Is it possible to isolate docker container in user-defined overlay network from outside internet?

With new network feature in docker 1.10 it is possible to create isolated overlay networks – which works very well. Containers in 2 separate networks can not talk to each other. Is it possible, however, to deny container in overlay network to reach public internet? Eg to make ping 8.8.8.8 fail, while having docker host connected to internet.

  • Environment variables passed to docker run
  • Making a karaf/docker service read a configuration file
  • How do you remove the deploymentConfig, image streams, etc using Openshift OC?
  • Downgrading from PHP 7 to PHP 5 on a Docker Server
  • /var/run/docker.sock unaccessible in container running on centos 7
  • Docker failed to initialize
  • Docker access localhost
  • Run asp.net 4.5 in Docker
  • Heroku run Docker image with port parameter
  • Docker Compose - [link/mount volume/volume_from] sharing data between containers, not using host
  • babel-watch doesn't work from docker container on windows host when mounting a host directory as a network share
  • Docker image seemingly having missing layers
  • One Solution collect form web for “Is it possible to isolate docker container in user-defined overlay network from outside internet?”

    If you add the --internal flag when creating a network with the docker network create command, then that network will not have outbound network access:

    docker network  create --internal --subnet 10.1.1.0/24 mynetwork
    

    I assume — but have not tested — that this works for overlay networks as well as for host-local networks.

    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.