I'm relatively new to using Docker in production, and I'm wondering about the best practices when it comes to networking. Specifically, do you separate subnets for Docker containers? For example, we already have a subnet of 172.19.0.0/24 in our production environment. However, when I created an Nginx container, it automatically set up a bridge network using 172.19.0.0/16 on the Docker host. This raises a concern about potential conflicts. Should I coordinate with our network team to allocate a specific subnet for Docker use? If they provide us a subnet like 172.30.15.0/24, do you typically further divide that for different container stacks? For instance, could web servers take 172.30.15.0/29 and SQL servers get 172.30.15.8/29?
1 Answer
It's crucial to keep your Docker network separate from your production network to avoid conflicts. Docker networks are isolated to the host, but if you try to connect containers to production resources, like databases, you might run into issues if those subnets overlap. It’s a good idea to work with your network team to allocate a dedicated subnet for Docker, and using something larger than /24 might be wise depending on your container requirements. Many folks set aside a /16 range solely for Docker, giving enough room for scaling and ensuring everything runs smoothly.
I definitely agree. If you're expecting to run multiple services, make sure to plan ahead! It saved us a lot of headaches.
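As an added example (not from the original post), here is a shell script that checks a proposed Docker address pool against the production subnets from the question before anything is deployed, and emits the `/etc/docker/daemon.json` that pins Docker to the agreed range via the real `default-address-pools` setting; the subnets are the ones from the question, and no `docker` command is executed.

```bash
#!/usr/bin/env bash
# Added example: detect CIDR overlap between a planned Docker pool and the
# production network, then generate the daemon.json that enforces the plan.

ip_to_int() {            # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A B: return 0 if the two CIDR ranges share any address, else 1.
cidr_overlap() {
  local a_ip=${1%/*} a_len=${1#*/} b_ip=${2%/*} b_len=${2#*/}
  local a=$(ip_to_int "$a_ip") b=$(ip_to_int "$b_ip")
  # Two ranges collide iff they agree on the shorter of the two prefixes.
  local len=$(( a_len < b_len ? a_len : b_len ))
  local mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
  [ $(( a & mask )) -eq $(( b & mask )) ]
}

# check_plan POOL PROD...: report each production subnet POOL collides with;
# returns 1 if any collision was found, 0 if the pool is safe to use.
check_plan() {
  local pool=$1 rc=0; shift
  for prod in "$@"; do
    if cidr_overlap "$pool" "$prod"; then
      echo "CONFLICT: Docker pool $pool overlaps production $prod"; rc=1
    else
      echo "ok: $pool does not overlap $prod"
    fi
  done
  return $rc
}

# daemon_json POOL SIZE: daemon.json making Docker carve new networks out of
# POOL as /SIZE blocks instead of its built-in 172.17.0.0/12-style defaults.
daemon_json() {
  printf '{\n  "default-address-pools": [\n    { "base": "%s", "size": %s }\n  ]\n}\n' "$1" "$2"
}

# Constructed inputs from the question: the production /24, the /16 Docker
# picked on its own (conflict), and the /24 the network team might allocate.
PROD_SUBNETS="172.19.0.0/24"
check_plan 172.19.0.0/16  $PROD_SUBNETS || true   # Docker's default: conflict
check_plan 172.30.15.0/24 $PROD_SUBNETS           # allocated range: ok
daemon_json 172.30.15.0/24 29   # then: docker network create --subnet 172.30.15.0/29 web
```

After restarting the daemon with that file, each `docker network create` without an explicit `--subnet` draws its /29 from 172.30.15.0/24, so per-stack networks such as the web and SQL blocks in the question cannot wander back into the production range.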