A systems administrator is deploying multiple Linux containers on a single host. The containers need to reach Internet resources, but they must not be directly addressable from outside the host, and the administrator must avoid assigning a public IP address to every container. Which host-level network configuration BEST satisfies these requirements?
Place the containers on a dedicated 802.1Q VLAN.
Attach every container to a macvlan network that bridges to the physical LAN.
Run each container in host network mode.
Enable IP masquerading (source NAT) on the container bridge interface.
Enabling IP masquerading (source NAT) on the container bridge interface translates each container's source address to the host's address for outbound traffic. Containers retain private addresses, remain unreachable from the Internet unless ports are explicitly published, and no additional public IPs are consumed.
Host network mode also avoids extra IPs but removes network isolation and causes port-binding conflicts, making it less suitable. A macvlan network places each container directly on the upstream network, so each would still need its own routable address. Merely isolating the containers in a separate 802.1Q VLAN provides segmentation but does not perform address translation, so external connectivity would still require individual routable IPs.