Docker Deep Dive
by Sergey Okinchuk
Connecting Containers and Network IsolationChapter 8: Docker Compose
Chapter 7: Networking
Topic 45

Overlay Networks

Multi-hostOrchestration

Every network so far has been a Linux bridge on one host. An overlay network spans multiple hosts: it tunnels container traffic between machines over VXLAN so containers on different physical hosts share one virtual network and resolve each other by name, exactly as if they were on the same bridge. The address and the name resolution work across the machines.

This is the deliberate edge of this book — the moment networking stops being single-host. The honest move is to name the concept, show where the boundary is, and point across it to orchestration, not to half-teach a multi-host system this course was never scoped to cover. Docker builds and runs containers on one host; orchestrators run them across many.

An overlay spans hosts
container on host A
VXLAN tunnel
container on host B

The Single-Host Boundary

A bridge network connects containers on one machine, and that is the entire scope of everything in topics 39 through 44. The instant containers must talk across machines — web on one server reaching db on another — a bridge is not enough, because a bridge is host-local. You need a network that exists on several hosts at once, which is what an overlay provides and a bridge cannot.

VXLAN Tunneling, Briefly

An overlay encapsulates each container's ethernet frame inside a UDP packet — VXLAN — and sends it to the host running the destination container, where it is decapsulated and delivered. The containers behave as if they are on one LAN even though their hosts may sit in different racks or regions. The encapsulation is what makes the trick work, and it is also what makes an overlay heavier than a plain bridge.

Overlay Needs a Control Plane

An overlay does not exist for plain docker run. It requires Docker Swarm — or another orchestrator — to manage which container runs on which host, distribute the network state to every machine, and assign addresses across the cluster. Something has to coordinate the multiple hosts, and that something is the control plane an orchestrator provides. Without it, there is no overlay to join.

The Hand-Off to Orchestration

Multi-host networking is one piece of a much larger problem: scheduling containers onto machines, scaling them, health-checking them, and rolling out new versions. Single-host Docker does not solve that problem and does not pretend to. Swarm's overlay (Chapter 12, topic 75) and Kubernetes' cluster networking (Chapter 12, topic 76) are where multi-host networking is treated properly, as part of orchestration rather than as a networking flag bolted onto docker run.

Why Driftwood Stays Single-Host Here

Driftwood's three containers on driftwood-net are a one-machine bridge topology, and that is the whole scope of this book. Scaling web across several machines is an orchestration decision — where do the replicas run, how does traffic spread across them, what happens when a host dies — and it is deferred to Chapter 12, not retrofitted onto a bridge here. The bridge topology you built in topic 40 is the finished single-host shape; the multi-host version is a different course's worth of machinery.

Common Mistakes
  • Trying to make containers on two separate hosts talk by putting them on the same bridge network — a bridge is host-local; cross-host communication needs an overlay, which needs an orchestrator.
  • Reaching for an overlay on a single host where a user-defined bridge already does the job — the overlay adds a control plane and VXLAN overhead for no benefit when everything runs on one machine.
  • Treating an overlay as a drop-in replacement for orchestration — the overlay is only the network layer; scheduling, scaling, and health checks are separate problems Swarm or Kubernetes solve.
  • Underestimating that VXLAN encapsulation adds overhead and shrinks the effective MTU — frames carry extra headers, so a misconfigured MTU causes mysterious large-packet failures that look like random connection hangs.
Best Practices
  • Keep to user-defined bridge networks for everything on one host, and treat the need for an overlay as the signal that you have crossed into orchestration territory.
  • When multi-host networking is genuinely required, adopt the orchestrator that owns it — Swarm (Chapter 12, topic 75) or Kubernetes (Chapter 12, topic 76) — rather than wiring overlays by hand.
  • Plan capacity and topology at the orchestration layer, since the overlay's behavior is inseparable from how the scheduler places containers.
  • Account for VXLAN's reduced MTU when an overlay is in play, so large packets do not fail silently.
Comparable tools Docker Swarm provides the built-in overlay driver and routing mesh Kubernetes CNI Calico · Cilium · Flannel · Weave solve the same cross-host problem at larger scale Istio · Linkerd service meshes layer traffic policy on top, across the orchestration boundary

Knowledge Check

What does an overlay network span that a bridge network cannot?

  • Multiple hosts — containers on different machines share one virtual network and resolve each other by name
  • More containers — a single bridge is hard-limited to only a few containers while an overlay has no such cap
  • The public internet — an overlay hands every attached container its own routable public IP address
  • Higher throughput — an overlay moves packets faster than a plain bridge even on the same host

What role does VXLAN play in an overlay network?

  • It encapsulates each container's ethernet frame in a UDP packet sent to the destination host and decapsulated there
  • It schedules which container runs on which host across the whole cluster and rebalances them
  • It encrypts all of the container traffic end to end so that it always stays fully safe to send over the public internet
  • It compresses the frames in transit to reduce the bandwidth consumed between cluster hosts

Why does an overlay network require an orchestrator or control plane?

  • Something must coordinate the hosts — manage placement, distribute network state, and assign cluster-wide addresses
  • A plain docker run on a single host can create an overlay on its own; the orchestrator is only optional convenience tooling
  • Because all VXLAN traffic must first be authorized by a paid, cluster-wide license server before flowing
  • Because the Linux kernel by itself cannot forward any VXLAN frames at all without an orchestrator present

Where does single-host Docker hand off, and to what?

  • At multi-host networking, scheduling, and scaling — handed to Swarm (topic 75) and Kubernetes (topic 76)
  • At multi-container apps running on one host — handed off to Docker Compose and its declarative file
  • At persistent storage for stateful data — handed off entirely to the volume drivers introduced back in Chapter 6
  • At building container images from source — handed off to the Dockerfile and the BuildKit engine

You got correct