What are Docker's built-in network drivers?
Quick Answer
bridge (the default) creates a private, isolated virtual network on the host that containers attach to, with NAT to reach the outside world. host removes network isolation entirely, sharing the host's own network namespace directly. none gives a container no networking at all beyond loopback. overlay connects containers across multiple different Docker hosts, used in Swarm mode. macvlan assigns a container its own MAC address, making it appear as a physical device directly on the host's network. Most single-host application setups use bridge networking, typically via a custom user-defined bridge rather than the default one.
Detailed Answer
bridge — the default, isolated virtual network
docker run -d --name web nginx # attaches to the default bridge network automatically
docker network create my-network # or create a custom, user-defined bridge network
docker run -d --network my-network --name web nginx
Creates a private, virtual network on the host. Containers on the same bridge network can reach each other by IP — and, on a user-defined bridge specifically, by container name via DNS (see the DNS question) — and reach the outside world via NAT through the host. This is the right default for the overwhelming majority of single-host container setups.
host — no network isolation at all
docker run -d --network host nginx
The container shares the host's network namespace directly — no isolation, no virtual interface, no port mapping needed (a container binding to port 80 with --network host is genuinely binding to port 80 on the host itself, directly). This eliminates a layer of network translation overhead, which occasionally matters for latency-sensitive or high-throughput networking use cases. But it sacrifices the isolation benefit entirely. Port conflicts between containers become a real, direct concern — two containers can't both bind the same host port — and a compromised container has direct access to the host's network stack.
none — no networking beyond loopback
docker run --network none myapp
The container gets no external network interface at all — only its own internal loopback (127.0.0.1). Useful for workloads that genuinely need zero network access, either for isolation/security reasons (a batch job processing only local files, with no legitimate reason to reach the network at all) or as an extra layer of defense-in-depth.
overlay — connecting containers across multiple hosts
docker network create -d overlay my-overlay-network # used with Docker Swarm
Extends bridge-like networking across multiple Docker hosts, letting containers on different physical or virtual machines communicate as if they were on the same local network. This is specifically what Docker Swarm mode (see the production topic) uses to let services span multiple nodes while still reaching each other by name.
macvlan — a container appears as a physical device
docker network create -d macvlan --subnet=192.168.1.0/24 --gateway=192.168.1.1 -o parent=eth0 my-macvlan
Assigns each container its own MAC address and effectively makes it appear as a distinct physical device directly on the host's physical network, bypassing Docker's usual NAT-based bridge networking entirely. Used for niche cases where legacy applications or network monitoring tools expect containers to look like real, individually-addressable devices on the network, rather than being hidden behind the host's single IP via NAT.
Choosing between them, in practice
| Driver | Typical use case |
|---|---|
| bridge (user-defined) | The default choice for nearly all single-host multi-container applications |
| host | Performance-sensitive networking, or single-purpose hosts running one dominant service |
| none | Workloads that should have no network access at all |
| overlay | Multi-host Swarm deployments |
| macvlan | Legacy applications or tooling that specifically requires containers to appear as distinct physical network devices |
For the large majority of everyday Docker usage — a web application talking to a database, a handful of services communicating with each other on one machine — a user-defined bridge network (not even the default bridge network, for reasons covered in that question) is the right choice, and the most common one by a wide margin.