Q. What are the networking options for containers in Windows Server?
A. There are three networking modes available for containers running on Windows Server 2016, and all of them use the Hyper-V virtual switch component to provide connectivity to the vNICs (for Windows Server containers) and the vmNICs (for Hyper-V containers). The three modes are:
- NAT - By default a NAT network is created using the 172.16.0.0/12 address space when the Docker daemon (service) starts, and in the RTM release of Windows Server 2016 additional NAT networks cannot be created while the default NAT network exists. With the NAT network type an internal virtual switch is created to which the containers connect; the container host also has a vNIC connected to that switch, and the WinNAT service then provides NAT for that address space via the physical network adapter in the container host that has external connectivity.
- Transparent - This is the most familiar to Hyper-V administrators: an external virtual switch is created and containers are connected directly to it, with their packets sent out via the switch unmodified. This can cause problems in environments with a large number of containers or a high rate of container churn, because each container has its own MAC address that is constantly being added and removed, which creates a lot of work for the organization's router infrastructure and can even fill up router tables.
- L2Bridge/L2Tunnel - L2Bridge uses a virtual switch, but traffic on the same subnet as the container host is bridged directly rather than sent via the switch, while all other traffic is sent via an external virtual switch. This can integrate with technologies such as network virtualization. L2Tunnel is only for public cloud scenarios; it works like L2Bridge except that all traffic is sent via the virtual switch to ensure policy can be applied.
Networks are created with docker network create -d <type> <network name> [options such as --subnet and --gateway].
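As an added example (not part of the original answer), the following PowerShell session creates a transparent and an l2bridge network with the docker CLI and then checks the Hyper-V switch and WinNAT objects that back them; the network names, subnets and gateways are constructed values, and it assumes an elevated PowerShell on a Windows Server 2016 container host with the Hyper-V and NetNat modules installed.

```powershell
# Added example, not from the original answer. Names and subnets are constructed.
# Assumes an elevated PowerShell on a Windows Server 2016 container host
# with the Hyper-V and NetNat PowerShell modules available.

# 1. The default NAT network that the Docker daemon creates when it starts.
#    On RTM a second nat-type network cannot be created while this one exists,
#    so list it first rather than trying to create another.
docker network ls --filter driver=nat
docker network inspect nat --format '{{range .IPAM.Config}}{{.Subnet}}{{end}}'

# The internal switch the containers attach to, and the WinNAT object that
# translates that address space out through the host's external adapter.
Get-VMSwitch | Where-Object SwitchType -eq 'Internal' | Select-Object Name, SwitchType
Get-NetNat | Select-Object Name, InternalIPInterfaceAddressPrefix

# 2. Transparent: an external switch, containers placed directly on the
#    physical subnet. --subnet/--gateway here set a static range (constructed).
docker network create -d transparent --subnet 192.0.2.0/24 --gateway 192.0.2.1 TransparentNet
Get-VMSwitch | Where-Object SwitchType -eq 'External' |
    Select-Object Name, NetAdapterInterfaceDescription

# 3. L2Bridge: same-subnet traffic bridged on the host, everything else via
#    the external switch. Subnet and gateway are again constructed values.
docker network create -d l2bridge --subnet 198.51.100.0/24 --gateway 198.51.100.1 L2BridgeNet

# Confirm the driver and address range Docker recorded for each network.
docker network ls --filter driver=transparent --filter driver=l2bridge
docker network inspect TransparentNet L2BridgeNet --format '{{.Name}}: {{.Driver}}'

# Attach a container to a chosen network and show the address it received.
# microsoft/nanoserver is the Windows Server 2016 era base image name.
docker run --rm --network TransparentNet microsoft/nanoserver ipconfig
```

Because a transparent network puts each container's MAC and IP directly on the physical LAN, the Get-VMSwitch output is a quick way to confirm which physical adapter those containers are now reachable through.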