← Back to Infrastructure Documentation

Network Topology

Docker Network Architecture on linuxserver.lan

Docker Networks

Containers

Core Networks

Service Networks

Entry/Routing

Security

AI Services

Data Storage

Applications

Observability

Network Flow Architecture

Traffic flows through network layers from external access to internal services:

Entry Layer (traefik-net)

Internet

Traefik (:443)

40+ Services

↓

Security Layer (keycloak-net)

Keycloak SSO

16 OAuth2 Proxies

Token Validation

↓

AI/MCP Layer (mcp-net, litellm-net)

MCP Code Executor

LiteLLM

OpenMemory

MCP Servers (10+)

↓

Data Layer (postgres-net, redis-net, mongodb-net, etc.)

PostgreSQL

TimescaleDB

Redis

MongoDB

Qdrant

ArangoDB

↓

Observability Layer (loki-net, monitoring-net)

Loki

Promtail

Grafana

Netdata

Dozzle

Core Networks (Critical Infrastructure)

These 5 networks form the backbone of the infrastructure. Most services connect to multiple core networks.

`traefik-net`

All externally accessible services. Traefik routes HTTPS traffic to containers on this network.

Connected: 40+ containers

traefik keycloak litellm grafana-auth-proxy gitlab portainer +35 more

`keycloak-net`

OAuth2 proxies connect here to validate tokens with Keycloak. Essential for SSO.

Connected: 21 containers

keycloak alist-auth-proxy grafana-auth-proxy portainer-auth-proxy +12 proxies

`postgres-net`

PostgreSQL database connectivity. Services needing relational data connect here.

Connected: 16 containers

postgres keycloak-postgres timescaledb keycloak litellm n8n mcp-postgres

`mcp-net`

Model Context Protocol servers communicate here. Central to AI agent operations.

Connected: 18 containers

mcp-code-executor mcp-filesystem mcp-postgres mcp-playwright mcp-n8n litellm openmemory-api

`loki-net`

Log aggregation network. Promtail sends logs to Loki; Grafana queries Loki.

Connected: 5 containers

loki promtail grafana loki-ui loki-auth-proxy

All Networks (29 Total)

Entry/Routing Networks

traefik-net 40+ containers

Primary entry point for all external traffic. Traefik reverse proxy routes HTTPS requests.

Security Networks

keycloak-net 21 containers

SSO authentication layer. OAuth2 proxies validate tokens with Keycloak.

AI/MCP Networks

mcp-net 18 containers

MCP server communication. All MCP tools connect through this network.

litellm-net 5 containers

LiteLLM proxy network for unified LLM API access.

mcp-ib-net 2 containers

Interactive Brokers MCP server network.

Data Storage Networks

postgres-net 16 containers

PostgreSQL database access for relational data storage.

timescaledb-net 4 containers

TimescaleDB for time-series data and metrics storage.

redis-net 6 containers

Redis cache and session storage.

mongodb-net 4 containers

MongoDB document database access.

qdrant-net 3 containers

Qdrant vector database for embeddings/similarity search.

arangodb-net 2 containers

ArangoDB multi-model database (graph, document, key-value).

minio-net 3 containers

MinIO S3-compatible object storage.

Observability Networks

loki-net 5 containers

Log aggregation with Loki, Promtail, Grafana.

monitoring-net 3 containers

System monitoring and metrics collection.

netdata-net 2 containers

Real-time system performance monitoring.

grafana-net 2 containers

Grafana visualization and dashboards.

dozzle-net 2 containers

Real-time Docker log viewer.

Application Networks

gitlab-net 3 containers

GitLab source code management.

n8n-net 4 containers

n8n workflow automation.

guacamole-net 3 containers

Apache Guacamole remote desktop gateway.

mailserver-net 2 containers

Email server infrastructure.

dashy-net 2 containers

Dashy dashboard application.

alist-net 2 containers

AList file manager and storage aggregator.

Network Connection Patterns

Standard patterns for connecting containers to networks based on service type:

3-Network Pattern (OAuth2 Protected Service)

Used for services requiring SSO protection and external access.

traefik-net keycloak-net {service}-net

Examples: Grafana, Portainer, Dozzle

2-Network Pattern (Database Client)

Used for services that need external access and database connectivity.

traefik-net postgres-net

Examples: Keycloak, LiteLLM, n8n

1-Network Pattern (Simple Service)

Used for standalone services with only external access needs.

traefik-net

Examples: Draw.io, Stirling PDF, Bitwarden

MCP Server Pattern

Used for MCP servers that need tool access and inter-server communication.

mcp-net {resource}-net

Examples: mcp-postgres (mcp-net + postgres-net), mcp-filesystem (mcp-net only)

Network Troubleshooting

Common Commands

# List all networks
docker network ls

# Inspect a network (see connected containers)
docker network inspect traefik-net

# Connect container to network
docker network connect keycloak-net {container-name}

# Disconnect container from network
docker network disconnect {network} {container}

# Test connectivity from container
docker exec {container} ping -c 1 {target-container}

# Check container network settings
docker inspect {container} --format '{{json .NetworkSettings.Networks}}' | jq .
            

Common Issues

Container can't reach another container: Verify both are on the same network
DNS not resolving: Container names are DNS names within Docker networks
OAuth2 proxy timeout: Auth proxy likely not on keycloak-net
502 Bad Gateway: Auth proxy not on same network as backend service
MCP tool not responding: Check mcp-net connectivity