Understanding why ports need to be exposed for inter container communication on docker0

Question

I was going through docker official docs to understand the difference between user-defined and default bridge. Link to specific page - https://docs.docker.com/network/bridge/

In first point of section "Differences between user-defined bridges and the default bridge", it is stated that

If you run the same application stack on the default bridge network, you need to open both the web port and the database port, using the -p or --publish flag for each.

I don't understand this specific text, as to why it is need to explicitly publish(-p) required port of database container when it will be used only by some other container connected to the same bridge. My existing understanding is that, unless explicitly blocked, containers connected to the docker0 can freely communicate with each other.

So, this extract has confused me. Can somebody help ?

Answer 1

If you take away one thing from that page, it's that you should always docker create network and then docker run --net containers on that network, if you're using plain Docker commands. (Docker Compose does this automatically for you; Kubernetes's networking model is fundamentally different.)

If you docker run a container without a --net option then you wind up using a backwards-compatiblitiy networking mode. In this mode (the "default bridge network") from the page you cite containers cannot communicate with each other by default. Your two options are for the server to publish a port (docker run -p) and the client to connect to the published port on the host, or for the server to expose a port (almost always done with an EXPOSE directive in the Dockerfile) and the client to --link to it.

There's no real reason to be using this "default" mode at this point, and in practice the paragraph you cite shouldn't matter except for fairly old scripted Docker setups.