In a non-Docker environment, I would break my web application, middle tier and database tier into separate subnets. For example, I would create a DMZ for the public-facing web application, and then only allow the applicable ports to be open between the DMZ and the middle tier, and similar for the traffic going through to the database subnet.
Being new to Docker, I am trying to understand how this would work in a container-based environment where all of the above are in images.
In particular, my questions are:
- Is it common practice to still use separate subnets and deploy separate Docker clusters into each subnet?
- Is it common practice with Docker to have different Docker containers within the same cluster (and potentially on the same Docker host) that would have, in a non-Docker environment, been separated by subnets? i.e. have a web application, middle tier and database in the same Docker cluster and control the traffic between them using networking rules in Docker?
Any general guidance on how to structure an n-tier type application where all tiers are in Docker would be useful.
Thanks in advance