HACKER Q&A
📣 dsbrandao

Using Flask as an API Gateway


Currently, I am building a microservices-type application at my current internship.

My thought with using an API in between the UI and the backend is to provide a more scalable solution while keeping the two ends separate. However, I am not very familiar with Flask and how to properly secure it.

The goal here is to have these services available in the local network. The API would simply be routing the params coming from the frontend (with the proper validation and auth) to the appropriate backend service.

The UI would be running in a Docker container and sending the params to the API (running on the host), which would then invoke the appropriate service.

The question I have is: How can I make sure that the API won't be exposed to the local network and will only be available for the UI to talk to?


  👤 ogarten Accepted Answer ✓
So, you've got a UI and a backend, and the backend more or less makes HTTP(?) requests to other services?

The easiest way to secure the application is probably to use API keys or HTTP Basic Auth to get some basic security. How is your frontend secured? Do people log in or can they just access the UI?

A more complicated setup would be OAuth2, but you would need an auth provider your company may or may not have already. The good thing is, your application only lives inside the local network, which hopefully makes it less accessible to attacks anyway.

I think everything related to security should be discussed in the team you are working in. You are an intern and cannot know. If you were my intern I would not put you into the position to decide security-related things.

Also, why is the UI running in Docker but the backend on the host directly? I would run both in Docker containers.
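
The API-key idea from the answer, combined with the question's "only the UI may talk to it" requirement, as an added example that is not part of the original thread: a standard-library WSGI middleware that refuses callers outside an allowlisted network and callers without the shared key. The `X-API-Key` header name, the sample key, the `GatewayGuard`, `demo_backend` and `call` names, and the use of Docker's default bridge subnet `172.17.0.0/16` are assumptions for illustration.

```python
import hmac
import ipaddress

# Assumptions (not from the original post): the UI container sits on Docker's
# default bridge network and sends the shared key in an X-API-Key header.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("172.17.0.0/16", "127.0.0.0/8")]
API_KEY = "constructed-sample-key"  # constructed value; load from a secret store


class GatewayGuard:
    """WSGI middleware: refuse callers outside ALLOWED_NETS or without the key."""

    def __init__(self, app, api_key=API_KEY):
        self.app = app
        self.api_key = api_key.encode()

    def check(self, environ):
        """Return an HTTP status line if the request must be refused, else None."""
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return "403 Forbidden"
        if not any(peer in net for net in ALLOWED_NETS):
            return "403 Forbidden"
        supplied = environ.get("HTTP_X_API_KEY", "").encode()
        # compare_digest avoids leaking the key through timing differences
        if not hmac.compare_digest(supplied, self.api_key):
            return "401 Unauthorized"
        return None

    def __call__(self, environ, start_response):
        status = self.check(environ)
        if status is not None:
            start_response(status, [("Content-Type", "text/plain")])
            return [status.encode()]
        return self.app(environ, start_response)


def demo_backend(environ, start_response):
    # Stand-in for the real gateway application in this example
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"routed"]


def call(app, remote_addr, key=""):
    """Drive the WSGI app with a constructed request; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "REMOTE_ADDR": remote_addr, "HTTP_X_API_KEY": key}
    seen = {}
    body = b"".join(app(environ, lambda s, h: seen.update(status=s)))
    return seen["status"], body
```

With Flask, the same guard wraps the application as `app.wsgi_app = GatewayGuard(app.wsgi_app)`. The address check is a second layer: the primary control is binding the server to the bridge interface or loopback instead of `0.0.0.0`, backed by a host firewall rule.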