Restrict a container to only be accessible via a bridge network with another container on the same machine

I need to put two containers on a machine where container A serves up a website, but it makes use of a Web API hosted in the other container B. I don’t want container B to accessible directly, only via container A. I’ve got this working using a -network shared-net switch on both containers, and container B has no -p switch when it is run.

However, docker ps shows PORTS as “80/tcp, 443/tcp”.(without any port forwarding -> stuff). I just wanted to confirm that Docker is only reporting on the internal ports opened by the contained Web API, and that these aren’t bound to any default port that I don’t know about? It doesn’t seem to be, but it’s like trying to prove a negative!