Working around NAT

Fortunately, we have techniques to obviate NAT. Chris Swan, CTO of Cohesive Networks, aptly summarized his philosophy of container networking as making containers “first-class citizens of the network” in his talk on Docker networking at Container Camp in 2014.

We can do that by attaching containers directly to hosts’ network interfaces. The containers share the local area network (LAN) with the host. They obtain an IPv4 address from the LAN’s DHCP server or use static addresses. All Layer 4 ports are fully exposed. While this direct exposure is less messy than managing mapped ports, maintaining a strong security posture requires discipline.

Expect to see performance enhancements in both the macvlan and ipvlan drivers in the future.
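The following is an added example, not code from the original text or from Docker. It reads output shaped like `docker network inspect` and lists every container attached through the macvlan or ipvlan driver, since those are the containers whose Layer 4 ports are reachable from the LAN with no port mapping in between. The JSON sample, network names, interface names and addresses are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of `docker network inspect` output.
SAMPLE = """
[
  {"Name": "bridge", "Driver": "bridge", "Options": {},
   "IPAM": {"Config": [{"Subnet": "172.17.0.0/16"}]},
   "Containers": {"a1": {"Name": "cache", "IPv4Address": "172.17.0.2/16"}}},
  {"Name": "lan", "Driver": "macvlan", "Options": {"parent": "eth0"},
   "IPAM": {"Config": [{"Subnet": "192.168.1.0/24"}]},
   "Containers": {"c3": {"Name": "db", "IPv4Address": "192.168.1.51/24"},
                  "b2": {"Name": "web", "IPv4Address": "192.168.1.50/24"}}},
  {"Name": "lan2", "Driver": "ipvlan", "Options": {"parent": "eth1"},
   "IPAM": {"Config": [{"Subnet": "10.0.5.0/24"}]},
   "Containers": {}}
]
"""

# Drivers that place a container directly on the host's physical network.
DIRECT_DRIVERS = {"macvlan", "ipvlan"}


def lan_exposed(networks):
    """Return one record per container attached to a macvlan/ipvlan network."""
    found = []
    for net in networks:
        if net.get("Driver") not in DIRECT_DRIVERS:
            continue  # bridge networks still sit behind NAT / port mapping
        parent = (net.get("Options") or {}).get("parent", "unknown")
        for cid, info in (net.get("Containers") or {}).items():
            raw = info.get("IPv4Address", "")
            if not raw:
                continue  # attached, but no IPv4 address assigned
            found.append({
                "container": info.get("Name", cid),
                "network": net.get("Name", "?"),
                "driver": net["Driver"],
                "parent": parent,
                # Drop the prefix length: "192.168.1.50/24" -> "192.168.1.50"
                "ip": str(ipaddress.ip_interface(raw).ip),
            })
    # Sort numerically by address so the report is stable across runs.
    return sorted(found, key=lambda r: ipaddress.ip_address(r["ip"]))


if __name__ == "__main__":
    for r in lan_exposed(json.loads(SAMPLE)):
        print(f'{r["container"]:8} {r["ip"]:15} {r["driver"]} on {r["parent"]}')
```

The resulting list is the set of addresses that host or LAN firewall rules need to cover, because no published-port configuration limits what these containers expose.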

