Macvlan Networks
Imagine you’re in a large office building. Normally, employees share a single reception desk (like a bridge network), and outsiders only see one main phone number. But with Macvlan, every employee gets their own direct phone line and desk - outsiders can call them directly without going through reception.
That’s what Macvlan networks do: they give containers their own IP addresses on the physical network, making them look like independent devices.
Macvlan Network Foundations
1. What is a Macvlan Network?
- A Macvlan network assigns a unique MAC address and IP address to each container.
- Containers appear as physical devices on the LAN.
- Useful when containers need to be directly accessible on the same network as the host.
2. Characteristics of Macvlan Networks
- Direct Connectivity: Containers talk to other devices on the LAN with their own addresses and no port mapping (`-p`) in between, which also means every port a container listens on is reachable from the LAN.
- Isolation: By default the host cannot reach its own Macvlan containers through the parent interface (a Linux kernel restriction, worked around with a macvlan sub-interface on the host). Containers on the same Macvlan network can still reach each other, and their traffic does not pass through Docker's iptables rules on the host, so any filtering has to happen inside the container or on the network.
- Performance: Higher throughput and lower latency than bridge networking, because there is no NAT and no userland proxy in the path.
- Use Cases:
- Running legacy applications that expect direct network presence.
- Assigning containers their own IPs for monitoring or compliance.
- Integrating containers into existing physical networks.
3. Macvlan Workflow
- Create a Macvlan network specifying parent interface and subnet.
- Assign containers to the Macvlan network.
- Containers receive unique IP addresses and appear as independent devices.
4. Macvlan vs Other Networks
| Feature | Bridge | Host | Overlay | Macvlan |
|---|---|---|---|---|
| Scope | Single host | Host stack | Multi‑host | Physical LAN |
| IP Address | Private IP behind host NAT | Host IP | Virtual overlay IP | Unique LAN IP |
| Isolation | Moderate | Low | High | High from host, none from LAN |
| Use Case | General apps | Performance apps | Distributed apps | Legacy integration, direct LAN presence |
Things to Remember
- Macvlan makes containers look like physical devices on the LAN: every port they listen on is reachable from the LAN, with no port publishing or host firewall rules in between.
- Each container gets its own IP and MAC address. Docker assigns the IPs from the subnet itself (it does not ask the LAN's DHCP server), so limit its pool with --ip-range and exclude addresses already in use with --aux-address to avoid collisions.
- The parent interface must be allowed to carry several MAC addresses. Switch port security, 802.1X, hypervisors that forbid MAC spoofing, and most cloud provider networks block this, so Macvlan is mostly a bare-metal or on-premises option.
- By default the host cannot reach its own Macvlan containers through the parent interface; add a macvlan sub-interface on the host if you need that.
- Ideal for legacy systems or environments requiring direct network presence.
Hands‑On Lab
Step 1: Create a Macvlan Network
docker network create -d macvlan \
--subnet=192.168.1.0/24 \
--gateway=192.168.1.1 \
-o parent=eth0 mymacvlan
- --subnet: Defines the IP range.
- --gateway: Default gateway for containers.
- -o parent: Host interface connected to the LAN.
Step 2: Run a Container in Macvlan Network
docker run -d --network=mymacvlan --name web nginx
- The container gets its own IP address in the 192.168.1.0/24 subnet.
Step 3: Verify IP Address
docker inspect web | grep IPAddress
- Shows the container’s unique LAN IP.
Step 4: Test Connectivity
- Ping the container from another device on the LAN.
- Access the Nginx server directly via its LAN IP.
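The workflow in section 3 and lab Steps 1 to 4 combined into one script. This is an added example, not code from the original page or from Docker; it uses the same hypothetical values as the lab (parent interface eth0, LAN 192.168.1.0/24, gateway 192.168.1.1, network mymacvlan, the nginx image) and adds two things the lab leaves out: a --ip-range/--aux-address carve-out so Docker's IPAM cannot hand out an address the LAN's DHCP server also uses, and a host-side macvlan sub-interface (named macvlan-shim here, an arbitrary choice) so the host can reach its own containers. The pool 192.168.1.192/27 and the shim address 192.168.1.223 are assumptions; pick values outside your DHCP pool. With DRY_RUN=1 (the default) the script only prints the commands it would run; DRY_RUN=0 executes them and needs root and Docker on a Linux host.

```shell
#!/bin/sh
# Added example for the Macvlan lab. All names and addresses are hypothetical
# and match the lab text; adjust them to your LAN before running with DRY_RUN=0.
set -eu

PARENT="${PARENT:-eth0}"                     # host interface attached to the LAN
SUBNET="${SUBNET:-192.168.1.0/24}"           # the LAN itself
GATEWAY="${GATEWAY:-192.168.1.1}"            # the LAN router
IP_RANGE="${IP_RANGE:-192.168.1.192/27}"     # addresses Docker may assign; keep outside the DHCP pool
SHIM_IP="${SHIM_IP:-192.168.1.223}"          # host-side macvlan address, reserved from that pool
NET_NAME="${NET_NAME:-mymacvlan}"
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: the network. Docker's IPAM does not use DHCP, so --ip-range limits the
# addresses it hands out and --aux-address keeps the host shim address out of the pool.
create_network() {
  run docker network create -d macvlan \
    --subnet="$SUBNET" --gateway="$GATEWAY" \
    --ip-range="$IP_RANGE" --aux-address="host=$SHIM_IP" \
    -o parent="$PARENT" "$NET_NAME"
}

# Step 1b: a macvlan sub-interface for the host. The kernel does not let the parent
# interface exchange frames with its own macvlan children, so without this the host
# cannot reach the containers even though every other device on the LAN can.
create_host_shim() {
  run ip link add macvlan-shim link "$PARENT" type macvlan mode bridge
  run ip addr add "$SHIM_IP/32" dev macvlan-shim
  run ip link set macvlan-shim up
  run ip route add "$IP_RANGE" dev macvlan-shim
}

# Step 2: a container on the network. There is no -p here: every port the image
# listens on is reachable from the LAN, so published-port filtering does not apply.
run_container() {
  run docker run -d --network="$NET_NAME" --name "$1" "$2"
}

# Step 3: the container's address on this network (exact field instead of grepping).
container_ip() {
  run docker inspect -f "{{(index .NetworkSettings.Networks \"$NET_NAME\").IPAddress}}" "$1"
}

# Step 4: reachability from the host, which only works through the shim interface.
check_reachable() {
  run ping -c 1 -W 1 "$1"
}

main() {
  create_network
  create_host_shim
  run_container web nginx
  if [ "$DRY_RUN" = 1 ]; then
    container_ip web                  # shown, not captured, in dry-run mode
    check_reachable '<container-ip>'
  else
    check_reachable "$(container_ip web)"
  fi
}

main
```

Run it once with the default DRY_RUN=1 and read the printed commands, then `DRY_RUN=0 sh macvlan-lab.sh` as root. If the LAN runs DHCP, make sure the chosen --ip-range is excluded from the DHCP pool, otherwise a new laptop on the network can end up with the same address as one of your containers.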
Practice Exercise
- Create a Macvlan network called corpnet with subnet 10.0.0.0/24.
- Run two containers (frontend and backend) in corpnet.
- Verify that each container gets its own IP address.
- Access the frontend container directly from another machine on the LAN.
- Reflect on why Macvlan is useful for legacy integration.
Visual Learning Model
Physical LAN
├── Host Machine (eth0)
├── Container A (IP: 192.168.1.10)
└── Container B (IP: 192.168.1.11)
The Hackers Notebook
Macvlan networks allow containers to act like independent devices on the LAN, each with their own IP and MAC address. They bypass NAT, improve performance, and are ideal for legacy applications or environments requiring direct network presence. However, the host cannot reach its own Macvlan containers through the parent interface by default, and the containers sit directly on the LAN with no port publishing or host firewall rules in the path, so they should be used selectively and only where the network (switch port security, DHCP ranges, cloud provider MAC filtering) allows it.
