Hardening Docker containers with network isolation

DOCKER/RestrictNetworkTraffic

It’s possible to specify a network for a container when you start it with docker run through the --network (or --net) flag. When you don’t specify which network the new container should use, Docker attaches it to the default bridge network.

The default bridge network configuration allows network traffic between all containers connected to it; all that one container needs in order to make a request to another is the IP address of the latter. That is, without any extra configuration, containers started on a Docker host can exchange network traffic with each other without restriction.

Why you should disable inter-container communication

Docker documentation states that user-defined networks are superior to the default bridge. Such networks provide several benefits over the default bridge; one of them is better isolation, because they control which containers can communicate with each other.

Running containers in the default network is risky because unrelated services are able to communicate, which can cause an unwanted or unintended exchange of data. A malfunctioning or ill-intentioned container could disrupt other containers through network requests. This risk is mitigated when inter-container communication is disabled.

How to isolate Docker containers running in the default bridge network

You need to add a setting to the daemon configuration file.

Edit the file /etc/docker/daemon.json, creating it if it doesn’t exist yet.

Use the JSON shown below:

{
  "icc": false
}

Make sure this file contains valid JSON before restarting the service. To validate with jq, run jq empty /etc/docker/daemon.json.

Then restart the Docker daemon:

sudo systemctl restart docker
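As an added example that is not part of the original page, the Python helper below merges "icc": false into an existing daemon.json rather than overwriting it (which would drop any other settings already in the file), and confirms the result from the output of docker network inspect bridge, where the daemon reflects the setting as the network option com.docker.network.bridge.enable_icc. The daemon.json content and the inspect output embedded here are constructed samples.

```python
import json
from typing import Optional

# Constructed sample: an existing daemon.json that already carries other settings.
EXISTING_DAEMON_JSON = '{"log-driver": "json-file", "log-opts": {"max-size": "10m"}}'

# Constructed sample: trimmed output of `docker network inspect bridge` after the
# daemon was restarted with "icc": false (only the fields used here are kept).
BRIDGE_INSPECT_OUTPUT = """[
  {
    "Name": "bridge",
    "Options": {
      "com.docker.network.bridge.enable_icc": "false",
      "com.docker.network.bridge.enable_ip_masquerade": "true",
      "com.docker.network.bridge.name": "docker0"
    }
  }
]"""


def merge_icc_setting(existing: Optional[str]) -> dict:
    """Return the daemon.json content with "icc": false set.

    Overwriting the whole file with {"icc": false} would drop any other settings
    the host already has, so existing keys are kept. An absent or empty file
    yields just the icc key. Invalid JSON raises ValueError, so a broken file is
    never written back (the daemon would refuse to start on it).
    """
    if existing is None or existing.strip() == "":
        config = {}
    else:
        config = json.loads(existing)  # json.JSONDecodeError is a ValueError
        if not isinstance(config, dict):
            raise ValueError("daemon.json must contain a JSON object")
    config["icc"] = False
    return config


def icc_disabled(inspect_output: str) -> bool:
    """Report whether `docker network inspect bridge` shows icc switched off.

    The daemon exposes "icc": false on the default bridge as the network option
    com.docker.network.bridge.enable_icc = "false".
    """
    for net in json.loads(inspect_output):
        if net.get("Name") == "bridge":
            opts = net.get("Options") or {}
            return opts.get("com.docker.network.bridge.enable_icc", "true") == "false"
    return False  # no default bridge in the output, so isolation is unconfirmed
```

On a real host, feed icc_disabled the output of subprocess.check_output(["docker", "network", "inspect", "bridge"], text=True) after the restart; a False result means the daemon did not pick up the setting.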