Docker Network Security

Step 1 – Create an encrypted overlay network


In this step you will create two overlay networks. The first will only have the control plane traffic encrypted. The second will have control plane and data plane traffic encrypted.

All Docker overlay networks have control plane traffic encrypted by default. To encrypt data plane traffic you need to pass the --opt encrypted flag to the docker network create command.

Perform all of the following commands from a Manager node in your lab. The examples in this lab guide will assume you are using node1. Your lab may be different.

  1. Create a new overlay network called net1

    $ docker network create -d overlay net1
    xt3jwgsq20ob648uc5f8ow95q
    
  2. Inspect the net1 network to check for the encrypted flag

    $ docker network inspect net1
    [
     {
         "Name": "net1",
         "Id": "xt3jwgsq20ob648uc5f8ow95q",
         "Created": "0001-01-01T00:00:00Z",
         "Scope": "swarm",
         "Driver": "overlay",
         "EnableIPv6": false,
         "IPAM": {
             "Driver": "default",
             "Options": null,
             "Config": []
         },
         "Internal": false,
         "Attachable": false,
         "Containers": null,
         "Options": {
             "com.docker.network.driver.overlay.vxlanid_list": "4097"
         },
         "Labels": null
     }
    ]
    

    Notice that there is no encrypted flag under the Options section of the output. This indicates that data plane traffic (application traffic) is not encrypted on this network. Control plane traffic (gossip, etc.) is encrypted by default for all overlay networks.

  3. Create another overlay network, but this time pass the --opt encrypted flag. Call this network net2.

    $ docker network create -d overlay --opt encrypted net2
    uaaw8ljwidoc5is2qo362hd8n
    
  4. Inspect the net2 network to check for the encrypted flag

    $ docker network inspect net2
    [
     {
         "Name": "net2",
         "Id": "uaaw8ljwidoc5is2qo362hd8n",
         "Created": "0001-01-01T00:00:00Z",
         "Scope": "swarm",
         "Driver": "overlay",
         "EnableIPv6": false,
         "IPAM": {
             "Driver": "default",
             "Options": null,
             "Config": []
         },
         "Internal": false,
         "Attachable": false,
         "Containers": null,
         "Options": {
             "com.docker.network.driver.overlay.vxlanid_list": "4098",
             "encrypted": ""
         },
         "Labels": null
     }
    ]
    

    Notice the presence of the encrypted flag below the VXLAN ID in the Options field. This indicates that data plane traffic (application traffic) on this network will be encrypted.
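As an added example (not part of the lab guide), the check from steps 2 and 4 turned into a small audit script: it parses `docker network inspect` output, flags every overlay network created without --opt encrypted, and shows the one gotcha in that output, namely that the flag is stored as an empty-string value. The sample JSON is constructed from the lab's own output; `live_audit()` is an assumed helper that runs the same check against a real daemon.

```python
import json
import subprocess  # used only by live_audit(), which needs the docker CLI

# Constructed sample: the two `docker network inspect` results from the lab,
# trimmed to the fields the check needs, plus a non-overlay network.
SAMPLE_INSPECT = json.dumps([
    {"Name": "net1", "Scope": "swarm", "Driver": "overlay",
     "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4097"}},
    {"Name": "net2", "Scope": "swarm", "Driver": "overlay",
     "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4098",
                 "encrypted": ""}},
    {"Name": "bridge", "Scope": "local", "Driver": "bridge", "Options": {}},
])


def data_plane_encrypted(network: dict) -> bool:
    """True if this overlay network was created with --opt encrypted."""
    # Docker stores the flag as key "encrypted" with an EMPTY string value,
    # so test for key presence: bool(options.get("encrypted")) is always
    # False and would report every network as unencrypted.
    options = network.get("Options") or {}  # Options may be null
    return "encrypted" in options


def audit_overlay_networks(inspect_json: str) -> dict:
    """Map each overlay network name to its data-plane encryption status."""
    report = {}
    for net in json.loads(inspect_json):
        # Skip bridge/host/etc.: the flag only applies to swarm overlays.
        if net.get("Driver") == "overlay":
            report[net["Name"]] = data_plane_encrypted(net)
    return report


def unencrypted_overlays(inspect_json: str) -> list:
    """Overlay networks whose application traffic crosses hosts in the clear."""
    report = audit_overlay_networks(inspect_json)
    return sorted(name for name, enc in report.items() if not enc)


def live_audit() -> list:
    """Same check against the local daemon; run it on a swarm manager node."""
    ls = ["docker", "network", "ls", "-q", "--filter", "driver=overlay"]
    ids = subprocess.run(ls, capture_output=True, text=True, check=True).stdout.split()
    if not ids:
        return []
    inspect = ["docker", "network", "inspect", *ids]
    out = subprocess.run(inspect, capture_output=True, text=True, check=True).stdout
    return unencrypted_overlays(out)
```

Run on the sample, `unencrypted_overlays(SAMPLE_INSPECT)` returns `["net1"]`; on a manager node, `live_audit()` lists the real overlay networks still carrying application traffic unencrypted.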
