Some helpful info here: Does wifi-connect need to be mounted to host instead of port?
App can be reached by database using the IP address 172.17.0.1. Database can be reached by App by opening the port in the compose file and then using 0.0.0.0:portnumber from within App container.
To restrict external access to App, add in IPTable rules or a restriction in your app to only accept requests from ip addresses starting 172.
To restrict external access to Database add the port as 127.0.0.1:80:80 where 80 is your port of choice. See this for more info: https://www.chrissearle.org/2018/09/21/ufw-with-docker/