@@ -47,6 +47,8 @@ func (cli *DockerCli) CmdNetworkCreate(args ...string) error {

 	cmd.Var(flIpamAux, []string{"-aux-address"}, "auxiliary ipv4 or ipv6 addresses used by Network driver")

 	cmd.Var(flOpts, []string{"o", "-opt"}, "set driver specific options")

+	flInternal := cmd.Bool([]string{"-internal"}, false, "restricts external access to the network")

+

 	cmd.Require(flag.Exact, 1)

 	err := cmd.ParseFlags(args, true)

 	if err != nil {

@@ -72,6 +74,7 @@ func (cli *DockerCli) CmdNetworkCreate(args ...string) error {

 		IPAM:           network.IPAM{Driver: *flIpamDriver, Config: ipamCfg},

 		Options:        flOpts.GetAll(),

 		CheckDuplicate: true,

+		Internal:       *flInternal,

 	}

 	resp, err := cli.client.NetworkCreate(nc)

@@ -13,7 +13,7 @@ type Backend interface {

 	GetNetworksByID(partialID string) []libnetwork.Network

 	GetAllNetworks() []libnetwork.Network

 	CreateNetwork(name, driver string, ipam network.IPAM,

-		options map[string]string) (libnetwork.Network, error)

+		options map[string]string, internal bool) (libnetwork.Network, error)

 	ConnectContainerToNetwork(containerName, networkName string, endpointConfig *network.EndpointSettings) error

 	DisconnectContainerFromNetwork(containerName string,

 		network libnetwork.Network) error

@@ -92,7 +92,7 @@ func (n *networkRouter) postNetworkCreate(ctx context.Context, w http.ResponseWr

 		warning = fmt.Sprintf("Network with name %s (id : %s) already exists", nw.Name(), nw.ID())

 	}

-	nw, err = n.backend.CreateNetwork(create.Name, create.Driver, create.IPAM, create.Options)

+	nw, err = n.backend.CreateNetwork(create.Name, create.Driver, create.IPAM, create.Options, create.Internal)

 	if err != nil {

 		return err

 	}

@@ -101,7 +101,7 @@ func (daemon *Daemon) GetAllNetworks() []libnetwork.Network {

 }

 // CreateNetwork creates a network with the given name, driver and other optional parameters

-func (daemon *Daemon) CreateNetwork(name, driver string, ipam network.IPAM, options map[string]string) (libnetwork.Network, error) {

+func (daemon *Daemon) CreateNetwork(name, driver string, ipam network.IPAM, options map[string]string, internal bool) (libnetwork.Network, error) {

 	c := daemon.netController

 	if driver == "" {

 		driver = c.Config().Daemon.DefaultDriver

@@ -116,6 +116,9 @@ func (daemon *Daemon) CreateNetwork(name, driver string, ipam network.IPAM, opti

 	nwOptions = append(nwOptions, libnetwork.NetworkOptionIpam(ipam.Driver, "", v4Conf, v6Conf, nil))

 	nwOptions = append(nwOptions, libnetwork.NetworkOptionDriverOpts(options))

+	if internal {

+		nwOptions = append(nwOptions, libnetwork.NetworkOptionInternalNetwork())

+	}

 	n, err := c.NewNetwork(driver, name, nwOptions...)

 	if err != nil {

 		return nil, err

@@ -114,6 +114,7 @@ This section lists each version from latest to oldest.  Each listing includes a

 * `POST /containers/create` now allows you to set the static IPv4 and/or IPv6 address for the container.

 * `POST /networks/(id)/connect` now allows you to set the static IPv4 and/or IPv6 address for the container.

 * `GET /info` now includes the number of containers running, stopped, and paused.

+* `POST /networks/create` now supports restricting external access to the network by setting the `internal` field.

 ### v1.21 API changes

@@ -2985,13 +2985,15 @@ Content-Type: application/json

 {

   "Name":"isolated_nw",

-  "Driver":"bridge"

+  "Driver":"bridge",

   "IPAM":{

     "Config":[{

       "Subnet":"172.20.0.0/16",

       "IPRange":"172.20.10.0/24",

       "Gateway":"172.20.10.11"

     }]

+  },

+  "Internal":true

 }

 ```

@@ -18,6 +18,7 @@ parent = "smn_cli"

     -d --driver=DRIVER       Driver to manage the Network bridge or overlay. The default is bridge.

     --gateway=[]             ipv4 or ipv6 Gateway for the master subnet

     --help                   Print usage

+    --internal               Restricts external access to the network

     --ip-range=[]            Allocate container ip from a sub-range

     --ipam-driver=default    IP Address Management Driver

     -o --opt=map[]           Set custom network plugin options

@@ -120,6 +121,11 @@ docker network create -d overlay

 ```

 Be sure that your subnetworks do not overlap. If they do, the network create fails and Engine returns an error.

+### Network internal mode

+

+By default, when you connect a container to an `overlay` network, Docker also connects a bridge network to it to provide external connectivity.

+If you want to create an externally isolated `overlay` network, you can specify the `--internal` option.

+

 ## Related information

 * [network inspect](network_inspect.md)

@@ -10,6 +10,7 @@ docker-network-create - create a new network

 [**-d**|**--driver**=*DRIVER*]

 [**--gateway**=*[]*]

 [**--help**]

+[**--internal**]

 [**--ip-range**=*[]*]

 [**--ipam-driver**=*default*]

 [**-o**|**--opt**=*map[]*]

@@ -120,6 +121,11 @@ docker network create -d overlay

 ```

 Be sure that your subnetworks do not overlap. If they do, the network create fails and Engine returns an error.

+### Network internal mode

+

+By default, when you connect a container to an `overlay` network, Docker also connects a bridge network to it to provide external connectivity.

+If you want to create an externally isolated `overlay` network, you can specify the `--internal` option.

+

 # OPTIONS

 **--aux-address**=map[]

   Auxiliary ipv4 or ipv6 addresses used by network driver

@@ -133,6 +139,9 @@ Be sure that your subnetworks do not overlap. If they do, the network create fai

 **--help**

   Print usage

+**--internal**

+  Restricts external access to the network

+

 **--ip-range**=[]

   Allocate container ip from a sub-range