Swarm Networks

A Docker swarm generates two different kinds of traffic:

  1. Control and management plane traffic: This includes swarm management messages, such as requests to join or leave the swarm and Raft log replication among managers. This traffic is always encrypted (mutual TLS between swarm nodes); you do not configure it.
  2. Application data plane traffic: This includes container-to-container traffic across nodes and traffic to and from external clients. Whether this traffic is encrypted is up to you, per overlay network (see "Encryption of application data" below).

The following three network concepts are important to swarm services:

  1. Overlay networks manage communications among the Docker daemons participating in the swarm. You can create overlay networks, in the same way as user-defined networks for standalone containers. Overlay networks are Docker networks that use the overlay network driver.
  2. The ingress network is a special overlay network that facilitates load balancing among a service's nodes. When any swarm node receives a request on a published port, it hands that request off to a module called IPVS. IPVS keeps track of all the IP addresses participating in that service, selects one of them, and routes the request to it, over the ingress network.
  3. The docker_gwbridge is a bridge network that connects the overlay networks (including the ingress network) to an individual Docker daemon's physical network. By default, each container a service is running is connected to its local Docker daemon host's docker_gwbridge network; this is how a task reaches the outside world, while the overlay carries the traffic between tasks.

Create an overlay network

To create an overlay network, specify the overlay driver when using the docker network create command. Run this on a manager node; the network has swarm scope and is created on a worker only when a task that uses it is scheduled there. By default an overlay network is reserved for services: standalone containers cannot join it unless you also pass --attachable.

docker network create --driver overlay learningocean-network

You can see information about the network (driver, scope, subnet, options such as encryption, and the containers attached on this node) using docker network inspect.

docker network inspect learningocean-network

Encryption of application data

  • Management and control plane data related to a swarm is always encrypted.
  • Application data among swarm nodes is not encrypted by default: overlay traffic leaves the host as plain VXLAN (UDP port 4789), so anyone who can sniff the network between nodes can read it. To encrypt this traffic on a given overlay network, use the --opt encrypted flag on docker network create. This enables IPSEC encryption at the level of the vxlan, which requires IP protocol 50 (ESP) to be allowed between the nodes in addition to UDP 4789. The option must be chosen when the network is created; it cannot be added to an existing network, and it is not supported on Windows nodes. The encryption imposes a non-negligible performance penalty, so you should test this option before using it in production.

Attach a service to an overlay network

To attach a service to an existing overlay network, pass the --network flag to docker service create, or the --network-add flag to docker service update.

docker service create --replicas 3 \
  --name my-web \
  --network learningocean-network \
  nginx

You can check the network using docker service inspect my-web: the attached networks are listed under Spec.TaskTemplate.Networks, each referenced by network ID (the Target field) rather than by name, so compare it against the Id shown by docker network inspect learningocean-network.
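Because the data plane is cleartext unless --opt encrypted was given at creation time, and a service only references its network by ID, it is worth checking the two inspect outputs together. The following audit script is an added example (not code from the original page or from Docker): it reads the JSON printed by docker network inspect and docker service inspect, resolves each service's network IDs, and reports services that run on overlay networks without the encrypted option. The embedded sample JSON is constructed to mirror the shape of real inspect output (the network IDs and service names are made up); the file names in the usage comment are assumptions.

```python
"""Audit swarm overlay networks for data-plane encryption.

Added example, not the page's or Docker's own code. Run it on the constructed
sample below with no arguments, or on real output from a manager node:

    docker network inspect $(docker network ls -q --filter driver=overlay) > nets.json
    docker service inspect $(docker service ls -q) > svcs.json
    python3 overlay_audit.py nets.json svcs.json
"""
import json
import sys

# Constructed sample shaped like real `docker network inspect` output
# (IDs shortened and invented; field names are the ones Docker emits).
SAMPLE_NETWORKS = json.dumps([
    {"Name": "learningocean-network", "Id": "6a1b2c3d4e5f", "Scope": "swarm",
     "Driver": "overlay", "Ingress": False, "Containers": {},
     "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4097"}},
    {"Name": "secure-network", "Id": "7b2c3d4e5f6a", "Scope": "swarm",
     "Driver": "overlay", "Ingress": False, "Containers": {},
     "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4098",
                 "encrypted": ""}},
    {"Name": "ingress", "Id": "8c3d4e5f6a7b", "Scope": "swarm",
     "Driver": "overlay", "Ingress": True, "Containers": {},
     "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4096"}},
    {"Name": "docker_gwbridge", "Id": "9d4e5f6a7b8c", "Scope": "local",
     "Driver": "bridge", "Ingress": False, "Containers": {}, "Options": {}},
])

# Constructed sample shaped like `docker service inspect` output: a service
# names its networks under Spec.TaskTemplate.Networks by ID, not by name.
SAMPLE_SERVICES = json.dumps([
    {"ID": "s1", "Spec": {"Name": "my-web",
                          "TaskTemplate": {"Networks": [{"Target": "6a1b2c3d4e5f"}]}}},
    {"ID": "s2", "Spec": {"Name": "payments",
                          "TaskTemplate": {"Networks": [{"Target": "7b2c3d4e5f6a"}]}}},
])


def is_encrypted_overlay(net):
    """True if an overlay network was created with --opt encrypted.

    Docker records the flag under Options as "encrypted": "" (or "true");
    a missing key, or an explicit "false", means cleartext VXLAN.
    """
    if net.get("Driver") != "overlay":
        return False
    value = net.get("Options", {}).get("encrypted")
    return value is not None and value.lower() != "false"


def service_networks(svc):
    """Network IDs a service is attached to (Spec.TaskTemplate.Networks,
    falling back to the older Spec.Networks location)."""
    spec = svc.get("Spec", {})
    nets = spec.get("TaskTemplate", {}).get("Networks") or spec.get("Networks") or []
    return [n["Target"] for n in nets]


def audit(networks_json, services_json):
    """Return {service name: [names of unencrypted overlay networks it uses]}.

    A network ID the inspect output does not cover is reported too, since the
    auditor cannot prove it is encrypted.
    """
    networks = {n["Id"]: n for n in json.loads(networks_json)}
    findings = {}
    for svc in json.loads(services_json):
        name = svc["Spec"]["Name"]
        weak = []
        for net_id in service_networks(svc):
            net = networks.get(net_id)
            if net is None:
                weak.append("<unknown network %s>" % net_id)
            elif net.get("Driver") == "overlay" and not is_encrypted_overlay(net):
                weak.append(net["Name"])
        findings[name] = weak
    return findings


def main(argv):
    if len(argv) == 3:
        nets, svcs = open(argv[1]).read(), open(argv[2]).read()
    else:
        nets, svcs = SAMPLE_NETWORKS, SAMPLE_SERVICES
    findings = audit(nets, svcs)
    for svc, weak in sorted(findings.items()):
        print("%-12s %s" % (svc, "OK" if not weak else "UNENCRYPTED: " + ", ".join(weak)))
    return 1 if any(findings.values()) else 0  # non-zero exit for CI gating


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample, my-web is flagged because learningocean-network was created without --opt encrypted, while payments on secure-network passes. The check reads the Options map rather than the network name, so a network that merely sounds secure is not trusted; and because the option cannot be added after creation, the only remediation for a flagged network is to create a new encrypted overlay and move the service with docker service update --network-add / --network-rm.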