7.1.1.3 Virtual Ethernet Pair

A focused guide to Virtual Ethernet Pair, connecting core concepts with practical Docker and container operations.

A virtual ethernet pair (veth pair) is the underlying Linux networking primitive Docker uses to connect a container's isolated network namespace to a bridge network, functioning conceptually like a virtual network cable with one end inside the container's namespace and the other end attached to the bridge.

How a veth Pair Connects a Container to a Network

One end of the veth pair lives inside the container's network namespace (typically appearing as eth0 from the container's perspective), while the other end attaches to the host-side bridge representing the Docker network.

docker run -d --name myapp alpine sleep 1000
docker exec myapp ip addr show eth0

This shows the container-side end of the veth pair, appearing as a normal network interface from within the container's own namespace.

Viewing the Host-Side End of the Pair

The corresponding host-side end of the veth pair can be observed from the host itself, typically under a Docker-generated name that begins with veth.

ip addr show | grep veth

This reveals host-side veth interfaces, each one corresponding to a specific container's connection to its network.
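The grep above lists every host-side veth but does not say which one belongs to which container. The following added example (not part of the original guide) correlates the two ends using the peer interface index; the function names and sample data are illustrative, and it assumes the container's interface is eth0 on a bridge network, as with the myapp container above.

```shell
#!/bin/sh
# Added example: correlate a container's eth0 with its host-side veth.
# Function names and the sample data are illustrative, not Docker's own.

# Constructed, trimmed `ip -o link show` output from a host.
SAMPLE_HOST_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
7: veth1a2b3c4@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
9: veth9f8e7d6@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP'

# Name of the interface with index $1 (host `ip -o link show` on stdin).
iface_by_index() {
    awk -v idx="$1" -F': ' '$1 == idx { sub(/@.*/, "", $2); print $2; exit }'
}

# Bridge ("master") that the interface with index $1 is attached to.
master_by_index() {
    awk -v idx="$1" '$1 == (idx ":") {
        for (i = 1; i < NF; i++) if ($i == "master") { print $(i + 1); exit }
    }'
}

# Live lookup: inside the container, /sys/class/net/eth0/iflink holds the
# ifindex of the veth peer, which lives in the host namespace.
host_veth_for() {
    idx=$(docker exec "$1" cat /sys/class/net/eth0/iflink) || return 1
    ip -o link show | iface_by_index "$idx"
}

# Offline demo on the constructed sample (peer index 7 is assumed).
demo() {
    printf '%s\n' "$SAMPLE_HOST_LINKS" | iface_by_index 7
    printf '%s\n' "$SAMPLE_HOST_LINKS" | master_by_index 7
}
demo
```

On a live host, `host_veth_for myapp` prints the single veth interface that carries that container's traffic, which is the name to use when scoping a packet capture or firewall rule to one container.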

Why This Mechanism Enables Both Isolation and Connectivity

The veth pair is precisely what allows a container to have its own fully isolated network namespace while still being connected to a broader network — traffic crosses between the container's isolated namespace and the shared bridge network specifically through this virtual cable.

docker network inspect bridge --format '{{json .Containers}}'

This reveals which containers are currently connected to the bridge network, each via their own dedicated veth pair.

Why Understanding veth Pairs Matters

While most everyday Docker usage doesn't require directly manipulating veth pairs, understanding this underlying mechanism clarifies exactly how a container's isolated networking is bridged to the broader network, providing a clearer mental model for diagnosing more advanced or unusual networking issues.