Remotely managed tunnel for several docker apps - best practice? (Newbie...)

I am utterly confused. I have severals docker applications using docker-compose (currently on two different devices in my network). I would run one separate container with cloudflared to establish the tunnel. I understand I could use ingress rules in that tunnel to connect to applications in other container if they are connected via a docker network. But it seems to me that now best practice is to use remotly managed tunnels via the dashboard. This is where I am getting lost - I don’t have IPs for the other containers, only docker networks.

Is there a best practice example? I find a lot of advice but mostly not combining docker and dashboard management.

Objective is managed with Cloudflare, then access: → connect to the vaultwarden (nginx) application (set up with docker-compose) → connect ot the inventree application

These applications do not need to talk to each other and are generally isolated from my physical network. A tunnel is a security exposure, I
want the tunnel to end in those applications. Until now I had only used Wireguard to VPN into these applications, now I want to make them available via Cloudflare.

Thank you for any advice!