9.2.2.3 Compose Internal Networks

A focused guide to Compose Internal Networks, connecting core concepts with practical Docker and container operations.

Compose internal networks are networks declared with the internal: true option. A service attached only to such a network has no route to the host's external interfaces or to the internet, so it can neither reach nor be reached from anything outside that network. The restriction is per network, not per service: a service that is also attached to a non-internal network keeps whatever external connectivity that other network provides.

Declaring an Internal Network

Setting internal: true in a network's declaration removes that network's external connectivity: Docker creates it without a default route to the outside, and services that have no other network get no egress at all.

services:
  db:
    networks:
      - data-tier
  api:
    networks:
      - data-tier
      - public-tier

networks:
  data-tier:
    internal: true
  public-tier:

Services attached only to data-tier, such as db, have no route to the internet. api, which is also attached to public-tier, keeps external connectivity through that network and can still talk to db over data-tier.

Why Internal Networks Provide a Meaningful Security Boundary

A service with no route outside its network cannot open outbound connections to an attacker-controlled host, so even if it were compromised it could not pull in tooling, beacon to a command-and-control server or exfiltrate data directly. That makes internal networks a worthwhile defense-in-depth measure for services with no legitimate need for outbound access. The boundary is the edge of the network only: traffic between services on the same internal network is unrestricted, so a compromised db can still reach api, and a service that straddles an internal and a non-internal network, as api does here, is the natural pivot an attacker would look for next.

docker compose exec db ping -c 1 -W 2 8.8.8.8
ping: sendto: Network unreachable

This confirms that db, attached only to the internal network, has no path to the internet. The exact wording depends on the ping implementation in the image (iputils prints ping: connect: Network unreachable), and many database images ship no ping at all; running ip route inside the container, which shows no default route, or docker network inspect on the network, which reports "Internal": true, are equivalent checks. One caveat worth testing on your own Engine version: the embedded DNS resolver that containers use runs on the host, so a container on an internal network may still be able to resolve external names even though it cannot connect to them. If DNS-based exfiltration is in your threat model, try a lookup of an external name from inside db (for example with getent hosts) and treat a successful answer as a finding to address rather than assuming the network setting covers it.

Choosing Which Services Belong on an Internal Network

A database, an internal cache, a message queue consumed only by your own workers, or any other service that only ever needs to communicate with other services within the same application, never with anything external, is a good candidate for being confined to an internal network. Anything that must accept traffic from outside or call an external API, such as a reverse proxy or the api service above, stays on a non-internal network as well and becomes the place to concentrate hardening and monitoring.

services:
  db:
    networks:
      - data-tier

networks:
  data-tier:
    internal: true
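Deciding which services belong on an internal network is easier when you can see, for the whole project, which services actually end up with external connectivity and which ones straddle the two tiers. The script below is an added example written for this page, not part of the page's original content or of Docker Compose; it reads the JSON that docker compose config --format json prints (a real Compose subcommand) and reports per service whether any attached network is non-internal. The cache and worker services and the image names are constructed to exercise the list, mapping and missing forms of the networks key; the assumption that Compose attaches a service with no networks key to the default network is stated in the code.

```python
"""Static egress audit for a Compose project.

Added example, not part of the original page or of Docker Compose itself.
It reads the JSON that `docker compose config --format json` prints and
reports, per service, whether it is attached to any non-internal network
(so it has external connectivity) and whether it straddles an internal
and a non-internal network (a pivot point between the two tiers).
Assumption: a service with no `networks` key is attached to the `default`
network, and `networks` may appear as a mapping (Compose's normalised
form) or as the list people write by hand.
"""
import json
import sys

# Constructed sample in the shape of `docker compose config --format json`
# output for the page's two-tier example; not captured from a real run.
# `cache` and `worker` are added here to cover the list form and the
# missing-key form of `networks`.
SAMPLE_CONFIG = {
    "services": {
        "db": {"image": "postgres:16", "networks": {"data-tier": None}},
        "api": {"image": "example/api",
                "networks": {"data-tier": None, "public-tier": None}},
        "cache": {"image": "redis:7", "networks": ["data-tier"]},
        "worker": {"image": "example/worker"},  # no networks key
    },
    "networks": {
        "data-tier": {"internal": True},
        "public-tier": {},
        "default": {"name": "app_default"},
    },
}


def service_networks(service: dict) -> list[str]:
    """Network names a service is attached to, honouring both the mapping
    form Compose emits and the list form written by hand."""
    nets = service.get("networks")
    if nets is None:
        return ["default"]  # assumption: implicit default network
    return sorted(nets)  # works for both dict (keys) and list


def internal_networks(config: dict) -> set[str]:
    """Names of networks declared with `internal: true`."""
    return {
        name for name, spec in config.get("networks", {}).items()
        if isinstance(spec, dict) and spec.get("internal") is True
    }


def egress_report(config: dict) -> dict[str, dict]:
    """Per service: its networks, whether any of them gives external
    connectivity, and whether it bridges an internal and an external net."""
    internal = internal_networks(config)
    report = {}
    for name, svc in config.get("services", {}).items():
        nets = service_networks(svc)
        has_external = any(n not in internal for n in nets)
        has_internal = any(n in internal for n in nets)
        report[name] = {
            "networks": nets,
            "egress": has_external,
            "bridges_internal": has_external and has_internal,
        }
    return report


def unexpected_egress(config: dict, no_egress_expected: set[str]) -> list[str]:
    """Services you expect to be isolated that still have egress. Names
    absent from the config are reported too, so a typo in the expected
    set does not silently pass."""
    report = egress_report(config)
    return sorted(
        s for s in no_egress_expected
        if s not in report or report[s]["egress"]
    )


def main() -> None:
    # Usage: docker compose config --format json | python3 egress_audit.py
    # With no piped input the constructed sample above is used instead.
    config = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_CONFIG
    for svc, info in egress_report(config).items():
        tag = "EGRESS  " if info["egress"] else "ISOLATED"
        pivot = "  <- bridges internal and external" if info["bridges_internal"] else ""
        print(f"{tag} {svc:<8} networks={','.join(info['networks'])}{pivot}")


if __name__ == "__main__":
    main()
```

Run it against the real project with docker compose config --format json piped in, and keep the set of services that must never have egress next to the Compose file so the audit can fail a pipeline when someone adds a second network to a database. The bridges_internal flag is the one to read carefully: every service it marks is a path from the internal tier to the outside world and deserves the tightest image, user and egress controls in the project.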

Why Compose Internal Networks Matter

Marking a network as internal provides a concrete way to enforce that certain services genuinely have no external network access, reducing the potential impact of a compromised service that legitimately has no need to reach anything outside the application itself.