content/manuals/security/faqs/networking-and-vms.md
Docker Desktop doesn't have a built-in mechanism for this, but you can use process-level firewalls on the host. Apply rules to the com.docker.vpnkit user-space process to control where it can connect (DNS allowlists, packet filters) and which ports/protocols it can use.
For enterprise environments, consider Air-gapped containers, which provide network access controls for containers.
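As a concrete illustration of the per-process approach described above, here is an added example (not part of the Docker documentation) of Windows Defender Firewall rules scoped to the vpnkit binary; the executable path, resolver address and registry address are placeholders that must be replaced with your own values.

```powershell
# Added example (not from the Docker docs): per-process Windows Defender Firewall rules
# for the Docker Desktop vpnkit proxy. Run from an elevated PowerShell session.
# ASSUMPTION: the install path below is a placeholder; confirm where com.docker.vpnkit.exe
# lives on your machine first (e.g. Get-Process com.docker.vpnkit | Select-Object Path).
$VpnKit   = 'C:\Program Files\Docker\Docker\resources\com.docker.vpnkit.exe'  # placeholder
$Resolver = '10.0.0.53'   # constructed: the only DNS server containers may reach
$Registry = '10.0.0.80'   # constructed: internal registry mirror reached over TLS

# 1. Deny clear-text HTTP and SMB leaving the VM through vpnkit.
#    Block rules take precedence over allow rules in Windows Firewall, so this
#    is effective regardless of the profile's default outbound action.
New-NetFirewallRule -DisplayName 'Docker vpnkit: block HTTP/SMB out' `
    -Direction Outbound -Program $VpnKit -Protocol TCP -RemotePort 80,445 `
    -Action Block -Profile Any

# 2. Allow DNS only to the approved resolver and TLS only to the internal registry.
New-NetFirewallRule -DisplayName 'Docker vpnkit: allow DNS to approved resolver' `
    -Direction Outbound -Program $VpnKit -Protocol UDP `
    -RemoteAddress $Resolver -RemotePort 53 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'Docker vpnkit: allow registry over TLS' `
    -Direction Outbound -Program $VpnKit -Protocol TCP `
    -RemoteAddress $Registry -RemotePort 443 -Action Allow -Profile Any

# Caveat: the allow rules only act as an allowlist once the profile's default
# outbound action is Block; until then, unlisted destinations stay reachable.
# That setting affects every process on the host, so apply it deliberately:
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# Verify which rules are bound to the vpnkit binary.
Get-NetFirewallRule -DisplayName 'Docker vpnkit:*' |
    Get-NetFirewallApplicationFilter |
    Select-Object Program, InstanceID
```

Because host networking is also performed by com.docker.backend.exe, apply equivalent rules to that binary or the restriction is incomplete.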
Yes. Docker Desktop uses a user-space process (com.docker.vpnkit) for network connectivity, which inherits constraints like firewall rules, VPN settings, and HTTP proxy properties from the user that launched it.
No. The DockerDesktopVM name is hard-coded in the service, so you cannot use Docker Desktop to create or manipulate other virtual machines.
Docker Desktop uses the same VM processes for both WSL 2 (in the docker-desktop distribution) and Hyper-V (in DockerDesktopVM). Host/VM communication uses AF_VSOCK hypervisor sockets (shared memory) rather than network switches or interfaces. All host networking is performed using standard TCP/IP sockets from the com.docker.vpnkit.exe and com.docker.backend.exe processes.
For more information, see How Docker Desktop networking works under the hood.