What is Overlay Network? | DevOps Dictionary

Overlay Network — Connecting Containers Across Multiple Hosts

What Is an Overlay Network in Simple Terms?

A bridge network connects containers on the same host. An overlay network connects containers across multiple hosts — containers running on different physical or virtual machines communicate as if they are on the same local network, with Docker handling all the routing transparently.

Overlay networks use VXLAN (Virtual Extensible LAN) to encapsulate container traffic inside UDP packets that travel across the real network between hosts.

◈ DIAGRAM

+------------------+      +------------------+
| Host 1           |      | Host 2           |
|                  |      |                  |
| +----------+     |      | +----------+     |
| | api      |     |      | | worker   |     |
| | 10.0.0.2 |     |      | | 10.0.0.3 |     |
| +-----+----+     |      | +-----+----+     |
|       |          |      |       |          |
|  overlay network |=====>|  overlay network  |
|  VXLAN tunnel    |      |  VXLAN tunnel     |
+------------------+      +------------------+
 
api pings 10.0.0.3 -> VXLAN encapsulates -> travels across real network
-> Host 2 decapsulates -> delivers to worker
Containers see a flat network — VXLAN is invisible to them

Creating and Using Overlay Networks

Bash

# Overlay networks require Docker Swarm mode
docker swarm init
 
# Create an overlay network
docker network create \
  --driver overlay \
  --attachable \
  payment-overlay
# --attachable: allows standalone containers (not just Swarm services) to join
 
# Deploy a Swarm service on the overlay network
docker service create \
  --name payment-api \
  --network payment-overlay \
  registry.razorpay.in/payment-api:v3.1.0
 
# Services on the same overlay network find each other by service name
# Docker's built-in load balancing distributes traffic across replicas

Encrypted Overlay Networks

Bash

# Create encrypted overlay (traffic encrypted with AES-GCM)
docker network create \
  --driver overlay \
  --opt encrypted \
  --attachable \
  secure-payment-overlay
# All traffic between containers encrypted
# Small performance overhead (~10%)

Overlay vs Bridge — When to Use Each

Need	Bridge	Overlay
Single host containers	Yes	No need
Multiple hosts	Cannot	Yes
Docker Swarm services	No	Yes
Kubernetes (CNI)	No	Similar concept

Connection to Kubernetes

Kubernetes CNI plugins (Calico, Cilium, Flannel) implement the same concept as Docker overlay networks — containers on different nodes communicate as if on the same flat network. Understanding Docker overlay networks makes Kubernetes pod networking immediately intuitive.

REMEMBER THIS
**Remember:** Overlay networks require Docker Swarm mode. If you are not using Swarm, you cannot create overlay networks — use bridge networks for single-host and look at Kubernetes for multi-host orchestration.