I learned this lesson the hard way. Docker lets us expose ports from our application to the host machine. My docker-compose file looked something like this:


But here's the catch: this setup also publishes our MongoDB on the host's port 27017, on every interface. So, if someone accidentally opens up the server where this docker-compose file is running to the world, anyone can reach my Mongo database directly.

Here's the fix:

Map your restricted ports to localhost (`127.0.0.1:27017:27017` instead of `27017:27017`), so that only the host and the other services on the Docker network can access Mongo.

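As an added example (not code from the original post), here is a small Python audit that walks an already-parsed docker-compose structure and flags every port mapping published on all host interfaces, covering both the short `HOST_IP:HOST_PORT:CONTAINER_PORT` syntax and the long `host_ip`/`published` form; the compose data below is a constructed sample shaped like the post's setup, with an `app` service meant to be public and a `mongo` service that is not. It also includes the one-line rewrite of a wide-open short mapping to the loopback form the post recommends.

```python
"""Audit docker-compose port mappings for services published on all host interfaces."""
from typing import Dict, List, Tuple, Union

# Constructed sample (assumption): the shape `yaml.safe_load` would give for a compose file
# like the one in the post. 'app' is meant to be reachable; 'mongo' and 'redis' are not.
SAMPLE_COMPOSE: Dict = {
    "services": {
        "app": {"image": "my-app", "ports": ["3000:3000"]},
        "mongo": {"image": "mongo", "ports": ["27017:27017"]},          # wide open
        "redis": {"image": "redis", "ports": [{"target": 6379, "published": 6379}]},
        "safe-mongo": {"image": "mongo", "ports": ["127.0.0.1:27017:27017"]},  # fixed
    }
}

def host_binding(mapping: Union[str, dict]) -> Tuple[str, str]:
    """Return (host_ip, host_port) for one compose port mapping.

    A missing host IP means Docker binds 0.0.0.0, i.e. every interface on the host.
    Short syntax: [HOST_IP:]HOST_PORT:CONTAINER_PORT[/PROTOCOL], or a bare CONTAINER_PORT.
    Long syntax: a dict with 'target', optional 'published' and optional 'host_ip'.
    """
    if isinstance(mapping, dict):
        port = mapping.get("published", mapping.get("target", ""))
        return str(mapping.get("host_ip", "0.0.0.0")), str(port)
    spec = str(mapping).split("/")[0]          # drop a trailing /tcp or /udp
    if spec.startswith("["):                   # [IPv6]:HOST_PORT:CONTAINER_PORT
        ip, rest = spec[1:].split("]:", 1)
        return ip, rest.split(":")[0]
    parts = spec.split(":")
    if len(parts) == 3:                        # HOST_IP:HOST_PORT:CONTAINER_PORT
        return parts[0], parts[1]
    if len(parts) == 2:                        # HOST_PORT:CONTAINER_PORT
        return "0.0.0.0", parts[0]
    return "0.0.0.0", "<ephemeral>"            # bare CONTAINER_PORT: random host port, all interfaces

def is_loopback(ip: str) -> bool:
    return ip.startswith("127.") or ip in ("::1", "localhost")

def find_wide_open(compose: dict, allowed_public: frozenset = frozenset()) -> List[str]:
    """List 'service:host_port' for mappings bound to a non-loopback interface,
    skipping services that are intentionally public."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        if name in allowed_public:
            continue
        for mapping in svc.get("ports", []):
            ip, port = host_binding(mapping)
            if not is_loopback(ip):
                findings.append(f"{name}:{port}")
    return findings

def to_loopback(mapping: str) -> str:
    """Rewrite a short-syntax HOST_PORT:CONTAINER_PORT mapping to bind only to 127.0.0.1."""
    return mapping if mapping.count(":") >= 2 else f"127.0.0.1:{mapping}"
```

Run it against your own compose file by replacing `SAMPLE_COMPOSE` with the result of `yaml.safe_load(open("docker-compose.yml"))`; every service it reports that is not meant to face the network should get the loopback rewrite.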