Is it possible to isolate docker container in user-defined overlay network from outside internet?

With the new network feature in Docker 1.10 it is possible to create isolated overlay networks, which works very well. Containers in 2 separate networks cannot talk to each other. Is it possible, however, to deny a container in an overlay network access to the public internet? E.g. to make ping 8.8.8.8 fail, while having the Docker host connected to the internet.

One solution collected from the web for “Is it possible to isolate docker container in user-defined overlay network from outside internet?”

    If you add the --internal flag when creating a network with the docker network create command, then that network will not have outbound network access:

    docker network create --internal --subnet 10.1.1.0/24 mynetwork
    

    I assume — but have not tested — that this works for overlay networks as well as for host-local networks.
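Whether a given network was actually created with `--internal` can be confirmed from the `Internal` field in `docker network inspect` output. The following is an added example, not part of the original answer: it audits that field and goes one step further by flagging containers that sit on an internal network but are also attached to a non-internal one, which gives them an outbound path. The JSON sample, the `appnet` network, the container names and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `docker network inspect mynetwork appnet`
# output; names, IDs and addresses are made up for illustration.
SAMPLE_INSPECT = """
[
  {"Name": "mynetwork", "Driver": "bridge", "Internal": true,
   "IPAM": {"Config": [{"Subnet": "10.1.1.0/24"}]},
   "Containers": {"aaa111": {"Name": "db", "IPv4Address": "10.1.1.2/24"},
                  "ccc333": {"Name": "worker", "IPv4Address": "10.1.1.3/24"}}},
  {"Name": "appnet", "Driver": "overlay", "Internal": false,
   "IPAM": {"Config": [{"Subnet": "10.0.9.0/24"}]},
   "Containers": {"bbb222": {"Name": "web", "IPv4Address": "10.0.9.3/24"},
                  "ccc333": {"Name": "worker", "IPv4Address": "10.0.9.4/24"}}}
]
"""

def audit_networks(inspect_json):
    """Map network name -> {"internal": bool, "containers": {id: name}}."""
    report = {}
    for net in json.loads(inspect_json):
        members = net.get("Containers") or {}
        report[net["Name"]] = {
            # A missing "Internal" field is treated as not internal, so it is flagged.
            "internal": bool(net.get("Internal", False)),
            "containers": {cid: c.get("Name", cid) for cid, c in members.items()},
        }
    return report

def networks_with_egress(inspect_json):
    """Names of networks that were not created with --internal."""
    return sorted(n for n, r in audit_networks(inspect_json).items() if not r["internal"])

def containers_bypassing_internal(inspect_json):
    """Containers on an internal network that also sit on a non-internal one."""
    isolated, exposed = {}, set()
    for r in audit_networks(inspect_json).values():
        if r["internal"]:
            isolated.update(r["containers"])
        else:
            exposed.update(r["containers"])
    return sorted(name for cid, name in isolated.items() if cid in exposed)

if __name__ == "__main__":
    print("not internal:", networks_with_egress(SAMPLE_INSPECT))
    print("bypass via second network:", containers_bypassing_internal(SAMPLE_INSPECT))
```

On a real host, pass the output of `docker network inspect` for the networks of interest to these functions in place of the constructed sample.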
