> Default address pools can only be configured on `swarm init` and cannot be altered after cluster creation.
##### Overlay network size limitations
Docker recommends creating overlay networks with `/24` blocks. The `/24` overlay network blocks limit the network to 256 IP addresses.
This recommendation addresses [limitations with swarm mode](https://github.com/moby/moby/issues/30820).
If you need more than 256 IP addresses, do not increase the IP block size. You can either use `dnsrr`
endpoint mode with an external load balancer, or use multiple smaller overlay networks. See
[Configure service discovery](#configure-service-discovery) for more information about different endpoint modes.
#### Configure encryption of application data {#encryption}
Management and control plane data related to a swarm is always encrypted.
For more details about the encryption mechanisms, see the
[Docker swarm mode overlay network security model](/manuals/engine/network/drivers/overlay.md).
Application data among swarm nodes is not encrypted by default. To encrypt this
traffic on a given overlay network, use the `--opt encrypted` flag on `docker
network create`. This enables IPSEC encryption at the level of the vxlan. This
encryption imposes a non-negligible performance penalty, so you should test this
option before using it in production.
> [!NOTE]
>
> You must [customize the automatically created ingress](#customize-ingress)
> to enable encryption. By default, all ingress traffic is unencrypted, as encryption
> is a network-level option.
## Attach a service to an overlay network
To attach a service to an existing overlay network, pass the `--network` flag to
`docker service create`, or the `--network-add` flag to `docker service update`.
```console
$ docker service create \
--replicas 3 \
--name my-web \
--network my-network \
nginx
```
Service containers connected to an overlay network can communicate with
each other across it.
To see which networks a service is connected to, use `docker service ls` to find
the name of the service, then `docker service ps <service-name>` to list the
networks. Alternately, to see which services' containers are connected to a
network, use `docker network inspect <network-name>`. You can run these commands
from any swarm node which is joined to the swarm and is in a `running` state.
### Configure service discovery
Service discovery is the mechanism Docker uses to route a request from your
service's external clients to an individual swarm node, without the client
needing to know how many nodes are participating in the service or their
IP addresses or ports. You don't need to publish ports which are used between
services on the same network. For instance, if you have a
[WordPress service that stores its data in a MySQL service](https://training.play-with-docker.com/swarm-service-discovery/),
and they are connected to the same overlay network, you do not need to publish
the MySQL port to the client, only the WordPress HTTP port.
Service discovery can work in two different ways: internal connection-based
load-balancing at Layers 3 and 4 using the embedded DNS and a virtual IP (VIP),
or external and customized request-based load-balancing at Layer 7 using DNS
round robin (DNSRR). You can configure this per service.
- By default, when you attach a service to a network and that service publishes
one or more ports, Docker assigns the service a virtual IP (VIP), which is the
"front end" for clients to reach the service. Docker keeps a list of all
worker nodes in the service, and routes requests between the client and one of
the nodes. Each request from the client might be routed to a different node.
- If you configure a service to use DNS round-robin (DNSRR) service discovery,
there is not a single virtual IP. Instead, Docker sets up DNS entries for the
service such that a DNS query for the service name returns a list of IP
addresses, and the client connects directly to one of these.