Creates a new network. The DRIVER accepts bridge or overlay which are thebuilt-in network drivers. If you have installed a third party or your own customnetwork driver you can specify that DRIVER here also. If you don't specify the--driver option, the command automatically creates a bridge network for you.When you install Docker Engine it creates a bridge network automatically. Thisnetwork corresponds to the docker0 bridge that Docker Engine has traditionally reliedon. When you launch a new container with docker run it automatically connects tothis bridge network. You cannot remove this default bridge network, but you cancreate new ones using the network create command.

Bridge networks are isolated networks on a single Docker Engine installation. If youwant to create a network that spans multiple Docker hosts each running DockerEngine, you must enable Swarm mode, and create an overlay network. To read moreabout overlay networks with Swarm mode, see"use overlay networks".

Once you have enabled swarm mode, you can create a swarm-scoped overlay network:

By default, swarm-scoped networks do not allow manually started containers tobe attached. This restriction is added to prevent someone that has access toa non-manager node in the swarm cluster from running a container that is ableto access the network stack of a swarm service.

The --attachable option used in the example above disables this restriction,and allows for both swarm services and manually started containers to attach tothe overlay network.

Network names must be unique. The Docker daemon attempts to identify namingconflicts but this is not guaranteed. It is the user's responsibility to avoidname conflicts.

You should create overlay networks with /24 blocks (the default), which limitsyou to 256 IP addresses, when you create networks using the default VIP-basedendpoint-mode. This recommendation addresseslimitations with swarm mode. If youneed more than 256 IP addresses, do not increase the IP block size. You caneither use dnsrr endpoint mode with an external load balancer, or use multiplesmaller overlay networks. SeeConfigure service discoveryfor more information about different endpoint modes.

When you start a container, use the --network flag to connect it to a network.This example adds the busybox container to the mynet network:

If you want to add a container to a network after the container is alreadyrunning, use the docker network connect subcommand.

You can connect multiple containers to the same network. Once connected, thecontainers can communicate using only another container's IP address or name.For overlay networks or custom plugins that support multi-host connectivity,containers connected to the same multi-host network but launched from differentdaemons can also communicate in this way.

You can disconnect a container from a network using the docker network disconnect command.

When you create a network, Docker Engine creates a non-overlapping subnetworkfor the network by default. This subnetwork is not a subdivision of an existingnetwork. It is purely for ip-addressing purposes. You can override this defaultand specify subnetwork values directly using the --subnet option. On abridge network you can only create a single subnet:

Additionally, you also specify the --gateway --ip-range and --aux-addressoptions.

If you omit the --gateway flag, Docker Engine selects one for you from insidea preferred pool. For overlay networks and for network driver plugins thatsupport it you can create multiple subnetworks. This example uses two /25subnet mask to adhere to the current guidance of not having more than 256 IPs ina single overlay network. Each of the subnetworks has 126 usable addresses.

Be sure that your subnetworks do not overlap. If they do, the network createfails and Docker Engine returns an error.

When creating a custom network, the default network driver (i.e. bridge) hasadditional options that can be passed. The following are those options and theequivalent Docker daemon flags used for docker0 bridge:

The following arguments can be passed to docker network create for anynetwork driver, again with their approximate equivalents to Docker daemonflags used for the docker0 bridge:

For example, let's use -o or --opt options to specify an IP address bindingwhen publishing ports:

Containers on an internal network may communicate between each other, but notwith any other network, as no default route is configured and firewall rulesare set up to drop all traffic to or from other networks. Communication withthe gateway IP address (and thus appropriately configured host services) ispossible, and the host may communicate with any container IP directly.

By default, when you connect a container to an overlay network, Docker alsoconnects a bridge network to it to provide external connectivity. If you wantto create an externally isolated overlay network, you can specify the--internal option.

You can create the network which will be used to provide the routing-mesh in theswarm cluster. You do so by specifying --ingress when creating the network. Onlyone ingress network can be created at the time. The network can be removed onlyif no services depend on it. Any option available when creating an overlay networkis also available when creating the ingress network, besides the --attachable option.

You can create services on the predefined Docker networks bridge and host.

You can create a swarm network with local scope network drivers. You do soby promoting the network scope to swarm during the creation of the network.You will then be able to use this network when creating services.

For network drivers which provide connectivity across hosts (ex. macvlan), ifnode specific configurations are needed in order to plumb the network on eachhost, you will supply that configuration via a configuration only network.When you create the swarm scoped network, you will then specify the name of thenetwork which contains the configuration.