envoyproxy returning 503 error, "UC, upstream connection termination", when attempt to read from Docker-hosted Tomcat

Question

I am running straight Docker (no Kubernetes). In that Docker system, I am running two containers, one running an envoyproxy and the other running Tomcat. The goal is to have envoyproxy front-end all containers in this Docker system.

I always get 503 errors, "UC, upstream connection termination". It almost seems that the Tomcat container does not want to accept any traffic from the envoy container. The envoy container can curl the very same addresses/ports with no problems. The envoy container also can successfully proxy its own administrative api.

Here are is my route to a Tomcat container named "manpants". Basically, display the built-in Tomcat documentation for examples.

          - match:
              prefix: "/examples/"
            route:
              cluster: cluster1

Here is the cluster.

  - name: cluster1
    connect_timeout: 1.25s
    type: logical_dns
    lb_policy: round_robin
    http2_protocol_options: {}
    hosts:
    - socket_address:
        address: manpants
        port_value: 8080

I can see in the logs the correct IP address being resolved for 'manpants', but the result is always the same:

[2020-04-03 18:33:52.804][11][debug][router] [source/common/router/router.cc:990] [C3][S9650117757932019245] upstream reset: reset reason connection termination
[2020-04-03 18:33:52.804][11][debug][http] [source/common/http/conn_manager_impl.cc:1417] [C3][S9650117757932019245] Sending local reply with details upstream_reset_before_response_started{connection termination}

and

[2020-04-03T18:32:13.391Z] "GET /examples/ HTTP/1.1" 503 UC 0 95 4 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" "8c1f0c3e-d007-4132-8151-c69d1c67f5c5" "myserver.mydomain.com" "172.18.0.3:8080"

If I 'docker exec' into a Docker container, I can curl that very address.

$ curl 172.18.0.3:8080/examples/
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more...

So that address is accepting connections from other Docker containers.

Also, the envoyproxy can proxy its own internal interface. This works like a champ.

Route:

              - match:
                  prefix: "/server_info"
                route:
                  cluster: admin

Cluster:

  - name: admin
    connect_timeout: 5.25s
    type: logical_dns
    lb_policy: round_robin
    http2_protocol_options: {}
    hosts:
    - socket_address:
        address: envoy
        port_value: 9901

I have tried so many things. I am at a loss for where to go next.