Configure Bridge Networks
Bridge networks are the network or networks that container VMs use to communicate with each other. Every virtual container host (VCH) must have a dedicated bridge network.
In Docker terminology, the bridge network on a VCH corresponds to the default bridge network, or docker0 interface, on a Docker host. Container application developers can use docker network create to create additional, user-defined bridge networks when they run containers. For information about default bridge networks and user-defined networks, see Docker container networking in the Docker documentation.
- For information about VCH networking requirements, see Networking Requirements for VCH Deployment.
- If you use NSX-T Data Center logical switches, it is not mandatory for T1 or T0 routers to be present. The bridge network does not use layer 3, so it does not require T1 and T0 routers.
The sections in this topic each correspond to an entry in the Configure Networks page of the Create Virtual Container Host wizard, and to the corresponding vic-machine create options.
A network interface that container VMs use to communicate with each other.
Before you deploy a VCH, you must create a VMware vSphere Distributed Switch and a port group, an NSX Data Center for vSphere logical switch, or an NSX-T Data Center logical switch for the bridge network. For information about how to create a port group or logical switch, see Networking Requirements for VCH Deployment.
- You must create a dedicated vSphere port group, or an NSX Data Center for vSphere logical switch, or an NSX-T Data Center logical switch for the bridge network for every VCH. Do not specify the same port group or logical switch as the bridge network for multiple VCHs. Sharing a bridge network between VCHs might result in multiple container VMs being assigned the same IP address.
- Do not use the bridge network for any of the other VCH networking options.
- Do not use the bridge network for any other VM workloads.
Create VCH Wizard
Select an existing port group or logical switch from the Bridge network drop-down menu. It is mandatory to specify a bridge network.
You designate the bridge network by specifying an existing port group or logical switch in the vic-machine create --bridge-network option.
The --bridge-network option is mandatory if you are deploying a VCH to vCenter Server.
The --bridge-network option is optional if you are deploying a VCH to an ESXi host that is not managed by vCenter Server. In this case, if you do not specify
vic-machine creates a vSphere Distributed Switch and a port group that each have the same name as the VCH. You can optionally specify this option to assign an existing port group or logical switch for use as the bridge network for container VMs. You can also optionally specify this option to create a new port group that has a different name to the VCH.
If you do not specify --bridge-network or if you specify an invalid port group or logical switch name, vic-machine create fails and suggests valid port groups or logical switches.
A range of IP addresses that additional bridge networks can use when container application developers use docker network create to create new user-defined networks. VCHs create these additional user-defined bridge networks by using IP address segregation within a set address range, so user-defined bridge networks do not require you to assign dedicated port groups. By default, all VCHs use the standard Docker range of 172.16.0.0/12 for additional user-defined networks. You can override the default range if that range is already in use in your network. You can reuse the same network address range across all VCHs.
When you specify a bridge network IP range, you specify the IP range as a CIDR.
- In releases up to and including vSphere Integrated Containers 1.5.1, the smallest subnet that you can specify is /16.
- In vSphere Integrated Containers 1.5.2 and later, the default subnet is /16, but you can configure different default subnets. If you set a subnet value in the --bridge-network-range option that is larger than the default of 16, you must also use the --bridge-network-width option to increase the size of the default subnet mask for user-defined bridge networks.
Create VCH Wizard
If the default range of 172.16.0.0/12 is in use in your network, enter a new range as a CIDR. For example, enter
If the default range of 172.16.0.0/12 is in use in your network, specify a new range in the
If you specify an invalid value for
vic-machine create fails with an error.
If you need to configure bridge networks to have subnet masks that are smaller than the default of 16 bits, you can set a new default bridge network width. For example, if container application developers use docker network create to create multiple new user-defined networks in their VCHs, you might need to configure a smaller subnet mask to avoid overuse of the VLANs that are assigned to those VCHs. By default the IP range is 172.16.0.0/12 and the network allocation width is /16.
The value that you specify must be larger than the subnet value specified in the --bridge-network-range option. This is because a larger subnet mask value results in a smaller range of available IP addresses. So, for example, if you set the default bridge network range to 172.16.0.0/22, you must set the default bridge network width to 22 or greater. If you use the default bridge network range subnet mask value of 16, you must set a value of 16 or more.
If you change the default bridge network width, any additional bridge networks that container application developers create in the VCH will have the specified subnet mask. Container application developers can override the default value by specifying docker network create --subnet when they create a new bridge network.
NOTE: This option is available in vSphere Integrated Containers 1.5.2 and later.
Create VCH Wizard
Enter a value in the Bridge network width text box. For example, enter 24 to reduce the size of the subnet mask.
If the default subnet mask for the bridge network is too large, specify a new subnet mask in the
If you are using the Create Virtual Container Host wizard, stay on the Configure Networks page and Configure the Public Network settings.
This vic-machine create command deploys a VCH that designates an existing network named vch1-bridge as the bridge network. It specifies IP addresses in the range 192.168.100.0/16 for use by user-defined bridge networks.
vic-machine-operating_system create --target 'Administrator@vsphere.local':password@vcenter_server_address/dc1 --compute-resource cluster1 --image-store datastore1 --bridge-network vch1-bridge --bridge-network-range 192.168.100.0/16 --public-network vic-public --name vch1 --thumbprint certificate_thumbprint --no-tlsverify
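
The range and width rules described in this topic can be checked before you run vic-machine create. The following Python check is an added example, not part of vSphere Integrated Containers or its documentation; the function name check_bridge_plan and the in_use list of already-routed CIDRs are assumptions for illustration.

```python
import ipaddress

def check_bridge_plan(bridge_range="172.16.0.0/12", width=16, in_use=()):
    """Check a --bridge-network-range / --bridge-network-width pair.

    in_use: CIDRs already used elsewhere in your network (assumption: you
    supply this list yourself; nothing is discovered automatically).
    Returns (errors, warnings, capacity). capacity is the number of
    user-defined bridge networks of the given width that fit in the range.
    """
    errors, warnings = [], []
    try:
        iface = ipaddress.IPv4Interface(bridge_range)
    except ValueError as exc:
        # Malformed input such as a five-octet address ends up here.
        return [f"invalid CIDR {bridge_range!r}: {exc}"], warnings, 0
    net = iface.network

    # A range like 192.168.100.0/16 has host bits set: the /16 that
    # contains it starts at 192.168.0.0, which may not be what was meant.
    if iface.ip != net.network_address:
        warnings.append(f"{bridge_range} has host bits set; it covers {net}")

    # The width must not be a shorter prefix than the range itself
    # (a /22 range needs a width of 22 or greater).
    width_ok = net.prefixlen <= width <= 32
    if not width_ok:
        errors.append(f"width /{width} must be between /{net.prefixlen} and /32")

    # The default range should be overridden if it is already in use.
    for other in in_use:
        if net.overlaps(ipaddress.IPv4Network(other, strict=False)):
            errors.append(f"{net} overlaps in-use network {other}")

    capacity = 2 ** (width - net.prefixlen) if width_ok else 0
    return errors, warnings, capacity

if __name__ == "__main__":
    # Constructed sample inputs: the defaults, the range from the example
    # command above, and a /22 range with a width that is too wide.
    for args in [("172.16.0.0/12", 16), ("192.168.100.0/16", 16),
                 ("172.16.0.0/22", 16)]:
        print(args, check_bridge_plan(*args, in_use=["10.0.0.0/8"]))
```

With the defaults, 16 user-defined networks of width /16 fit in 172.16.0.0/12; a /22 range with a width of 24 leaves room for only 4.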