Docker Containers on Windows sometimes unable to get ports during startup

I have recently started making more use of Docker Desktop on my Windows 11 workstation, particularly in conjunction with VS Code's Remote - Containers extension and the iris-python-template repo from @Guillaume Rongier

Sometimes the container would start smoothly, but other times it would fail and report being unable to use a port.

Eventually I tracked the problem down. The Windows NAT Driver service apparently uses an OS facility to reserve a large range of ports.

Here's what an admin-level command shell showed when the container wouldn't start:

PS C:\WINDOWS\system32> netsh int ipv4 show exclude proto=tcp

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
        80          80
       443         443
      5357        5357
     49685       49784
     49785       49884
     49885       49984
     50000       50059     *
     50160       50259
     50260       50359
     50360       50459
     50460       50559
     50560       50659
     52182       52281
     52579       52678
     52679       52778
     52779       52878
     52879       52978
     52979       53078
     53170       53269
     53270       53369
     53370       53469
     53470       53569
     53582       53681
     53682       53781

* - Administered port exclusions.

PS C:\WINDOWS\system32>

Notice how these reservations include ones that the docker-compose.yml of iris-python-template specifies:

    ports:
    - 52775:52773

Solution was to restart the winnat service:

PS C:\WINDOWS\system32> net stop winnat

The Windows NAT Driver service was stopped successfully.

PS C:\WINDOWS\system32> netsh int ipv4 show exclude proto=tcp

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
        80          80
       443         443
      5357        5357
     50000       50059     *

* - Administered port exclusions.

PS C:\WINDOWS\system32> net start winnat

The Windows NAT Driver service was started successfully.

PS C:\WINDOWS\system32> netsh int ipv4 show exclude proto=tcp

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
        80          80
       443         443
      5357        5357
     50000       50059     *

* - Administered port exclusions.

PS C:\WINDOWS\system32>

Interestingly the service didn't immediately reserve the port ranges again. I haven't dug any deeper, but am posting this article in case someone else hits the same problem.