diff --git a/ansible/roles/docker-registry/defaults/main.yml b/ansible/roles/docker-registry/defaults/main.yml
index 7d25a518e3b67a7434b7f2a7badc17a92ee8cf1a..66c631ee1de3cf6a10e226e85851873cc9c4fdb1 100644
--- a/ansible/roles/docker-registry/defaults/main.yml
+++ b/ansible/roles/docker-registry/defaults/main.yml
@@ -17,6 +17,11 @@ docker_registry_enabled: true
 # pull through cache.
 docker_registry_env: {}
 
+# Dict of environment variables setting a listen port for docker registry
+# container.
+docker_registry_env_listen:
+  REGISTRY_HTTP_ADDR: "0.0.0.0:{{ docker_registry_port }}"
+
 # Dict of environment variables to provide to the docker registry container
 # when TLS is enabled.
 docker_registry_env_tls:
@@ -38,11 +43,11 @@ docker_registry_services:
      {{ {} |
         combine(docker_registry_env_tls if docker_registry_enable_tls | bool else {}) |
         combine(docker_registry_env_basic_auth if docker_registry_enable_basic_auth | bool else {}) |
+        combine(docker_registry_env_listen) |
         combine(docker_registry_env) }}
     enabled: "{{ docker_registry_enabled }}"
     image: "{{ docker_registry_image_full }}"
-    ports:
-      - "{{ docker_registry_port }}:5000"
+    network_mode: host
     volumes: "{{ docker_registry_volumes | select | list }}"
 
 # The port on which the docker registry server should listen.
diff --git a/ansible/roles/docker-registry/tasks/deploy.yml b/ansible/roles/docker-registry/tasks/deploy.yml
index e8bb7f7f08316b68a0bb7e85c8b6bbba20416560..ca038c7e45668e07cf62d161113ad122c58da305 100644
--- a/ansible/roles/docker-registry/tasks/deploy.yml
+++ b/ansible/roles/docker-registry/tasks/deploy.yml
@@ -6,6 +6,7 @@
     env: "{{ item.value.env }}"
     image: "{{ item.value.image }}"
     name: "{{ item.value.container_name }}"
+    network_mode: "{{ item.value.network_mode }}"
     ports: "{{ item.value.ports | default(omit) }}"
     privileged: "{{ item.value.privileged | default(omit) }}"
     read_only: "{{ item.value.read_only | default(omit) }}"
diff --git a/releasenotes/notes/docker-registry-network-mode-ef7de6a7463ca5e5.yaml b/releasenotes/notes/docker-registry-network-mode-ef7de6a7463ca5e5.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..506b0f7da5c5cd24cb1d8636f5cf2a87cb966c9d
--- /dev/null
+++ b/releasenotes/notes/docker-registry-network-mode-ef7de6a7463ca5e5.yaml
@@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    The ``docker_registry`` network mode has been changed from ``bridge`` to
+    ``host`` for compatibility when Docker is prevented from manipulating iptables
+    (default behaviour in Wallaby).