1st chunk of `content/manuals/engine/network/drivers/overlay.md`
---
title: Overlay network driver
description: All about using overlay networks
keywords: network, overlay, user-defined, swarm, service
aliases:
- /config/containers/overlay/
- /engine/userguide/networking/overlay-security-model/
- /network/overlay/
- /network/drivers/overlay/
---

The `overlay` network driver creates a distributed network among multiple
Docker daemon hosts. This network sits on top of (overlays) the host-specific
networks, allowing containers connected to it to communicate securely when
encryption is enabled. Docker transparently handles routing of each packet to
and from the correct Docker daemon host and the correct destination container.

You can create user-defined `overlay` networks using `docker network create`,
in the same way that you can create user-defined `bridge` networks. Services
or containers can be connected to more than one network at a time. Services or
containers can only communicate across networks they're each connected to.

Overlay networks are most often used to connect Swarm services, but you can
also use them to connect standalone containers running on different hosts.
Even when only standalone containers are involved, the hosts must still be
joined in Swarm mode, because Swarm is what establishes the connection between
them.

This page describes overlay networks in general, and when used with standalone
containers. For information about overlay for Swarm services, see
[Manage Swarm service networks](/manuals/engine/swarm/networking.md).

## Create an overlay network

Before you start, you must ensure that participating nodes can communicate over the network.
The following table lists ports that need to be open to each host participating in an overlay network:

| Ports                  | Description                                                                                                                                                          |
| :--------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `2377/tcp`             | The default Swarm control plane port; configurable with [`docker swarm join --listen-addr`](/reference/cli/docker/swarm/join.md#--listen-addr-value) |
| `4789/udp`             | The default overlay traffic port, configurable with [`docker swarm init --data-path-addr`](/reference/cli/docker/swarm/init.md#data-path-port)          |
| `7946/tcp`, `7946/udp` | Used for communication among nodes, not configurable                                                                                                                 |

To create an overlay network that containers on other Docker hosts can connect to,
run the following command:

```console
$ docker network create -d overlay --attachable my-attachable-overlay
```

The `--attachable` option enables both standalone containers
and Swarm services to connect to the overlay network.
Without `--attachable`, only Swarm services can connect to the network.

You can specify the IP address range, subnet, gateway, and other options. See
`docker network create --help` for details.

## Encrypt traffic on an overlay network

Use the `--opt encrypted` flag to encrypt the application data
transmitted over the overlay network:

```console
$ docker network create \
  --opt encrypted \
  -d overlay \
  --attachable \
  my-encrypted-overlay
```
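The two commands above create the network, but nothing on this page shows how to confirm afterwards that a given overlay actually carries the `--attachable` and `--opt encrypted` settings. The following script is an added example and is not part of the Docker documentation or the Docker project's code. It builds the `docker network create` argument list from the options described above, and it audits `docker network inspect` output for overlay networks that were created without encryption. The sample inspect JSON is constructed, not captured from a real daemon; the script assumes Docker records `--opt encrypted` in the `Options` map under the key `encrypted` (with an empty value when no `=value` was given), and the field names `Driver`, `Attachable` and `Options` follow the inspect layout as this author understands it.

```python
"""Audit Docker overlay networks from `docker network inspect` output.

Added example, not Docker's own code. Assumes the `docker network inspect`
JSON layout (Name, Driver, Scope, Attachable, Options); the sample below is
constructed for illustration.
"""
import json
import subprocess
from typing import Any

# Constructed sample of `docker network inspect` output covering three
# networks: an encrypted attachable overlay, a plain overlay, and a bridge
# network that the audit must ignore.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "my-attachable-overlay",
        "Driver": "overlay",
        "Scope": "swarm",
        "Attachable": True,
        # Assumption: `--opt encrypted` is stored as the key with an empty value.
        "Options": {"encrypted": ""},
    },
    {
        "Name": "plain-overlay",
        "Driver": "overlay",
        "Scope": "swarm",
        "Attachable": False,
        "Options": {},
    },
    {
        "Name": "bridge",
        "Driver": "bridge",
        "Scope": "local",
        "Attachable": False,
        "Options": {},
    },
])


def create_command(name: str, *, attachable: bool = True,
                   encrypted: bool = True) -> list[str]:
    """Build the argv for `docker network create` with the options this page describes."""
    argv = ["docker", "network", "create", "-d", "overlay"]
    if attachable:
        argv.append("--attachable")      # lets standalone containers join, not only services
    if encrypted:
        argv += ["--opt", "encrypted"]   # encrypt application data on the overlay
    argv.append(name)
    return argv


def is_encrypted(net: dict[str, Any]) -> bool:
    """True when the network was created with `--opt encrypted`.

    The option may appear as "" (bare `--opt encrypted`) or as an explicit
    "true"; any other value, or a missing key, means unencrypted.
    """
    opts = net.get("Options") or {}
    if "encrypted" not in opts:
        return False
    return str(opts["encrypted"]).strip().lower() in ("", "true", "1")


def summarize_overlays(inspect_json: str) -> dict[str, dict[str, bool]]:
    """Map each overlay network name to its encryption and attachability state."""
    summary: dict[str, dict[str, bool]] = {}
    for net in json.loads(inspect_json):
        if net.get("Driver") != "overlay":
            continue  # bridge/host/macvlan networks are out of scope here
        summary[net["Name"]] = {
            "encrypted": is_encrypted(net),
            "attachable": bool(net.get("Attachable", False)),
        }
    return summary


def unencrypted_overlays(inspect_json: str) -> list[str]:
    """Names of overlay networks whose traffic between hosts is not encrypted."""
    return sorted(name for name, state in summarize_overlays(inspect_json).items()
                  if not state["encrypted"])


def audit_live(names: list[str]) -> list[str]:
    """Run the audit against the local daemon (needs the docker CLI and Swarm mode)."""
    out = subprocess.run(["docker", "network", "inspect", *names],
                         check=True, capture_output=True, text=True).stdout
    return unencrypted_overlays(out)


if __name__ == "__main__":
    print(" ".join(create_command("my-encrypted-overlay")))
    for name, state in summarize_overlays(SAMPLE_INSPECT).items():
        print(f"{name}: encrypted={state['encrypted']} attachable={state['attachable']}")
    print("unencrypted overlays:", unencrypted_overlays(SAMPLE_INSPECT))
```

Running the script as-is evaluates the constructed sample; `audit_live(["my-attachable-overlay"])` performs the same check against a real daemon by piping `docker network inspect` output into the parser. Treating a missing `encrypted` key as unencrypted is the conservative choice: the daemon only adds the key when the option was passed at creation time, and encryption cannot be switched on for an existing overlay without recreating it.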