Relationship between bridge and veth for Docker network

Question

On my Ubuntu 22.04 host, I've created a Docker network with the bridge driver and started up a container within that network.

Running ip addr on my host, I see these two interfaces:

5: br-fc7599764562: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:d4:4f:b9:39 brd ff:ff:ff:ff:ff:ff
    inet 172.21.0.1/16 brd 172.21.255.255 scope global br-fc7599764562
        valid_lft forever preferred_lft forever
    inet6 fe80::42:d4ff:fe4f:b939/64 scope link
        valid_lftforever preferred_lft forever
6: vethe6879a0@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-fc7599764562 state UP group default
    link/ether e2:e8:0f:5b:37:a0 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::e0e8:fff:fe5b:37a0/64 scope link
        valid_lft forever preferred_lft forever

Clearly, these two interfaces are related as the second lists the first as "master". What is the relationship?

Some context for the question: I actually have two Docker networks with one container inside each. Using iptables, I've set up NAT between them (or, at least, I think I have) and am trying to ping one container from the other. Running Wireshark on the host, I see the ICMP packet come in on the bridge interface and going out on the veth interface (instead of the other bridge).

Answer 1

A bridge device is a virtual switch. A veth interface is a virtual ethernet cable that connects the container to the "switch": when you create a veth device, you get two interfaces; Docker puts one interface inside the container (that becomes eth0 in the container), and the other end of the device is attached to the bridge.

This article has some additional details on veth devices and a general overview of various other virtual interface types.