Is it possible to isolate docker container in user-defined overlay network from outside internet?

With the new network feature in Docker 1.10 it is possible to create isolated overlay networks, which works very well. Containers in 2 separate networks cannot talk to each other. Is it possible, however, to prevent a container in an overlay network from reaching the public internet? E.g. to make ping 8.8.8.8 fail while the Docker host is connected to the internet.

Answer:

If you add the --internal flag when creating a network with the docker network create command, then that network will not have outbound network access:

    docker network create --internal --subnet 10.1.1.0/24 mynetwork

I assume — but have not tested — that this works for overlay networks as well as for host-local networks.
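A worked check for the answer above, added here and not part of the original post. It assumes the network name isolated_net, the alpine image and a Swarm-mode daemon (overlay networks need one, or an external key-value store on Docker 1.10); since docker network create defaults to the bridge driver, --driver overlay is passed explicitly.

```shell
#!/usr/bin/env bash
# Added example, not part of the original answer. Creates an *internal*
# overlay network and checks that a container attached to it cannot reach
# the public internet. Network name "isolated_net" and the alpine image
# are assumptions; overlay networks require a Swarm-mode daemon.
set -eu

NET_NAME="isolated_net"

# Pure check, runnable offline: does `docker network inspect` JSON (read
# from stdin) carry "Internal": true? Exit 0 if so, 1 otherwise.
network_is_internal() {
  grep -Eq '"Internal"[[:space:]]*:[[:space:]]*true'
}

# Create the network. With --internal, Docker adds no default route and no
# masquerading rule for it, so traffic to addresses outside the subnet has
# nowhere to go; containers on the network can still talk to each other.
create_isolated_overlay() {
  docker network create --driver overlay --internal \
    --subnet 10.1.1.0/24 "$1"
}

# Exit 0 when a throwaway container on the network cannot ping 8.8.8.8.
# A container attached to a *second*, non-internal network still has egress
# through that one, so check every network the workload joins.
egress_blocked() {
  ! docker run --rm --network "$1" alpine ping -c 1 -W 2 8.8.8.8 \
      >/dev/null 2>&1
}

main() {
  create_isolated_overlay "$NET_NAME"
  docker network inspect "$NET_NAME" | network_is_internal \
    || { echo "network was not created as internal" >&2; exit 1; }
  if egress_blocked "$NET_NAME"; then
    echo "OK: containers on $NET_NAME cannot reach 8.8.8.8"
  else
    echo "FAIL: egress from $NET_NAME is still possible" >&2; exit 1
  fi
  docker network rm "$NET_NAME"
}

# Only touch the Docker daemon when explicitly asked: ./isolate.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

The offline helper lets you verify the flag from saved inspect output; the docker functions need a live daemon.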
