7.2.1.4 Bridge Local Services

A focused guide to Bridge Local Services, connecting core concepts with practical Docker and container operations.

Bridge local services are services intended to be reached only by other containers on the same bridge network and never published to the host or an external network. This is the typical configuration for internal dependencies such as databases, caches, and internal APIs.

Configuring a Purely Internal Service

A service intended only for internal, container-to-container use is run without any port publishing, relying entirely on the shared bridge network for reachability.

docker network create app-network
docker run -d --name cache --network app-network redis:7

This Redis container has no host-published port at all, since only other containers on app-network ever need to reach it.

Reaching a Local Service From Another Container

Containers sharing the same bridge network reach this local service directly through its internal port and resolvable name, with no need for the service to be published externally.

docker run -d --name api --network app-network -e CACHE_URL=redis://cache:6379 myapi:1.0

Why Keeping Services Local Improves Security

A service that never needs to be reached from outside the Docker network should not be reachable from there. Keeping it unpublished, reachable only from other containers on its shared network, meaningfully reduces its exposure compared to publishing it unnecessarily.

docker ps --format 'table {{.Names}}\t{{.Ports}}'

Reviewing this confirms which services are local-only (no published ports) versus which are deliberately exposed externally.
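
The same review can be scripted so it runs on every deployment. The following is an added example, not part of the original guide: it classifies each line of `docker ps --format '{{.Names}}\t{{.Ports}}'` output by how its ports are bound. The function names, the three class labels and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Classify containers from `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
# Reads tab-separated "name<TAB>ports" lines on stdin, prints "name<TAB>class":
#   local-only  no host mapping (empty column, or exposed-only such as "6379/tcp")
#   loopback    every mapping is bound to 127.0.0.1 or ::1
#   published   at least one mapping is bound to a non-loopback host address
classify_ports() {
  awk -F '\t' '
    {
      class = "local-only"
      n = split($2, maps, /, */)
      for (i = 1; i <= n; i++) {
        if (maps[i] !~ /->/) continue          # exposed but not published
        if (maps[i] ~ /^(127\.0\.0\.1|\[::1\]|::1):/) {
          if (class == "local-only") class = "loopback"
        } else {
          class = "published"
        }
      }
      printf "%s\t%s\n", $1, class
    }'
}

# Constructed sample in the shape docker ps prints; not captured from a real host.
sample_ps() {
  printf 'cache\t6379/tcp\n'
  printf 'api\t0.0.0.0:8080->8080/tcp, [::]:8080->8080/tcp\n'
  printf 'admin\t127.0.0.1:9000->9000/tcp\n'
  printf 'worker\t\n'
}

# Names of containers with a non-loopback host mapping, one per line.
published_names() {
  classify_ports | awk -F '\t' '$2 == "published" { print $1 }'
}

# Against a live daemon:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | classify_ports
sample_ps | classify_ports
```

A mapping bound to 127.0.0.1 is reachable from the host itself but not from other machines, which is why it is reported separately from both other classes.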

Verifying a Local Service Genuinely Isn't Externally Reachable

Confirming that a local-only service cannot actually be reached from outside the Docker network validates the intended configuration.

curl http://localhost:6379

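Run from the Docker host, this should fail to connect, because the container publishes no host port. curl serves here only as a connection test, since Redis does not speak HTTP. The failure confirms cache is not externally reachable, exactly as intended for a purely internal, bridge-local service.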

Why Bridge Local Services Matter

Correctly identifying which services genuinely need only internal reachability, and configuring them without any port publishing, is an important practice for reducing a multi-container application's externally exposed attack surface to only what is necessary.