4.2.10 EXPOSE
A focused guide to EXPOSE, connecting core concepts with practical Docker and container operations.
EXPOSE is the Dockerfile instruction that documents which network ports a container is expected to listen on, serving primarily as metadata and a hint to tooling rather than actually making those ports reachable from outside the container on its own.
Basic Usage
EXPOSE declares one or more ports the application inside the container listens on.
EXPOSE 8080
EXPOSE 9090
This records that the application uses these two ports, without itself publishing either of them to the host.
Why EXPOSE Alone Doesn't Publish a Port
Actually making a container's port reachable from outside requires an explicit port mapping at run time, using the -p flag — EXPOSE only documents intent, it does not configure networking.
docker run myapp
docker run -p 8080:8080 myapp
The first command starts the container with the documented port still inaccessible from outside; the second explicitly publishes it to the host.
EXPOSE and Container-to-Container Communication
Containers on the same user-defined network can reach each other's ports directly, regardless of whether those ports were declared with EXPOSE — the instruction's effect is purely informational, not an access control mechanism.
docker network create mynet
docker run -d --name db --network mynet postgres:16
docker run -d --name app --network mynet myapp:1.0
The app container can reach db on its default port even without any EXPOSE instruction in db's image, since EXPOSE does not enforce network isolation either way.
Specifying the Protocol
EXPOSE can also indicate whether a port uses TCP or UDP, which matters for applications using UDP-based protocols.
EXPOSE 53/udp
Why EXPOSE Still Matters Despite Not Enforcing Anything
Even though EXPOSE has no enforcement effect, it remains valuable as accurate, embedded documentation of an application's expected ports, and some tooling (including docker run -P, which publishes all exposed ports automatically) does act on this declared information.
docker run -P myapp
This automatically publishes every port declared with EXPOSE to a randomly assigned host port, relying directly on the instruction's declared information.