realbadat

Agreed, I prefer trunk with native to the vlan for services, each container that the reverse proxy will hit in its own vlan (or multiples for differing sets of services, but I can be excessive).

I'd block any traffic initiated from that vlan to all others, and I'd also only allow the specific ports needed for the services. Then fully open initiated from the general internal vlan.
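The policy described in this comment, written as an nftables forward chain. This is an added example, not the commenter's configuration. It assumes a Linux router doing the inter-VLAN routing; the interface names, the separate proxy VLAN and the port numbers are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Constructed example: every name and port below is an assumption.

define IF_LAN   = "vlan10"        # general internal VLAN
define IF_SVC   = "vlan20"        # services VLAN holding the proxied containers
define IF_PROXY = "vlan30"        # VLAN the reverse proxy sits in
define SVC_PORTS = { 8080, 8443 } # only the ports the services listen on

table inet vlan_policy {
    chain forward {
        # Default deny between VLANs; everything allowed is listed below.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows that were permitted when they started.
        ct state established,related accept
        ct state invalid drop

        # Fully open for connections initiated from the general internal VLAN.
        iifname $IF_LAN ct state new accept

        # The reverse proxy reaches the services VLAN on the service ports only.
        iifname $IF_PROXY oifname $IF_SVC tcp dport $SVC_PORTS ct state new accept

        # Nothing initiated from the services VLAN reaches any other VLAN.
        # Logged and counted so a compromised container shows up in review.
        iifname $IF_SVC ct state new log prefix "svc-vlan-initiated " counter drop
    }
}
```

Because replies are matched by connection state, the services VLAN can still answer the internal VLAN and the proxy without being able to open connections of its own.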
