I think by default a Docker container will have access to both networks that the Docker daemon host has access to (should be easy enough to test: start a container, get a shell in it, then try to ping something on each network from inside the container and see what happens). If you want a particular container to only use one of the 2, you have to tell it so on start, I believe.
To allow traffic only from the internal network(s), you can explicitly bind a published port to a specific IP to ensure it’s only accessible from that network.
When you invoke docker run you can use either -p IP:host_port:container_port or -p IP::port to specify the external interface for one particular binding.
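To check that published ports really are bound to an internal address, as described above, here is an added example (not part of the original post) that audits the NetworkSettings.Ports section of `docker inspect` output. The container names, addresses and the 10.0.0.0/24 internal range are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of `docker inspect <container>` output
# (NetworkSettings.Ports); names, addresses and ports are made up.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web-internal",
   "NetworkSettings": {"Ports": {
     "80/tcp": [{"HostIp": "10.0.0.5", "HostPort": "8080"}]}}},
  {"Name": "/web-default",
   "NetworkSettings": {"Ports": {
     "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8081"},
                {"HostIp": "::", "HostPort": "8081"}],
     "9000/tcp": null}}},
  {"Name": "/web-other-net",
   "NetworkSettings": {"Ports": {
     "443/tcp": [{"HostIp": "192.168.1.5", "HostPort": "8443"}]}}}
]
""")


def audit_bindings(containers, internal_cidr):
    """Return (container, port, host_ip, reason) for every published port
    that is not bound to an address inside internal_cidr."""
    internal = ipaddress.ip_network(internal_cidr)
    findings = []
    for c in containers:
        ports = c.get("NetworkSettings", {}).get("Ports") or {}
        for port, bindings in sorted(ports.items()):
            for b in bindings or []:  # null = exposed but not published
                # Assumption: an empty HostIp is treated as "all interfaces".
                host_ip = b.get("HostIp") or "0.0.0.0"
                addr = ipaddress.ip_address(host_ip)
                if addr.is_unspecified:  # 0.0.0.0 or ::
                    reason = "bound to all interfaces"
                elif addr.version != internal.version or addr not in internal:
                    reason = "bound outside internal network"
                else:
                    continue  # bound to an internal address, as intended
                findings.append((c["Name"].lstrip("/"), port, host_ip, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_INSPECT, "10.0.0.0/24"):
        print(*finding, sep="\t")
```

On a real host, feed it `json.loads()` of the output of `docker inspect` for the running containers instead of the sample.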