Virtual machines (VMs) running Docker cannot reach remote private IPv4 addresses in the 172.17.0.0/16 CIDR block. If you assign a VM an address from this range, other VMs that run Docker cannot reach it. Because default boot disk images come with Docker preinstalled, this affects most VMs in your VPC network.

This happens because Docker uses 172.17.0.0/16 for its default bridge network and adds a kernel route for that range on every host where it runs. When a VM running Docker sends traffic to an address in this range, the route directs the packets to the local Docker bridge instead of the network interface, so they never leave the VM or reach the VPC network.

To resolve the conflict, do one of the following:
  • Assign the VM a subnet outside 172.17.0.0/16.
  • Reconfigure the default Docker bridge to use a non-overlapping range. To do this, on every VM that runs Docker and needs to reach an address in 172.17.0.0/16, add the following parameters to the cloud-init configuration:
    write_files:
      - path: /etc/docker/daemon.json
        content: |
          {
            "bip": "192.168.200.1/24"
          }
        owner: root:root
        permissions: '0644'
    
    runcmd:
      - systemctl restart docker
    
    The bip value sets the IP address and subnet of the default Docker bridge (docker0). Replace 192.168.200.1/24 with any range that does not overlap with the private IP addresses used in your VPC network. For more information about configuring the default Docker bridge, see the Docker bridge network driver documentation.
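The following Python script is an added example, not part of this page or of any vendor tooling. It reproduces the routing decision described above on a constructed sample of ip route show output from a VM with the default Docker bridge (the route lines, VPC subnets and interface names are assumptions), and it checks a candidate bip value against a list of VPC subnets for overlap before you roll it out.

```python
import ipaddress

# Constructed sample of `ip route show` output from a VM running Docker.
# Interface names and addresses are assumptions for this example.
SAMPLE_ROUTES = """\
default via 10.128.0.1 dev eth0 proto dhcp
10.128.0.0/24 dev eth0 proto kernel scope link src 10.128.0.10
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
"""


def parse_routes(text):
    """Return (network, device) pairs parsed from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        # The kernel prints the default route as the word "default".
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        dev = fields[fields.index("dev") + 1]
        routes.append((net, dev))
    return routes


def egress_device(routes, dst):
    """Longest-prefix match: the interface the kernel would send dst through."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, dev) for net, dev in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def bip_conflicts(bip, vpc_cidrs):
    """Return the VPC subnets a candidate daemon.json "bip" value overlaps."""
    bridge = ipaddress.ip_interface(bip).network
    return [c for c in vpc_cidrs if bridge.overlaps(ipaddress.ip_network(c))]


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    # A remote VM at 172.17.0.5 is captured by the docker0 route, not eth0.
    print("172.17.0.5 ->", egress_device(routes, "172.17.0.5"))
    print("10.128.0.20 ->", egress_device(routes, "10.128.0.20"))
    vpc = ["172.17.0.0/24", "10.128.0.0/24"]
    print("default bip conflicts:", bip_conflicts("172.17.0.1/16", vpc))
    print("192.168.200.1/24 conflicts:", bip_conflicts("192.168.200.1/24", vpc))
```

Run it against the real output of ip route show on a VM to confirm which interface a given remote address would leave through.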
