You're not completely off point, but in this situation, since there's ALREADY a tunneling-type device on the blue network (that router), adding another tunneler (ziti-host) won't do much good (well, I mean, there are redundancy-related reasons, but I'm leaving that off the table right now).
This is where things get more complex, really quickly... Recently (a few months or so ago) @qrkourier made an excellent discovery with respect to docker. He discovered that one can basically assign a docker container as the "network" for another docker container. When you do this, it effectively melds the two containers into one bigger container. If you're familiar with kubernetes even a little, this is very similar to the "pod" idea, where basically two or more containers can all be aggregated together.
This was really exciting to me, because in general when you're using docker, we had no great way to accomplish this sort of design. If you use `ziti-edge-tunnel` and want to have it intercept packets, it works by making a TUN device, but that needs to happen on the actual OS itself. That means everything on the machine will have access to that TUN, and that's not what we wanted...
Instead, `ziti-router` has a mode called `tproxy` that allows one to shuttle bytes to a process without the need for a TUN, which means now we can use `ziti-router` within docker for strategic intercept-type modes, but we could also use something like `ziti-edge-tunnel` in `host` mode (where it only offloads data) to offload data specifically for one (or more) containers...
I'll pause here, as I'm getting deep into the weeds now. Here's an attempt to demonstrate that visually though... Here's the example I'm recommending you start with. You'll see the "new-ubuntu-svr" is in the blue network and accessed from the ziti-private-blue router:
But, with the container-as-another-container's-network approach, it MIGHT look more like this... Notice the ziti-private-blue was removed and replaced with a ziti-edge-tunnel in host mode (which is basically what ziti-host is), and each "network" has two containers: the ziti-host 'network' and then the 'server' container that uses that ziti-host network... Hopefully this all makes sense; like I said, it can get complex quickly!
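Here is what the "container as another container's network" arrangement from the reply above looks like in a Docker Compose file. This is an added example, not part of the original post and not an OpenZiti-maintained file. It assumes the `openziti/ziti-host` image takes its one-time enrollment JWT through a `ZITI_ENROLL_TOKEN` environment variable (check that against the image's own docs for the version you pull), and the Python web server standing in for "new-ubuntu-svr" is a constructed placeholder workload.

```yaml
# Added example (not from the post or the OpenZiti project).
# One "pod": ziti-host owns the network namespace, the server joins it.
services:
  ziti-host:
    image: openziti/ziti-host
    environment:
      # Assumption: this is the image's enrollment-token variable.
      # Fails fast at 'docker compose up' if it is not set in the shell/.env.
      ZITI_ENROLL_TOKEN: ${ZITI_ENROLL_TOKEN:?set to the identity's enrollment JWT}
    # No 'ports:' on purpose. Nothing is published to the docker host or the
    # blue LAN; the only way into the server is a Ziti dial that ziti-host
    # offloads onto the loopback it now shares with new-ubuntu-svr.

  new-ubuntu-svr:
    # Stand-in workload; the real image would be whatever the server runs.
    image: python:3.12-alpine
    # Join ziti-host's network namespace. After this, 127.0.0.1 here and
    # 127.0.0.1 inside ziti-host are the same interface, so the service's
    # host config can target 127.0.0.1:8080 and never leave the pod.
    network_mode: "service:ziti-host"
    depends_on:
      - ziti-host
    # With network_mode: service:..., Compose rejects 'ports', 'networks',
    # 'hostname' and similar keys on this service: the network is not ours.
    # Bind to loopback only, so even the container's other interfaces (if
    # ziti-host ever got any) would not expose it.
    command: ["python", "-m", "http.server", "8080", "--bind", "127.0.0.1"]
```

Two things worth checking once it is up. First, confirm the namespace really is shared: `docker compose exec ziti-host readlink /proc/1/ns/net` and the same command against `new-ubuntu-svr` should print an identical `net:[...]` inode (this assumes `readlink` exists in both images). Second, confirm nothing leaks out: from the docker host or any other container on the blue network, port 8080 of either container should not be reachable, since no port is published and the server binds only to loopback; the only path is through the Ziti service whose host configuration points at 127.0.0.1:8080. If you later want the intercept variant the reply mentions (a `ziti-router` in `tproxy` mode as the network owner), the same `network_mode: "service:..."` mechanism applies; only the owning container changes.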