Container networking is one of the biggest challenges of supporting containers in production. Container-based networking was not designed to scale to production levels, and operators have used workarounds that are difficult to scale.

To ease data center managers’ concerns about security and management issues, Docker has introduced a modular approach to networking. Docker’s new framework allows network providers including VMware and Cisco to provide container-level network services. VMware previewed this capability during an advanced session at VMworld 2015.

VMware’s preview of managing Docker networking using NSX

VMware’s Networking & Security Business Unit (NSBU) Chief Technology Strategy Officer Guido Appenzeller walked me through the tech preview of the company’s approach to managing Docker networks.

Docker Libnetwork framework brings its plugin model to the network stack. Docker’s new network model allows for out-of-the-box networking or plug-ins from the ecosystem. VMware leveraged this plugin model to create a module for Docker containers.

According to Appenzeller, VMware pulled the latest Docker code to build the plugin. To me, this indicates that a production-level solution is further in the future than some would like. He assured me that I’m more anxious than a great majority of NSX customers; his off-the-cuff estimate is that 95% of VMware’s 150 production installs had no need for container networking.

Docker’s new network framework allows VMware NSX to extend the abstraction of the full layer-2 network to containers. VMware showed the capability of filtering network traffic in between containers. Administrators have had the capability to do filtering in between container hosts in previous Docker network solutions — the added value is that VMware showed isolation between containers on the same physical host, preventing container escalation.

Container escalation is the ability to access the host due to weak or non-existent network security between the host and the containers running on that host. Container escalation has long been a security weakness of Docker networking. If all holds consistent, future versions of NSX will allow security admins to apply virtual machine-like filtering rules to containers.


The VMware NSX preview shows the promise of Docker container management. VMware has demonstrated the potential to eliminate a critical hole in Docker security.

I do find Appenzeller’s comment about the lack of requests for the capability interesting. Has Docker networking been an inhibitor to your organization embracing containers? Let us know in the comments.