How to Set Up Windows Server 2019 Container Networking
Container networking on Windows Server 2019 enables isolated network communication for Windows containers and Hyper-V containers. The Host Networking Service (HNS) manages the underlying networking layer, creating virtual switches, endpoints, and network policies for containers. Windows Server 2019 supports multiple network drivers including nat, transparent, overlay, l2bridge, l2tunnel, and none. This guide walks through the setup and configuration of container networking on Windows Server 2019.
Installing Container and Docker Prerequisites
Before configuring container networking, ensure the container host is properly prepared. Install the Containers feature and Hyper-V:
Install-WindowsFeature Containers -RestartInstall Docker Engine on Windows Server 2019:
Install-Module -Name DockerMsftProvider -Repository PSGallery -Force
Install-Package -Name docker -ProviderName DockerMsftProvider -Force -RequiredVersion 20.10.9
Restart-Computer -ForceAlternatively, install Docker using the official method:
Invoke-WebRequest -UseBasicParsing -Uri "https://download.docker.com/win/static/stable/x86_64/docker-20.10.9.zip" -OutFile "C:docker.zip"
Expand-Archive C:docker.zip -DestinationPath C:
$env:Path += ";C:docker"
[Environment]::SetEnvironmentVariable("Path", $env:Path, [System.EnvironmentVariableTarget]::Machine)
dockerd --register-service
Start-Service dockerUnderstanding Windows Container Network Drivers
Windows Server 2019 supports several container network drivers, each suited to different use cases. The nat driver creates an internal network with NAT, suitable for single-host container deployments where outbound internet access is needed. The transparent driver connects containers directly to the physical network via a bridge. The overlay driver creates distributed VXLAN-based networks spanning multiple hosts, used with Docker Swarm or Kubernetes. The l2bridge driver connects containers to the physical network with MAC address rewriting. The l2tunnel driver is used with Azure for cloud-scale networking.
Creating a NAT Network
The default network created by Docker on Windows is a NAT network named “nat”. To create a custom NAT network with a specific subnet:
docker network create `
--driver nat `
--subnet 172.20.0.0/16 `
--gateway 172.20.0.1 `
--opt com.docker.network.windowsshim.hnsnetworkname=CustomNAT `
CustomNATVerify the network was created:
docker network ls
docker network inspect CustomNATCreating a Transparent Network
A transparent network allows containers to appear as physical devices on the LAN, receiving IPs from the physical DHCP server. First, identify the network adapter to use:
Get-NetAdapter | Select Name, InterfaceDescription, StatusCreate the transparent network bound to the physical adapter:
docker network create `
--driver transparent `
--subnet 192.168.10.0/24 `
--gateway 192.168.10.1 `
--opt com.docker.network.windowsshim.interface="Ethernet 2" `
TransparentNetCreating an Overlay Network for Multi-Host Communication
Overlay networks allow containers on different hosts to communicate directly. They require either Docker Swarm mode or a key-value store (etcd/Consul). Initialize Docker Swarm on the manager node:
docker swarm init --advertise-addr 10.0.0.1Join worker nodes to the swarm using the token output from the init command:
docker swarm join --token SWMTKN-1-xxxxx 10.0.0.1:2377Create an overlay network on the manager:
docker network create `
--driver overlay `
--subnet 10.10.0.0/16 `
--attachable `
OverlayNetManaging Container Networks with HNS PowerShell
The Host Networking Service can be managed directly with PowerShell for more granular control. Install the HNS module:
Install-Module -Name HNS -Force -AllowClobberList all HNS networks on the host:
Get-HnsNetwork | Select Name, Type, AddressPrefix, SubnetPolicies | Format-TableList all HNS endpoints (one per connected container):
Get-HnsEndpoint | Select FriendlyName, IpAddress, MacAddress, VirtualNetwork | Format-TableCreate an HNS network directly (useful for Kubernetes CNI plugins):
$networkJson = @"
{
"Name": "l2bridge",
"Type": "l2bridge",
"Subnets": [{
"AddressPrefix": "10.244.0.0/24",
"GatewayAddress": "10.244.0.1",
"Policies": []
}]
}
"@
New-HnsNetwork -JsonString $networkJsonConfiguring DNS for Container Networks
Containers inherit DNS settings from the Docker daemon configuration by default. Configure custom DNS servers in the Docker daemon configuration file:
$daemonConfig = @{
"dns" = @("8.8.8.8", "8.8.4.4")
"dns-search" = @("contoso.local")
"fixed-cidr" = "172.20.0.0/16"
} | ConvertTo-Json
Set-Content -Path "C:ProgramDatadockerconfigdaemon.json" -Value $daemonConfig
Restart-Service dockerConfiguring Network Policies and ACLs
Windows Server 2019 supports network security policies applied per-endpoint through HNS. Apply an ACL policy to a specific container endpoint:
$endpoint = Get-HnsEndpoint | Where-Object {$_.FriendlyName -eq "MyContainer"}
$policy = @{
"Type" = "ACL"
"Protocol" = 6
"LocalPort" = 8080
"Direction" = "In"
"Action" = "Allow"
"Priority" = 100
}
Invoke-HnsRequest -Method POST -Type endpoint/$($endpoint.Id)/policy -Data ($policy | ConvertTo-Json)Verifying Container Connectivity
After network configuration, verify container connectivity by running a test container:
docker run --rm --network CustomNAT mcr.microsoft.com/windows/nanoserver:1809 cmd /c "ipconfig && ping 8.8.8.8 -n 3"Inspect a running container’s network configuration:
docker inspect --format "{{json .NetworkSettings}}" | ConvertFrom-Json | Select -ExpandProperty NetworksContainer networking on Windows Server 2019 is a rich environment with multiple driver options and deep integration with the host networking stack through HNS. Understanding which driver to use for each scenario — NAT for single-host development, transparent or l2bridge for physical network integration, and overlay for multi-host orchestration — ensures your containers have the right level of connectivity and isolation.
