So far, we successfully launched an HTTP service and accessed the service from the Docker host as well as another container within the same Docker host. Furthermore, as demonstrated in the Building images from containers section of Chapter 2, Handling Docker Containers, the container is able to successfully install the wget package by making a connection to the publicly available APT repository over the Internet. Nonetheless, the outside world cannot access the service offered by a container by default. At the outset, this might seem like a limitation in the Docker technology. However, the fact is, the containers are isolated from the outside world by design.

Docker achieves network isolation for the containers by the IP address assignment criteria, as enumerated here:

• Assigning a private IP address to the container, which is not reachable from an external network
• Assigning an IP address to the container outside the host's IP network

Consequently, the Docker container is not reachable even from the systems that are connected to the same IP network as the Docker host. This assignment scheme also provides protection from an IP address conflict that might otherwise arise.

Now, you might wonder how to make the services run inside a container that is accessible to the outside world, in other words, exposing container services. Well, Docker bridges this connectivity gap in a classy manner by leveraging the Linux iptables functionality under the hood.

At the frontend, Docker provides two different building blocks for bridging this connectivity gap for its users. One of the building blocks is to bind the container port using the -p (publish a container's port to the host interface) option of the docker run subcommand. Another alternative is to use the combination of the EXPOSE instruction of Dockerfile and the -P (publish all exposed ports to the host interfaces) option of the docker run subcommand.