Docker Container Port Reference — Default Ports for Common Docker Images
This Docker port reference lists the default exposed ports for the most commonly used Docker container images — databases, web servers, message queues, monitoring tools and development services. Use this guide when writing docker-compose files, configuring Kubernetes services, setting up reverse proxies, or opening firewall rules for containerised applications.
How Docker Port Mapping Works
Docker containers run in isolated networks. To access a container service from the host or external network, you must publish a port using -p host_port:container_port (e.g. -p 8080:80 maps host port 8080 to container port 80). In docker-compose, this is configured under the ports key. In Kubernetes, ports are exposed via Service objects of type ClusterIP, NodePort or LoadBalancer.
Docker Security — Port Exposure Best Practices
- Only publish ports that need to be externally accessible — databases should never be published to the host
- Bind to specific interfaces: 127.0.0.1:3306:3306 restricts MySQL to localhost only
- Use Docker networks for inter-container communication — containers on the same network can reach each other by service name without publishing ports
- Place all public-facing services behind a reverse proxy (nginx, Traefik, Caddy) and only publish ports 80 and 443
- Use Docker secrets or environment variable files (not command-line flags) for sensitive configuration — port 5432 accessible with a weak PostgreSQL password is a critical vulnerability
docker-compose Port Mapping Example
In a typical web application stack, only your reverse proxy needs published ports. Your app server, database and cache containers should communicate via an internal Docker network with no published ports — protecting them from direct external access even if the host firewall is misconfigured.
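A compose file laid out this way, as an added example that is not part of the original page. The service names, image tags, network names and secret file path are assumptions chosen for illustration.

```yaml
# Constructed example: names, tags and paths below are illustrative assumptions.
services:
  proxy:
    image: nginx:stable
    ports:                      # the only published ports in the stack
      - "80:80"
      - "443:443"
    networks:
      - frontend

  app:
    image: example/app:latest   # hypothetical application image
    expose:
      - "8000"                  # documents the port; does NOT publish it to the host
    networks:
      - frontend                # reachable by the proxy as http://app:8000
      - backend

  db:
    image: postgres:16
    environment:
      # Password read from a secret file, not passed inline or on the command line
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
    networks:
      - backend                 # reachable by the app as db:5432
    # Weak setting, shown for contrast (binds 0.0.0.0, all host interfaces):
    #   ports: ["5432:5432"]
    # If host access is needed for local debugging, restrict it to loopback:
    #   ports: ["127.0.0.1:5432:5432"]

  cache:
    image: redis:7
    networks:
      - backend                 # reachable by the app as cache:6379

networks:
  frontend:
  backend:
    internal: true              # no route from this network to outside the host

secrets:
  db_password:
    file: ./db_password.txt     # assumed path; keep this file out of version control
```

Running docker compose ps against this stack should list host bindings for the proxy service only; db and cache show container ports with no host address in front of them.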