7.2.4.3 Overlay Encapsulation
A focused guide to Overlay Encapsulation, connecting core concepts with practical Docker and container operations.
Overlay encapsulation is the mechanism that makes multi-host overlay networking possible: each container frame is wrapped (encapsulated) inside an outer UDP packet addressed from one host to another, using VXLAN in Docker's overlay driver, so that it can be carried across the physical network (the underlay) connecting the hosts of a swarm cluster and unwrapped again on the far side.
Why Encapsulation Is Necessary
A container's overlay address (for example 10.0.1.2) has no meaning on the physical network connecting the cluster's hosts: no router there knows where 10.0.1.0/24 lives. Encapsulation gives each frame an outer header that carries the source and destination host addresses, so the underlay forwards it host to host like any other UDP traffic, and the receiving host strips the outer header and delivers the original frame to the right container.
docker network create --driver overlay app-overlay
This command requires swarm mode (the host must first run docker swarm init or join an existing swarm); the overlay driver is not available on a standalone daemon. Traffic between containers attached to this network is encapsulated by the host kernel's VXLAN device on the sending host and de-encapsulated by the receiving host, with no involvement from the containers themselves.
VXLAN as the Typical Encapsulation Technology
Docker's overlay driver uses VXLAN (Virtual Extensible LAN, RFC 7348). VXLAN carries a complete inner Ethernet frame inside an outer IPv4/UDP packet (destination port 4789 by default) and prefixes it with an 8-byte header whose 24-bit VXLAN Network Identifier (VNI) tells the receiving host which overlay network the frame belongs to. Each Docker overlay network gets its own VNI, visible under Options as com.docker.network.driver.overlay.vxlanid_list in the output of docker network inspect.
docker network inspect app-overlay --format '{{.Driver}}'
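To make the encapsulation concrete, here is an added example (not Docker's or libnetwork's code) that builds a VXLAN packet the way a host puts it on the wire and decodes it again, using only the Python standard library so it runs offline. The container addresses 10.0.1.2 and 10.0.1.3, the host addresses 192.168.1.10 and 192.168.1.11, the MAC addresses and VNI 4097 are all constructed for illustration.

```python
"""
Build and decode a VXLAN-encapsulated frame with only the Python standard
library, to show what an overlay packet looks like on the physical network.
Added example, not Docker's or libnetwork's code. Every address, MAC and the
VNI below are constructed for illustration.
"""
import socket
import struct

VXLAN_UDP_PORT = 4789        # IANA VXLAN port; Docker's default data-path port
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag: the 24-bit VNI field is valid
# Outer Ethernet(14) + IPv4(20) + UDP(8) + VXLAN(8) added to each inner frame.
# The same figure is also the overlay MTU penalty: the underlay's 1500-byte IP
# MTU must hold outer IPv4 + UDP + VXLAN + the inner Ethernet header (50 bytes)
# plus the inner IP packet.
VXLAN_IPV4_OVERHEAD = 14 + 20 + 8 + 8   # 50 bytes


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ethernet(dst_mac, src_mac, ethertype=0x0800):
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype)


def ipv4(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_echo(payload, ident=1, seq=1):
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr)) + hdr[4:]


def vxlan_header(vni):
    # 8 bytes: flags(1) reserved(3) VNI(3) reserved(1). There is no sender
    # authentication or integrity field anywhere in this header.
    return bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def encapsulate(inner_frame, vni, host_src, host_dst, host_src_mac, host_dst_mac,
                src_port=49152):
    """Wrap a container Ethernet frame for transit between two hosts."""
    vx = vxlan_header(vni)
    udp_len = 8 + len(vx) + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # csum 0 = none
    return (ethernet(host_dst_mac, host_src_mac)
            + ipv4(host_src, host_dst, 17, udp_len)
            + udp + vx + inner_frame)


def decapsulate(packet):
    """Return (vni, inner_frame); raise ValueError if this is not VXLAN/UDP/IPv4."""
    if len(packet) < VXLAN_IPV4_OVERHEAD or packet[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (packet[14] & 0x0F) * 4
    if packet[14 + 9] != 17:
        raise ValueError("not UDP")
    udp_off = 14 + ihl
    _, dport, _, _ = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not on the VXLAN port")
    vx = packet[udp_off + 8:udp_off + 16]
    if not vx[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI flag not set")
    return int.from_bytes(vx[4:7], "big"), packet[udp_off + 16:]


def inner_ipv4_addresses(frame):
    """Source and destination of the IPv4 packet inside a container frame."""
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])


def overlay_mtu(underlay_mtu):
    """Largest inner IP packet the underlay can carry without fragmenting."""
    return underlay_mtu - VXLAN_IPV4_OVERHEAD


# Constructed sample: container 10.0.1.2 pings 10.0.1.3 on an overlay with
# VNI 4097; the hosts carrying them sit at 192.168.1.10 and 192.168.1.11.
ICMP = icmp_echo(b"overlay")
INNER_FRAME = (ethernet("02:42:0a:00:01:03", "02:42:0a:00:01:02")
               + ipv4("10.0.1.2", "10.0.1.3", 1, len(ICMP)) + ICMP)
ON_THE_WIRE = encapsulate(INNER_FRAME, 4097, "192.168.1.10", "192.168.1.11",
                          "52:54:00:aa:bb:01", "52:54:00:aa:bb:02")


def main():
    vni, inner = decapsulate(ON_THE_WIRE)   # (4097, INNER_FRAME)
    print("VNI", vni, "inner", inner_ipv4_addresses(inner),
          "bytes on wire", len(ON_THE_WIRE), "overlay MTU on 1500", overlay_mtu(1500))


if __name__ == "__main__":
    main()
```

Running it reports VNI 4097, the inner pair ('10.0.1.2', '10.0.1.3'), 99 bytes on the wire (49 bytes of container frame plus 50 of outer headers) and 1450 as the overlay MTU for a 1500-byte underlay. Notice that decapsulate has nothing it could check about who sent the packet: the VXLAN header carries no authentication, so any host that can send UDP to port 4789 on a node can inject a frame into whichever overlay it names in the VNI. That is the reason to restrict the data-plane port to cluster nodes and, on untrusted networks, to create the network with --opt encrypted.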
Why This Encapsulation Layer Is Invisible to Applications
Applications running inside containers on an overlay network simply see ordinary network connectivity — they have no awareness of, or need to interact with, the underlying encapsulation happening beneath them.
docker exec container-a ping container-b
From inside either container this is an ordinary ping to a name that Docker's embedded DNS resolves to the peer's overlay address (both containers must be attached to the same overlay network, and the image must ship a ping binary). A packet capture on either host's physical interface, filtered on UDP port 4789, shows what actually crossed the wire: outer host-to-host UDP packets, each carrying the container's frame, and, unless the network was created with encryption, the ICMP payload readable in cleartext.
Why a Properly Configured Physical Network Still Matters
Although encapsulation is transparent to applications, the physical network must still deliver the encapsulated traffic between the hosts, and that imposes two requirements. First, firewalls between swarm nodes must allow the cluster's control and data channels: TCP 2377 for manager communication, TCP and UDP 7946 for node gossip, and UDP 4789 (or whatever docker swarm init --data-path-port was set to) for the VXLAN data plane. Blocking 4789 is the classic failure mode: the network is created and the containers start, but they cannot reach each other. Second, each outer header adds 50 bytes (IPv4, UDP, VXLAN and the inner Ethernet header), so a 1500-byte underlay leaves 1450 bytes for the inner IP packet; if a path in between has a smaller MTU, large packets are silently lost while small ones, pings included, keep working. The security caveat is that VXLAN itself has no authentication: any host that can send UDP to the data-plane port of a node can inject a frame into any overlay simply by choosing its VNI, so that port should be reachable only from cluster nodes, never from the wider network.
docker network create --driver overlay --opt encrypted app-overlay
Adding --opt encrypted at creation time (it cannot be switched on later) makes the swarm nodes set up IPsec tunnels (ESP, IP protocol 50) between themselves and carry this network's VXLAN traffic inside them, with the keys distributed and rotated by the swarm managers. Use it wherever the underlay is not fully trusted, since plain VXLAN offers neither confidentiality nor integrity; firewalls between the nodes must then also pass ESP, and expect some throughput cost from the encryption. The swarm's own control traffic is TLS-protected regardless; this option covers only container-to-container data on the network it was set on.
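The port list above is easy to get wrong on a hardened host, so here is an added example (again not Docker's tooling) that evaluates an iptables INPUT chain against the channels a swarm node needs from its peers. The listing is constructed to look like iptables -S INPUT output, and the evaluator is deliberately simplified: it considers only the chain policy, -p, --dport, --ctstate, -i lo and the target, treats every other match (-s, -i eth0, ...) as matching, and does not follow jumps into user-defined chains, so read its output as a first check rather than a verdict.

```python
"""
Evaluate an iptables INPUT chain against the channels a Docker swarm node
needs from its peers. Added example, not Docker's own tooling. The sample
listing is constructed to look like `iptables -S INPUT` output, and the
evaluator is simplified (see parse_input_chain) rather than a full iptables
emulation.
"""
import re


def required_channels(data_path_port=4789, encrypted=False):
    """Channels from the Docker swarm networking docs, as (name, proto, port)."""
    channels = [
        ("cluster management", "tcp", 2377),
        ("node gossip", "tcp", 7946),
        ("node gossip", "udp", 7946),
        ("VXLAN data plane", "udp", data_path_port),  # docker swarm init --data-path-port
    ]
    if encrypted:
        # --opt encrypted tunnels VXLAN inside IPsec ESP (IP protocol 50), no port
        channels.append(("IPsec ESP for encrypted overlays", "esp", None))
    return channels


POLICY_RE = re.compile(r"^-P INPUT (?P<policy>\S+)")
RULE_RE = re.compile(r"^-A INPUT (?P<body>.*?)-j (?P<target>\S+)")


def parse_input_chain(listing):
    """Return (policy, rules); each rule is a (proto, dport, target) tuple.

    Simplifications: rules limited to loopback (-i lo) or to existing
    connections (--ctstate without NEW) are dropped, because peer traffic
    opening a new connection never matches them; any other match
    (-s, -i eth0, -m comment ...) is ignored, i.e. assumed to match.
    """
    policy, rules = "ACCEPT", []
    for line in listing.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            policy = m.group("policy")
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        if re.search(r"-i lo\b", body):
            continue
        states = re.search(r"--ctstate (\S+)", body)
        if states and "NEW" not in states.group(1).split(","):
            continue
        proto = re.search(r"-p (\S+)", body)
        dport = re.search(r"--dport (\d+)", body)
        rules.append((proto.group(1) if proto else None,
                      int(dport.group(1)) if dport else None,
                      m.group("target")))
    return policy, rules


def verdict(policy, rules, proto, port):
    """First terminating match wins, as in iptables; otherwise the chain policy."""
    for r_proto, r_port, target in rules:
        if r_proto is not None and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        # LOG, RETURN or a jump to a user chain: not evaluated here, keep scanning
    return policy


def blocked_channels(listing, data_path_port=4789, encrypted=False):
    """Names of required channels the chain would not ACCEPT."""
    policy, rules = parse_input_chain(listing)
    blocked = []
    for name, proto, port in required_channels(data_path_port, encrypted):
        if verdict(policy, rules, proto, port) != "ACCEPT":
            suffix = f"{proto}/{port}" if port else proto
            blocked.append(f"{name} ({suffix})")
    return blocked


# Constructed sample: a typical "default drop, SSH plus the ports someone
# remembered" host policy that forgot the VXLAN data plane.
SAMPLE_INPUT_CHAIN = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2377 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7946 -j ACCEPT
-A INPUT -p udp -m udp --dport 7946 -j ACCEPT
"""

if __name__ == "__main__":
    for encrypted in (False, True):
        print("encrypted" if encrypted else "plain",
              blocked_channels(SAMPLE_INPUT_CHAIN, encrypted=encrypted))
```

Against the sample chain the plain check reports only the VXLAN data plane (udp/4789) as blocked, and the encrypted check adds ESP; appending an ACCEPT for udp 4789 and one for -p esp clears both. Run the real listing through it after changing --data-path-port, too: a non-default port is the other common way the data plane gets silently dropped.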
Why Overlay Encapsulation Matters
Understanding this mechanism clarifies how overlay networking achieves transparent multi-host connectivity, and it gives you the vocabulary for the less common cases where the underlay gets in the way: a blocked data-plane port, an MTU that cannot absorb the extra header, or an untrusted network that calls for the encrypted option.