Networks - what is new?

Docker Swarm - Overview and how to use it


Published Jul 13 2025, updated Jul 14 2025



Docker provides networking out of the box for standalone containers. When you move to Docker Swarm for container orchestration, the network model adapts to the needs of multi-host communication, scalability, and service discovery. Though both systems share some fundamentals, there are important differences in how networks behave, how containers discover each other, and how traffic is routed.




Standard Docker Networking Overview

In standalone Docker (non-Swarm mode), networking is relatively simple and mostly limited to the local host. Docker sets up several drivers for different networking strategies:


Common Docker Network Drivers:

  • bridge - Default driver for containers on a single host. Each container gets a virtual Ethernet interface on a private subnet.
  • host - Removes network isolation. Container uses the host’s network stack.
  • none - Disables all networking for the container.
  • macvlan - Assigns a MAC address to the container so it appears as a physical device on the network.
  • overlay - Enables multi-host communication (requires Swarm mode).
  • custom plugins - 3rd party or user-defined network drivers for advanced use cases.

Communication in Standard Docker:

  • Containers on the same custom bridge can talk to each other by container name.
  • Containers on different bridges or different hosts require port mapping or more complex networking solutions.
  • Docker assigns random names to networks unless specified.



Docker Swarm Networking Overview

When you initialise or join a Swarm, Docker automatically creates a different set of networking constructs to support cluster-wide communication.


| Feature | Standard Docker | Docker Swarm |
|---|---|---|
| Scope | Single host | Multi-host (cluster-wide) |
| Service discovery | Manual or via DNS on bridge | Built-in DNS, automatic across nodes |
| Overlay support | Must be created manually | Created automatically for services |
| Routing Mesh | Not available | Available for published ports |
| Load balancing | Manual (via nginx/haproxy etc.) | Built-in at ingress and DNS levels |
| Global network awareness | No | Yes |
| TLS encrypted traffic | No | Yes |





Overlay Networks in Swarm

Swarm primarily uses the overlay network driver for services. Overlay networks enable containers on different physical hosts to communicate as if they were on the same network.


When you deploy a service using Docker Swarm, Docker will either:

  • Attach the service to a user-defined overlay network, or
  • Use the default ingress network for published ports.

Example of Creating a Custom Overlay Network:

docker network create \
  --driver overlay \
  --attachable \
  my_swarm_net

--attachable allows standalone containers to connect to this network (useful for debugging or sidecars).


Deploying with the Network:

docker service create \
  --name webapp \
  --network my_swarm_net \
  nginx

All replicas of webapp, no matter where they’re deployed, can now talk to each other securely.





Service Discovery and DNS in Swarm

In standard Docker, container-to-container communication usually requires linking or using bridge networks. In Swarm, this is automated.

  • Every service gets a DNS entry.
  • Containers can resolve service names (e.g., redis) to one or more container IPs (replicas).
  • Docker Swarm uses internal DNS round-robin for load distribution.

So if you create:

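# Attach both services to the same overlay network so they can resolve each other by name
docker service create --name redis --network my_swarm_net redis
docker service create --name api --network my_swarm_net my-api

Because both services are attached to my_swarm_net, the api service can connect to redis just by calling redis:6379, with no IP management required.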






Routing Mesh and Ingress Networking

Docker Swarm introduces a concept called the Routing Mesh that allows you to publish a port on all nodes, regardless of whether a container is running on that node.


How it Works:

  • A published port (e.g., --publish 80:80) is exposed on every node.
  • Incoming traffic on any node is routed to a container that is part of the service.
  • Internal load balancing decides which replica gets the traffic.

This provides load balancing and high availability out of the box.



Example:

docker service create \
  --name web \
  --replicas 3 \
  --publish published=8080,target=80 \
  nginx

Even if only 1 replica is on node-2, all nodes in the cluster will route traffic from port 8080 to it.
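Because the routing mesh opens a published port on every node, the set of listeners to expect (and to cover in host firewall rules) is larger than the set of nodes running a replica. The following is an added example, not part of the original article: it derives the expected open ports per node from `docker service inspect`-style JSON. The sample data, node names and the host-mode `metrics` service (included only for contrast) are constructed.

```python
import json

# Constructed sample shaped like `docker service inspect` output, trimmed to
# the fields read below. "metrics" uses host-mode publishing for contrast.
SAMPLE_SERVICES = """
[
  {"Spec": {"Name": "web", "EndpointSpec": {"Ports": [
     {"Protocol": "tcp", "TargetPort": 80,
      "PublishedPort": 8080, "PublishMode": "ingress"}]}}},
  {"Spec": {"Name": "metrics", "EndpointSpec": {"Ports": [
     {"Protocol": "tcp", "TargetPort": 9100,
      "PublishedPort": 9100, "PublishMode": "host"}]}}},
  {"Spec": {"Name": "redis", "EndpointSpec": {"Mode": "vip"}}}
]
"""
NODES = ["node-1", "node-2", "node-3"]                  # constructed
PLACEMENT = {"web": {"node-2"}, "metrics": {"node-3"}}  # constructed


def expected_listeners(services_json, nodes, placement):
    """Map each node to the published ports that should be open on it.

    placement maps service name -> nodes running a task (assumed to be
    collected separately, for example from `docker service ps`).
    """
    listeners = {node: set() for node in nodes}
    for svc in json.loads(services_json):
        spec = svc["Spec"]
        ports = (spec.get("EndpointSpec") or {}).get("Ports") or []
        for p in ports:
            port = f'{p["PublishedPort"]}/{p.get("Protocol", "tcp")}'
            if p.get("PublishMode", "ingress") == "ingress":
                targets = nodes  # routing mesh: every node listens
            else:
                targets = placement.get(spec["Name"], set())  # host mode
            for node in targets:
                listeners.setdefault(node, set()).add(port)
    return {node: sorted(found) for node, found in listeners.items()}


if __name__ == "__main__":
    result = expected_listeners(SAMPLE_SERVICES, NODES, PLACEMENT)
    for node, ports in result.items():
        print(node, ports)
```

In the sample, node-1 runs no task at all yet still listens on 8080/tcp, which is the behaviour described above.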






Is Traffic Encrypted in Swarm?

Yes — inter-node communication over overlay networks in Swarm is encrypted by default, using mutual TLS.


Features:

  • Automatically manages certificates for each node
  • Encrypts traffic between services and managers
  • Optionally encrypts overlay network data at the network level using:

docker network create \
  --driver overlay \
  --opt encrypted \
  my_encrypted_net

This ensures that even if someone taps into your physical network, the data moving between containers remains secure.
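Since `--opt encrypted` is set per network, and `--attachable` (shown earlier) widens what can join a network, both are worth checking across a cluster. The following is an added example, not part of the original article: it audits `docker network inspect`-style JSON for overlay networks lacking the `encrypted` option or marked attachable. The sample data is constructed, and the field layout is trimmed to what the script reads.

```python
import json

# Constructed sample in the shape printed by `docker network inspect`,
# trimmed to the fields used below.
SAMPLE_INSPECT = """
[
  {"Name": "ingress", "Driver": "overlay", "Scope": "swarm",
   "Attachable": false, "Ingress": true,
   "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4096"}},
  {"Name": "my_swarm_net", "Driver": "overlay", "Scope": "swarm",
   "Attachable": true, "Ingress": false,
   "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4097"}},
  {"Name": "my_encrypted_net", "Driver": "overlay", "Scope": "swarm",
   "Attachable": false, "Ingress": false,
   "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4098",
               "encrypted": ""}},
  {"Name": "bridge", "Driver": "bridge", "Scope": "local",
   "Attachable": false, "Ingress": false, "Options": {}}
]
"""

NOT_ENCRYPTED = "data plane not encrypted (no --opt encrypted)"
ATTACHABLE = "attachable: standalone containers can join"


def audit_overlay_networks(inspect_json):
    """Return {network name: [findings]} for every overlay network."""
    report = {}
    for net in json.loads(inspect_json):
        if net.get("Driver") != "overlay":
            continue  # local-scope drivers do not carry cross-host traffic
        findings = []
        # `--opt encrypted` shows up as an "encrypted" key in Options;
        # its value may be an empty string, so test for the key only.
        if "encrypted" not in (net.get("Options") or {}):
            findings.append(NOT_ENCRYPTED)
        if net.get("Attachable"):
            findings.append(ATTACHABLE)
        report[net["Name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_overlay_networks(SAMPLE_INSPECT).items():
        print(name, "->", "; ".join(findings) or "ok")
```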






Compose Networking Differences (Standard vs Swarm)

When using Docker Compose:

  • In standard Docker, Compose creates a bridge network named after the project.
  • In Swarm mode, Compose with docker stack deploy creates overlay networks with the same names.

Example (docker-compose.yml):

services:
  app:
    image: myapp
    networks:
      - frontend
  redis:
    image: redis
    networks:
      - frontend

networks:
  frontend:
    driver: overlay

Deploy with:

docker stack deploy -c docker-compose.yml mystack

This automatically sets up an overlay network called mystack_frontend.



© 2025 SimpleSteps.guide