or higher Windows container host, the NAT networks are not persisted after a reboot.
Overlay
The overlay network driver is a standard mode used with container orchestration platforms such as Kubernetes and Docker Swarm. Overlay networks are created with their IP subnets and private IP prefix. VXLAN overlay network encapsulation is used across the overlay and allows containers to communicate with other containers attached to the same overlay network.
Transparent
With the transparent network driver, containers are directly connected to the physical network using an external Hyper-V virtual switch. In this configuration, IP addresses from the physical network can be assigned manually with a static configuration or dynamically using a DHCP server. You cannot use the transparent network mode if your container host is located in Microsoft Azure.
L2Bridge
Using the L2Bridge configuration, the container network traffic assumes the MAC address of the container host using the layer-2 address translation operation during the ingress and egress network communication. Like the transparent mode, the L2Bridge mode connects the container to the physical network using a Hyper-V external switch.
L2Tunnel
The L2Tunnel network mode is only used in the Microsoft Cloud Stack in Azure. With the L2Bridge, container traffic is communicated with the virtualization host. Since the SDN policy is applied at this layer, it enables solutions like Azure Network Security Groups for containers.
Note the following comparison table from Microsoft, showing the difference between network modes
| Docker Windows Network Driver | Common uses | Container-to-container (Single node) | Container-to-external (single node + multi-node) | Container-to-container (multi-node) |
|---|---|---|---|---|
| NAT (Default) | Good for Developers | Bridged connection, same subnet through Hyper-V virtual switch
Cross subnet isn’t supported. You can only have one NAT internal prefix) |
Routed through Management vNIC (bound to WinNAT) | Not directly supported: requires exposing ports through host |
| Transparent | Good for Developers or small deployments | Same Subnet: Bridged connection through Hyper-V virtual switch
Cross Subnet: Routed through container host |
Routed through container host with direct access to (physical) network adapter | Routed through container host with direct access to (physical) network adapter |
| Overlay | Good for multi-node; required for Docker Swarm, available in Kubernetes | Same Subnet: Bridged connection through Hyper-V virtual switch
Cross Subnet: Network traffic is encapsulated and routed through Mgmt vNIC |
Not directly supported – requires second container endpoint attached to NAT network on Windows Server 2016 or VFP NAT rule on Windows Server 2019. | Same/Cross Subnet: Network traffic is encapsulated using VXLAN and routed through Mgmt vNIC |
| L2Bridge | Kubernetes and Microsoft SDN | Same Subnet: Bridged connection through Hyper-V virtual switch
Cross Subnet: Container MAC address re-written on ingress and egress and routed |
Container MAC address re-written on ingress and egress | Same Subnet: Bridged connection
Cross Subnet: routed through Mgmt vNIC on WSv1809 and above |
| L2Tunnel | Azure specific | Same/Cross Subnet: Hair-pinned to physical host’s Hyper-V virtual switch to where policy is applied | Traffic required to traverse Azure virtual network gateway | Same/Cross Subnet: Hair-pinned to physical host’s Hyper-V virtual switch to where policy is applied |
Windows Docker networking default configuration
When you run the Docker engine in Windows, it will create a default NAT network. The NAT network uses an internal vSwitch and a unique component called WinNAT. These will be available with the transparent network driver if you have already created Hyper-V virtual switches using Hyper-V Manager or PowerShell.
The Windows Docker NAT network is the default container network used for Docker containers in a Windows environment. When you run containers on a Windows container host and no network configuration is specified, the container is attached to the NAT network. When connected to the NAT network, the container is assigned an IP address from the internal IP subnet used for the Docker NAT network. The default IP subnet configuration is 172.16.0.0/16.
You can easily see the networks created and used in a Windows Docker configuration using the command
- docker network ls
Below, you can see the drivers used, including transparent and NAT.
Windows Docker container networking FAQs
- What modes are supported with Windows Docker container networking?
- Is the Docker networking commands the same in Windows as in Linux?
- Can you use Docker overlay networks in Windows?
There are five supported modes: NAT, Overlay, Transparent, L2Bridge, and L2Tunnel.
Docker networking commands in Windows are identical to the networking commands in Linux. However, the similarities end there as the underlying network stack differs between the two. In addition, Windows Docker networking has a few limitations compared to Linux.
This mode is commonly used with Kubernetes and Docker Swarm and is available in Windows Docker networking.
Wrapping up
Windows Docker container networking is very similar to virtual machine networking in Hyper-V. Containers are connected using vNICs to vSwitches. Keep in mind the different network modes used with Windows container networking and the capabilities and limitations of each, as you decide which mode to use with Windows containers. There are also a few limitations with Windows container networking not found in Linux, such as host mode networking.
Beginners Guide for Microsoft Hyper-V: How to Install Microsoft Hyper-V in Windows Server Core – Part 4
Beginners Guide for Microsoft Hyper-V: Remote Management of Hyper-V – Part 5
Beginners Guide for Microsoft Hyper-V: How to Install Hyper-V Server – Part 6
Beginner’s Guide for Microsoft Hyper-V: What is Azure Stack HCI – Part 7
Beginner’s Guide for Microsoft Hyper-V: Windows Admin Center Hyper-V Management – Part 8
Beginner’s Guide for Microsoft Hyper-V: Configuration of Hyper-V Networking Best Practices – Part 9
Beginner’s Guide for Microsoft Hyper-V: Hyper-V Storage Best Practices and Configuration – Part 10
Beginner’s Guide for Microsoft Hyper-V: How to build a Virtual Lab with Hyper-V – Part 11
Beginner’s Guide for Microsoft Hyper-V: Top 10 PowerShell Commands for Hyper-V – Part 12
Beginner’s Guide for Microsoft Hyper-V: How to Create a Hyper-V Virtual Machine – Part 13
Beginner’s Guide for Microsoft Hyper-V: Hyper-V Shared Storage for Beginners – Part 14
Beginner’s Guide for Microsoft Hyper-V: How to Create Hyper-V Cluster – Part 15
Beginner’s Guide for Microsoft Hyper-V: What is Non-Uniform Memory Access (NUMA) – Part 16
Beginner’s Guide for Microsoft Hyper-V: Hyper-V Dynamic Memory – Part 17
Beginner’s Guide for Microsoft Hyper-V: Cluster Aware Updating (CAU) – Part 18
Beginner’s Guide for Microsoft Hyper-V: Hyper-V Containers – Part 19
Beginner’s Guide for Microsoft Hyper-V: Managing Windows Server Containers with Windows Admin Center – Part 20
Beginner’s Guide for Microsoft Hyper-V: What are Hyper-V Checkpoints – Part 21
Beginners Guide for Microsoft Hyper-V: How to Create Cluster Shared Volumes (CSVs) – Part 22
Beginners’ Guide for Microsoft Hyper-V: VHD vs VHDX Vs AVHD/AVHDX: Overview of Virtual Disk Formats – Part 23
Beginners’ Guide for Microsoft Hyper-V: Hyper-V Live Migration – Part 24
Beginners’ Guide for Microsoft Hyper-V: Hyper-V High Availability – Part 25
Beginners’ Guide for Microsoft Hyper-V: How to Export and Import Hyper-V VM’s – Part 26
Beginners’ Guide for Microsoft Hyper-V: How To Install Docker Container on Windows Server – Part 27
Beginners’ Guide for Microsoft Hyper-V: How to Run Linux Containers on Hyper-V – Part 28
Beginners’ Guide for Microsoft Hyper-V: Containers vs Virtual Machines – Part 29
Beginners’ Guide for Microsoft Hyper-V: What is Azure Arc VM Management – Part 30
Beginners’ Guide for Microsoft Hyper-V: Azure Features in Windows Admin Center – Part 31
Beginners’ Guide for Microsoft Hyper-V: What is Microsoft Azure Arc – Part 32
Beginners Guide for Microsoft Hyper-V: How to Create a Virtual Switch in Hyper-V using Windows Admin Center – Part 33
Beginners Guide for Microsoft Hyper-V: Managing Hyper-V Server with Azure Arc – Part 34
Beginners Guide for Microsoft Hyper-V: Learn How to Install MicroK8s on Windows Kubernetes – Part 35
Beginners Guide for Microsoft Hyper-V: Top 8 Basic Docker Commands You Should Know – Part 36
Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.
