As you start to work with Docker on Windows Server running Hyper-V, one of the fundamental concepts is Docker networking. Therefore, understanding how the Docker containers in a Windows environment connect to other containers and the external network is a great way to increase your knowledge of how container networking works in a Windows environment. For beginners, let’s consider Windows Docker container networking in Hyper-V and learn the basic architecture, capabilities, and configuration.

Table of Contents

  1. Hyper-V Virtual Machine vs. Container networking
  2. Windows vs. Linux Docker networking commands
  3. Windows Docker networking modes
  4. NAT
  5. Overlay
  6. Transparent
  7. L2Bridge
  8. L2Tunnel
  9. Windows Docker networking default configuration
  10. Windows Docker container networking FAQs
  11. Wrapping up

Protect Your Data with BDRSuite

Cost-Effective Backup Solution for VMs, Servers, Endpoints, Cloud VMs & SaaS applications. Supports On-Premise, Remote, Hybrid and Cloud Backup, including Disaster Recovery, Ransomware Defense & more!

Hyper-V Virtual Machine vs. Container networking

If you already have a basic understanding of how Hyper-V virtual machine networking is configured, you have a head start with understanding Windows container networking. Like a Hyper-V virtual machine, Windows containers have a virtual network adapter connecting a Hyper-V virtual switch (vSwitch) in your environment.

Windows Docker container Networking in Hyper-V

Windows vs. Linux Docker networking commands

You may wonder if all the networking options, commands, and capabilities are supported with Windows compared to Linux environments when running containers. All Docker networking commands are supported on Windows using the same syntax found in Linux. However, there are a few exceptions to note that are not supported in Windows. In addition, understanding the core Docker networking stacks that are different between Windows and Linux is essential.

Download Banner

There are a few unsupported Docker network features in Windows. These include limitations for containers attached to NAT and overlay networks. These do not support IPv6. Also, note the following that is not supported

  • Encrypted network communication using IPsec
  • Host mode networking
  • Networking on Azure infrastructure using the transparent network driver

Windows Docker networking modes

With Windows Docker containers, Windows supports a total of five networking modes. You can create these Docker networking modes using Docker commands. What are the available Docker network modes available in Windows?

  • NAT
  • Overlay
  • Transparent
  • L2Bridge
  • L2Tunnel

Each networking mode has its requirements and capabilities that organizations will choose depending on their use cases.

NAT

When the NAT network driver mode is used, containers are attached to an internal Hyper-V switch. It means they receive an IP address from the user-specific IP prefix. When this mode is used, it supports mapping or port forwarding ports from the host side into the container endpoints. If you are using a Windows Server 2019 or higher Windows container host, the NAT networks are not persisted after a reboot.

Overlay

The overlay network driver is a standard mode used with container orchestration platforms such as Kubernetes and Docker Swarm. Overlay networks are created with their IP subnets and private IP prefix. VXLAN overlay network encapsulation is used across the overlay and allows containers to communicate with other containers attached to the same overlay network.

Transparent

With the transparent network driver, containers are directly connected to the physical network using an external Hyper-V virtual switch. In this configuration, IP addresses from the physical network can be assigned manually with a static configuration or dynamically using a DHCP server. You cannot use the transparent network mode if your container host is located in Microsoft Azure.

L2Bridge

Using the L2Bridge configuration, the container network traffic assumes the MAC address of the container host using the layer-2 address translation operation during the ingress and egress network communication. Like the transparent mode, the L2Bridge mode connects the container to the physical network using a Hyper-V external switch.

L2Tunnel

The L2Tunnel network mode is only used in the Microsoft Cloud Stack in Azure. With the L2Bridge, container traffic is communicated with the virtualization host. Since the SDN policy is applied at this layer, it enables solutions like Azure Network Security Groups for containers.

Note the following comparison table from Microsoft, showing the difference between network modes

Docker Windows Network Driver Common uses Container-to-container (Single node) Container-to-external (single node + multi-node) Container-to-container (multi-node)
NAT (Default) Good for Developers Bridged connection, same subnet through Hyper-V virtual switch

Cross subnet isn’t supported. You can only have one NAT internal prefix)

 Routed through Management vNIC (bound to WinNAT) Not directly supported: requires exposing ports through host
Transparent Good for Developers or small deployments Same Subnet: Bridged connection through Hyper-V virtual switch

Cross Subnet: Routed through container host

 Routed through container host with direct access to (physical) network adapter Routed through container host with direct access to (physical) network adapter
Overlay Good for multi-node; required for Docker Swarm, available in Kubernetes Same Subnet: Bridged connection through Hyper-V virtual switch

Cross Subnet: Network traffic is encapsulated and routed through Mgmt vNIC

 Not directly supported – requires second container endpoint attached to NAT network on Windows Server 2016 or VFP NAT rule on Windows Server 2019. Same/Cross Subnet: Network traffic is encapsulated using VXLAN and routed through Mgmt vNIC
L2Bridge Kubernetes and Microsoft SDN Same Subnet: Bridged connection through Hyper-V virtual switch

Cross Subnet: Container MAC address re-written on ingress and egress and routed

 Container MAC address re-written on ingress and egress Same Subnet: Bridged connection

Cross Subnet: routed through Mgmt vNIC on WSv1809 and above
L2Tunnel Azure specific Same/Cross Subnet: Hair-pinned to physical host’s Hyper-V virtual switch to where policy is applied Traffic required to traverse Azure virtual network gateway Same/Cross Subnet: Hair-pinned to physical host’s Hyper-V virtual switch to where policy is applied

Windows Docker networking default configuration

When you run the Docker engine in Windows, it will create a default NAT network. The NAT network uses an internal vSwitch and a unique component called WinNAT. These will be available with the transparent network driver if you have already created Hyper-V virtual switches using Hyper-V Manager or PowerShell.
The Windows Docker NAT network is the default container network used for Docker containers in a Windows environment. When you run containers on a Windows container host and no network configuration is specified, the container is attached to the NAT network. When connected to the NAT network, the container is assigned an IP address from the internal IP subnet used for the Docker NAT network. The default IP subnet configuration is 172.16.0.0/16.

You can easily see the networks created and used in a Windows Docker configuration using the command

  • docker network ls

Below, you can see the drivers used, including transparent and NAT.

Windows Docker container Networking in Hyper-V

Viewing Windows docker networks

Windows Docker container networking FAQs

  • What modes are supported with Windows Docker container networking?

    • There are five supported modes: NAT, Overlay, Transparent, L2Bridge, and L2Tunnel.

  • Is the Docker networking commands the same in Windows as in Linux?

    • Docker networking commands in Windows are identical to the networking commands in Linux. However, the similarities end there as the underlying network stack differs between the two. In addition, Windows Docker networking has a few limitations compared to Linux.

  • Can you use Docker overlay networks in Windows?

    • This mode is commonly used with Kubernetes and Docker Swarm and is available in Windows Docker networking.

Wrapping up

Windows Docker container networking is very similar to virtual machine networking in Hyper-V. Containers are connected using vNICs to vSwitches. Keep in mind the different network modes used with Windows container networking and the capabilities and limitations of each, as you decide which mode to use with Windows containers. There are also a few limitations with Windows container networking not found in Linux, such as host mode networking.

Related Posts:
Hyper-V Mastery: A Step-by-Step Guide for Beginners to Elevate Your IT Skills and Boost Your Career
Beginners’ Guide for Microsoft Hyper-V: How To Install Docker Container on Windows Server – Part 27
Beginners Guide for Microsoft Hyper-V: Top 8 Basic Docker Commands You Should Know – Part 36

Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.

Rate this post