Choose the right networking mode for your containers. Understand when isolation matters and when performance is key.
Bridge mode (default)
The default and most secure option - containers get their own network namespace:
```yaml
services:
  web:
    image: nginx
    ports:
      - "8080:80" # Port mapping required
    networks:
      - app_network
  db:
    image: postgres:15
    networks:
      - app_network
networks:
  app_network:
    driver: bridge
```
Containers can communicate using service names (web, db) within the network.
Host mode
Container shares the host’s network stack - no network isolation:
```yaml
services:
  monitoring:
    image: prometheus/node-exporter
    network_mode: host
    # No port mapping needed - uses host ports directly
```
The container can access all host network interfaces directly.
Key differences
| Feature | Bridge | Host |
|---|---|---|
| Port mapping | Required (8080:80) | Not needed |
| Network isolation | Yes | No |
| Container DNS | Service names work | Use localhost/IPs |
| Performance | Small overhead | Native speed |
| Security | Better isolation | Less secure |
When to use each
Use Bridge for:
```yaml
services:
  # Application services
  api:
    networks: [app]
  # Databases
  postgres:
    networks: [app]
  # Web servers
  nginx:
    networks: [app]
```
Use Host for:
```yaml
services:
  # System monitoring
  node-exporter:
    network_mode: host
  # Network tools
  tcpdump:
    network_mode: host
  # Performance-critical
  game-server:
    network_mode: host
```
Security considerations
Bridge mode provides better security:
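```yaml
services:
  # Isolated database
  database:
    image: postgres
    networks:
      - backend
    # Not exposed to host network (no ports entry)
  # Only web is exposed
  web:
    image: nginx
    networks:
      - backend
    ports:
      - "443:443" # Controlled exposure
# Declare the network the services reference
networks:
  backend:
    driver: bridge
```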
Host mode risks:
- Container can access all host ports
- Can see all network traffic
- No network-level isolation
Mixing modes
You can mix both in one project:
```yaml
services:
  app:
    image: myapp
    networks:
      - isolated
    ports:
      - "3000:3000"
  monitoring:
    image: netdata/netdata
    network_mode: host
    # Can monitor host system and services on host ports
networks:
  isolated:
    driver: bridge
```
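An added example (not from the original page): a small audit over the JSON form of a Compose project, as produced by `docker compose config --format json`, that reports which services run on the host network and which publish ports to the host. The embedded project is constructed from the mixed-mode example above plus a hypothetical `db` service, and `audit_network_exposure` is an illustrative name.

```python
import json

# Constructed sample, shaped like `docker compose config --format json`
# output (ports in long form). It mirrors the mixed-mode project above,
# plus a hypothetical "db" service that publishes nothing.
SAMPLE = json.loads("""
{
  "services": {
    "app": {
      "image": "myapp",
      "networks": {"isolated": null},
      "ports": [{"mode": "ingress", "target": 3000,
                 "published": "3000", "protocol": "tcp"}]
    },
    "monitoring": {"image": "netdata/netdata", "network_mode": "host"},
    "db": {"image": "postgres:15", "networks": {"isolated": null}}
  },
  "networks": {"isolated": {"driver": "bridge"}}
}
""")


def audit_network_exposure(config):
    """Return sorted (service, finding) pairs describing host-facing exposure."""
    findings = []
    for name, svc in config.get("services", {}).items():
        if svc.get("network_mode") == "host":
            # Host mode: the container shares the host's network stack.
            findings.append((name, "host network: no network isolation"))
            continue
        ports = svc.get("ports") or []
        for port in ports:
            # Without host_ip, a published port binds on every host interface.
            host_ip = port.get("host_ip") or "all host interfaces"
            published = port.get("published") or "ephemeral port"
            findings.append(
                (name, f"publishes {published}->{port['target']} on {host_ip}"))
        if not ports:
            findings.append((name, "bridge only: not published to the host"))
    return sorted(findings)


if __name__ == "__main__":
    for service, finding in audit_network_exposure(SAMPLE):
        print(f"{service}: {finding}")
```

A port written as `"127.0.0.1:3000:3000"` carries a `host_ip` in this output, and the audit then reports that address instead of all host interfaces.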
Pro tip
Test network isolation:
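```bash
# Bridge mode - localhost is the container's own loopback, so host services are not reachable there
docker compose exec web curl localhost:5432        # Fails
# Host mode - localhost is the host's loopback, so host services are reachable
docker compose exec monitoring curl localhost:5432 # Works (given a listener on host port 5432)
```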
Choose bridge for security, host for system-level tools.