In my docker setup, I'm running two containers:

1) Python-Flask app running on port 5000 managed by the supervisor

2)NGINX workload managed by supervisor listening to python-flask app container on port 5000 as reverse-proxy

These two containers are managed by a docker bridge network with a subnet range of 15.1.0.0/16. Here, I'm not exposing/publishing any ports from the python-flask app container to the docker host. I'm just exposing port 80 of the NGINX container to access my app.

As expected, I can access my app in the docker host using the IP address of the NGINX container. But the problem is, without exposing any ports in the Python-Flask app container, I can able to access the app from the host machine.

For example, let's take the IP address of the python-flask app container as 15.1.1.10 and the app is running on port 5000, when I run "curl http://15.1.1.10:5000" on my host machine, I can able to access my app which is not the expected behavior. 

How do I stop exposing my app container to the host machine? Should I have to add any additional configurations in the supervisord.conf file? Please help.