changes from review

Author: yrobla

docs/toolhive/guides-cli/network-isolation.mdx

@@ -240,6 +240,36 @@ thv run --isolate-network --permission-profile none --volume /home/user/aws-diag
 This approach is more flexible since you can easily change the host directory
 without editing a profile file.
 
+## Accessing other workloads on the same container network
+
+To allow an MCP server to access other workloads on the same network, you need
+to configure network isolation to include the appropriate hostnames and ports.
+This is commonly needed when your MCP server needs to communicate with
+databases, APIs, or other services that are running on your local host during
+development.
+
+For example, in Docker environments, you can use `host.docker.internal` to
+access services on the host. Create a permission profile that allows this
+hostname and the required port:
+
+```json title="internal-access-profile.json"
+{
+  "network": {
+    "outbound": {
+      "insecure_allow_all": false,
+      "allow_host": ["host.docker.internal"],
+      "allow_port": [3000]
+    }
+  }
+}
+```
+
+Run the MCP server with this profile:
+
+```bash
+thv run --isolate-network --permission-profile ./internal-access-profile.json <SERVER>
+```
+
 ## Related information
 
 - [`thv run` command reference](../reference/cli/thv_run.md)