What is a Bridge Network

A bridge network is a virtual Layer 2 network switch implemented in the Linux kernel. Docker creates a bridge called docker0 when the daemon starts and connects each container to it using veth pairs. Containers on the same bridge can communicate by IP address.

How it works

A Linux bridge works like a physical network switch — it forwards Ethernet frames between connected interfaces based on MAC addresses. The docker0 bridge is in the host's network namespace. Each container has its own network namespace with an eth0 interface connected to the bridge via a veth pair.

Docker assigns each container an IP address from the bridge's private subnet (typically 172.17.0.0/16). The bridge itself has an IP (172.17.0.1) and acts as the default gateway for containers. Outbound traffic from containers is NATed to the host's IP by iptables MASQUERADE rules.

User-defined bridge networks (docker network create mynet) provide DNS-based service discovery — containers on the same user-defined network can resolve each other by container name. The default bridge does not provide this.

Containers on different bridge networks are isolated from each other. The bridge does not forward packets between networks unless a container is explicitly connected to both.
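
The following is an added example, not part of the original page: a Python check over `docker network inspect` output that derives which container pairs share a bridge and flags containers that sit on the default bridge or are attached to more than one network. The sample JSON, the container and network names, and the function names are constructed for illustration.

```python
import ipaddress
import json
from itertools import combinations

# Constructed sample shaped like `docker network inspect bridge frontend backend`,
# trimmed to the fields used below. Names, IDs and addresses are made up.
SAMPLE = json.loads("""[
 {"Name": "bridge", "Driver": "bridge",
  "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
  "Options": {"com.docker.network.bridge.default_bridge": "true"},
  "Containers": {"c1": {"Name": "legacy", "IPv4Address": "172.17.0.2/16"}}},
 {"Name": "frontend", "Driver": "bridge",
  "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]},
  "Containers": {"c2": {"Name": "web", "IPv4Address": "172.18.0.2/16"},
                 "c3": {"Name": "api", "IPv4Address": "172.18.0.3/16"}}},
 {"Name": "backend", "Driver": "bridge",
  "IPAM": {"Config": [{"Subnet": "172.19.0.0/16", "Gateway": "172.19.0.1"}]},
  "Containers": {"c3": {"Name": "api", "IPv4Address": "172.19.0.2/16"},
                 "c4": {"Name": "db", "IPv4Address": "172.19.0.3/16"}}}
]""")

def membership(networks):
    """Map container name -> set of bridge networks it has an interface on."""
    seen = {}
    for net in networks:
        if net.get("Driver") != "bridge":
            continue
        subnet = ipaddress.ip_network(net["IPAM"]["Config"][0]["Subnet"])
        for ep in net.get("Containers", {}).values():
            # Each endpoint address must come from that bridge's subnet.
            if ipaddress.ip_interface(ep["IPv4Address"]).ip not in subnet:
                raise ValueError(f"{ep['Name']} is outside {subnet}")
            seen.setdefault(ep["Name"], set()).add(net["Name"])
    return seen

def same_bridge_pairs(networks):
    """Container pairs that share a bridge and can reach each other by IP."""
    m = membership(networks)
    return {frozenset(p) for p in combinations(sorted(m), 2) if m[p[0]] & m[p[1]]}

def audit(networks):
    """Flag default-bridge containers and containers joined to several bridges."""
    default = {n["Name"] for n in networks if n.get("Options", {}).get(
        "com.docker.network.bridge.default_bridge") == "true"}
    m = membership(networks)
    return {"on_default_bridge": sorted(c for c, nets in m.items() if nets & default),
            "multi_homed": sorted(c for c, nets in m.items() if len(nets) > 1)}
```

On a real host, pass in the parsed output of `docker network inspect $(docker network ls -q)` instead of the sample. In the sample, `web` and `db` share no bridge, so the only path between them runs through `api`, which is the container to review first.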

Why it matters

Bridge networking is the default container networking mode. Understanding how it works explains why containers can communicate on the same network, why port mapping is needed for external access, and why user-defined networks are preferred over the default bridge for multi-container applications.

See How Container Networking Works for the full network architecture.