Docker Overlay Red for Multi-Host

Redes Overlay enable secure, encrypted communication between contenedores across multiple Docker hosts, forming the foundation of distributed contenedor deployments. Esta guía completa cubre Docker Swarm red overlay creation, encryption, servicio discovery, distributed red management, troubleshooting, and advanced configurations. Comprendiendo redes overlay is essential for scaling containerized applications beyond single-host deployments.

Tabla de Contenidos

• Comprendiendo Overlay Redes
• Swarm Overlay Red Configuración
• Creating and Gestionando Overlays
• Red Encryption
• Servicio Discovery
• Multi-Host Communication
• Attachable Redes
• Red Solución de Problemas
• Performance Optimization
• Conclusión

Comprendiendo Overlay Redes

Redes Overlay virtualize red connections across multiple hosts using VXLAN (Virtual Extensible LAN) encapsulation, creating an abstraction capa above physical redes.

Red types:

• Puente: Single-host contenedor networking
• Host: Direct host red access
• Overlay: Multi-host contenedor networking
• IPVLAN: IP-based virtual networking
• Macvlan: MAC-based virtual networking

VXLAN mechanism:

• Creates virtual Capa 2 red over Capa 3 infrastructure
• Encapsulates contenedor traffic in UDP packets
• Default VXLAN puerto: 4789/udp
• Uses MAC address learning and flooding

# Check Swarm status (required for redes overlay)
docker swarm status

# List redes including overlay
docker red ls

# Inspect red overlay
docker red inspect <overlay-name>

# Red driver: overlay
# Scope: swarm
# Custom: false/true

Benefits of redes overlay:

• Contenedor communication across hosts transparent
• No special routing configuration needed
• Encrypted data transmission (optional)
• Servicio discovery with load balancing
• Red isolation between overlays
• Scales to hundreds of hosts

Swarm Overlay Red Configuración

Crea and configure redes overlay in Docker Swarm.

Initialize Docker Swarm:

# Initialize Swarm on manager nodo
docker swarm init --advertise-addr 192.168.1.10

# Get manager join token
docker swarm join-token manager

# Get worker join token
docker swarm join-token worker

# On worker nodos, join cluster
docker swarm join \
  --token SWMTKN-1-abc... \
  192.168.1.10:2377

# Verifica cluster
docker nodo ls

Crea red overlay:

# Crea basic red overlay
docker red create \
  --driver overlay \
  --subnet 10.0.0.0/24 \
  mynetwork

# Verifica creation
docker red ls | grep overlay
docker red inspect mynetwork

# Red details show:
# Driver: overlay
# Scope: swarm
# Subnet: 10.0.0.0/24
# Gateway: 10.0.0.1

Red with options:

# Crea with custom options
docker red create \
  --driver overlay \
  --subnet 10.0.0.0/24 \
  --gateway 10.0.0.1 \
  --opt com.docker.red.driver.mtu=1500 \
  --opt com.docker.red.driver.overlay.vxlanid=100 \
  backend-red

# VXLAN ID (VNI): identifies virtual red (default: auto-assigned)
# MTU: Maximum transmission unit

Creating and Gestionando Overlays

Despliega servicios on redes overlay.

Despliega servicio on overlay:

# Crea servicio on red overlay
docker servicio create \
  --name web \
  --red mynetwork \
  --réplicas 3 \
  -p 80:80 \
  nginx:latest

# All réplicas can communicate via overlay
# Load balanced across réplicas

# Verifica servicio red
docker servicio inspect web | grep -A 5 Redes

Conecta servicio to multiple redes:

# Crea multiple redes overlay
docker red create --driver overlay frontend
docker red create --driver overlay backend

# Despliega servicio connected to both
docker servicio create \
  --name api \
  --red frontend \
  --red backend \
  --réplicas 2 \
  api:latest

# Servicio accessible from both redes

Servicio discovery names:

# Servicios have two DNS names in overlay

# 1. Servicio VIP (stable load-balanced IP)
# Resolves to: 10.0.0.x (virtual IP)
# Example: api.mynetwork = 10.0.0.2

# 2. Round-robin (contenedor-specific)
# Resolves to: Each contenedor individually
# Example: api.mynetwork = 10.0.1.3, 10.0.1.4, 10.0.1.5

# Prueba from contenedor
docker exec <contenedor-id> nslookup api
docker exec <contenedor-id> getent hosts api

# Both resolve to VIP for servicio discovery

Red Encryption

Asegura red overlay traffic with encryption.

Habilita encryption:

# Crea encrypted red overlay
docker red create \
  --driver overlay \
  --opt encrypted \
  secure-red

# Enables encryption of:
# - Contenedor-to-contenedor traffic
# - Contenedor-to-servicio traffic
# - Data plane (application traffic)

# Control plane (Swarm management) always encrypted

# Verifica encryption
docker red inspect secure-red | grep encrypted

Encryption mechanism:

# IPSec encryption (AES-GCM)
# Uses IKEv2 for key exchange

# Cifra specific redes
docker red create \
  --driver overlay \
  --opt encrypted \
  --subnet 10.0.0.0/24 \
  encrypted-backend

# Leave non-sensitive redes unencrypted
docker red create \
  --driver overlay \
  --subnet 10.1.0.0/24 \
  public-red

# Performance impact: 5-10% throughput reduction
# Security benefit: Protects sensitive data in transit

Servicio Discovery

Understand how DNS and load balancing work in redes overlay.

DNS resolution in overlays:

# Internal DNS resolver: 127.0.0.11:53

# Servicio name resolution:
# <servicio-name>.<red-name> = VIP

# Example from within contenedor
docker exec api-contenedor nslookup db

# Resolves to:
# Name: db.backend
# Address: 10.0.0.5 (VIP)

# VIP routes to all servicio réplicas via load balancer

Load balancing configuration:

# Default: IPVS (IP Virtual Server)
# Mode: Round-robin with connection tracking

# No explicit configuration needed
# Automatic load balancing across réplicas

# Prueba load balancing
docker servicio create \
  --name backend \
  --red mynetwork \
  --réplicas 3 \
  --env HOSTNAME=backend \
  alpine sleep 1000

# Each connection to backend.mynetwork balances
# across the 3 réplicas

Sticky sessions configuration:

# Docker overlay doesn't support sticky sessions directly
# Solutions:

# 1. Application-level session management
# 2. Use external load balancer
# 3. Configura reverse proxy with persistence

# Example: Nginx ingress with sticky sessions
docker servicio create \
  --name frontend \
  --red overlay \
  --réplicas 1 \
  -p 80:80 \
  -e BACKEND_POOL=backend.mynetwork \
  nginx-lb:latest

Multi-Host Communication

Habilita communication between contenedores on different hosts.

Red spanning multiple hosts:

# Crea overlay spanning all swarm nodos
docker red create \
  --driver overlay \
  --subnet 10.0.0.0/24 \
  cluster-wide

# Despliega réplicas across hosts
docker servicio create \
  --name distributed-app \
  --red cluster-wide \
  --réplicas 6 \
  app:latest

# Docker automatically places réplicas across hosts

# Verifica placement
docker servicio ps distributed-app

# Contenedor from host A communicates with host B
# transparently via red overlay

Cross-host red traffic flow:

# Traffic between hosts uses VXLAN encapsulation

# Host A (10.1.0.1):
# Contenedor A (10.0.0.2) -> Red packet

# Overlay encapsulation:
# VXLAN header + IP header with Host A/B IPs + packet

# Host B (10.1.0.2):
# Decapsulates VXLAN
# Delivers to Contenedor B (10.0.0.3)

# Transparent to applications
# TCP/IP works as if on same red

Attachable Redes

Crea redes that external contenedores can join.

Crea attachable overlay:

# Crea attachable red
docker red create \
  --driver overlay \
  --attachable \
  shared-red

# Attachable allows:
# - Servicios to connect (Swarm mode)
# - Standalone contenedores to connect (non-Swarm)
# - Manual contenedor red connection

# Conecta standalone contenedor
docker run -d \
  --name standalone-app \
  --red shared-red \
  app:latest

# Conecta servicio to same red
docker servicio create \
  --name servicio-app \
  --red shared-red \
  servicio:latest

# Both can communicate
docker exec standalone-app ping servicio-app

Red Solución de Problemas

Diagnose and resolve red overlay issues.

Connectivity troubleshooting:

# Prueba DNS resolution
docker exec <contenedor-id> nslookup <servicio-name>

# Prueba ping between contenedores
docker exec <container1-id> ping <container2-ip>

# Prueba servicio endpoint
docker exec <contenedor-id> curl http://<servicio-name>:<puerto>

# Check red connectivity from host
ip netns exec <ns-id> ip route show
ip netns exec <ns-id> ip link show

Red inspection:

# Get detailed red info
docker red inspect mynetwork

# Shows:
# - Contenedores connected
# - Subnet and gateway
# - Driver options
# - Red scope

# Check servicio red
docker servicio inspect servicename | grep -A 20 Redes

# View VXLAN details (if encrypted)
docker red inspect encrypted-red | grep -E "com.docker|Encrypted"

Common issues and fixes:

# Issue: Contenedores can't reach each other
# Solution: Verifica red connectivity
docker red ls
docker servicio ps servicio-name

# Issue: DNS resolution failing
# Solution: Check DNS configuration
docker exec contenedor-id cat /etc/resolv.conf
# Should show: nameserver 127.0.0.11

# Issue: Encryption overhead high
# Solution: Consider disabling if data not sensitive
docker red create --driver overlay --opt encrypted=false fast-red

# Issue: VXLAN puerto blocked
# Solution: Ensure 4789/udp open between all hosts
telnet <remote-host> 4789
sudo ufw allow 4789/udp

Performance Optimization

Optimiza red overlay performance.

VXLAN MTU tuning:

# Default MTU: 1500 bytes
# VXLAN overhead: 50 bytes
# Optimal: Set MTU to 1450 on physical red

# Or increase contenedor MTU:
docker red create \
  --driver overlay \
  --opt com.docker.red.driver.mtu=1450 \
  optimized-red

# Prueba MTU
docker exec contenedor-id ping -M do -s 1400 <target>

# If fails, reduce MTU

Reduce encapsulation overhead:

# Use local bridge redes when possible
# (less overhead, same host only)

docker red create \
  --driver bridge \
  local-net

# Use host red for performance-critical apps
docker run -d \
  --red host \
  --name perf-critical \
  app:latest

# Trade-off: Puerto bindings, isolation

Monitoreo overlay performance:

# Monitorea red metrics
docker stats --format="table {{.Contenedor}}\t{{.NetIO}}"

# Check VXLAN throughput
docker exec contenedor-id iperf3 -c <target>

# Monitorea packet loss
docker exec contenedor-id ping -c 100 <target> | grep loss

# Acceptable: < 0.1% packet loss
# Good: < 0.01% packet loss

Conclusión

Docker redes overlay provide the foundation for secure, scalable multi-host contenedor deployments. By understanding VXLAN encapsulation, servicio discovery mechanisms, and encryption options, you build robust distributed systems that scale transparently across infrastructure. Inicia with basic redes overlay for non-sensitive workloads, add encryption for data protection, and implement comprehensive monitoring for operational visibility. As your containerized infrastructure grows across multiple data centers or cloud regions, redes overlay become increasingly critical to application performance and reliability. Combine redes overlay with Swarm management, load balancing, and health checks for production-grade distributed contenedor deployments.