Hello, I need some help on network segregation. I have a webservice container using a database. The webservice is reachable on port 80. It needs to communicate with the db but should not communicate with the internet. I would like to block it at the docker-compose level.

docker-compose.yml

version: '2'

services:
  db:
    image: mariadb
    environment:
      <...>
    volumes:
      <...>

  web:
    image: myWebService
    environment:
      <...>
    depends_on:
      - db
    links:
      - db:db
    ports:
      - "80:80"
    volumes:
      <...>
    networks:
      - no-internet


# Block internet access
networks:
  no-internet:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.enable_ip_masquerade: "false"

But this also blocks traffic between the webservice and the db. I guess I need 2 networks, but how will the webservice know which network to use to get to the db and to try accessing the internet? Could you please help?

Thank you
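
One way to address the problem described above, as an added example that is not part of the original post: in the posted file `db` declares no `networks` key, so Compose attaches it to the project's default network while `web` sits only on `no-internet`, and the two services share no network. The sketch below attaches both to the same network; the image name comes from the post, and the elided `environment` and `volumes` values are left out rather than guessed.

```yaml
version: '2'

services:
  db:
    image: mariadb
    # environment / volumes: as in the post (elided there)
    networks:
      - no-internet        # same network as web, so web can reach it

  web:
    image: myWebService    # placeholder name from the post
    # environment / volumes: as in the post (elided there)
    depends_on:
      - db
    ports:
      - "80:80"
    networks:
      - no-internet        # the only network web is attached to
    # No "links" entry: on a shared user-defined network the service
    # name "db" resolves through Docker's embedded DNS.

networks:
  no-internet:
    driver: bridge
    driver_opts:
      # Option from the post: no source NAT for traffic leaving this bridge.
      com.docker.network.bridge.enable_ip_masquerade: "false"
```

A container does not choose a network per destination: it gets one interface per attached network, and `db` resolves to an address on the network both services share. With this layout `db` loses outbound access as well, since it is no longer on the default network.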