diff --git a/docs/advanced-config/README.md b/docs/advanced-config/README.md
index 962c3422..ebd9734b 100644
--- a/docs/advanced-config/README.md
+++ b/docs/advanced-config/README.md
@@ -1,5 +1,53 @@
 # Advanced Configuration
 
+## Best Practice: Use a docker network
+
+For those who have a few of their upstream services running in docker on the same docker
+host as NPM, here's a trick to secure things a bit better. By creating a custom docker network,
+you don't need to publish ports for your upstream services to all of the docker host's interfaces.
+
+Create a network, ie "scoobydoo":
+
+```bash
+docker network create scoobydoo
+```
+
+Then add the following to the `docker-compose.yml` file for both NPM and any other
+services running on this docker host:
+
+```yml
+networks:
+ default:
+ external:
+ name: scoobydoo
+```
+
+Let's look at a Portainer example:
+
+```yml
+version: '3'
+services:
+
+ portainer:
+ image: portainer/portainer
+ privileged: true
+ volumes:
+ - './data:/data'
+ - '/var/run/docker.sock:/var/run/docker.sock'
+ restart: always
+
+networks:
+ default:
+ external:
+ name: scoobydoo
+```
+
+Now in the NPM UI you can create a proxy host with `portainer` as the hostname,
+and port `9000` as the port. Even though this port isn't listed in the docker-compose
+file, it's "exposed" by the portainer docker image for you and not available on
+the docker host outside of this docker network. The service name is used as the
+hostname, so make sure your service names are unique when using the same network.
+
 ## Docker Secrets
 
 This image supports the use of Docker secrets to import from file and keep sensitive usernames or passwords from being passed or preserved in plaintext.
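Review bot: The Portainer example in the new "Use a docker network" section pairs `privileged: true` with a bind mount of `/var/run/docker.sock`, so the container readers are told to copy has root-equivalent control of the docker host, while the surrounding text presents the setup as a way to secure things. Socket access is what Portainer uses to manage docker; `privileged: true` looks unnecessary on most hosts (it may be there for SELinux systems, which the page does not say), so I would drop that line from the example or state when it is needed. The section should also say that a shared network removes isolation between the services on it, for example: `Only attach services that NPM proxies to this network; containers on it can connect to each other's ports directly, without going through the proxy.`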
@@ -34,7 +82,7 @@ services:
 DB_MYSQL_PORT: 3306
 DB_MYSQL_USER: "npm"
 # DB_MYSQL_PASSWORD: "npm" # use secret instead
- DB_MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD
+ DB_MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD
 DB_MYSQL_NAME: "npm"
 # If you would rather use Sqlite uncomment this
 # and remove all DB_MYSQL_* lines above
@@ -55,7 +103,7 @@ services:
 MYSQL_DATABASE: "npm"
 MYSQL_USER: "npm"
 # MYSQL_PASSWORD: "npm" # use secret instead
- MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD
+ MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD
 volumes:
 - ./data/mysql:/var/lib/mysql
 ```