Related: Relay Behind NAT with no forwarding
I would strongly recommend having the relay on the docker host have port 52311 exposed, in which case it should be able to get updates without the need for this.
You would only be able to expose a single relay per docker host this way.
Command polling would be the right solution for docker container clients so they can get things from their parent relay, but something like _BESRelay_GatherMirror_UpstreamCheckPeriodMinutes=10 is most likely required for an isolated relay to get updates from it’s parent.
I’m not sure why that setting wouldn’t have helped, though it might require relay service restart for that config to get picked up.
I wonder if this setting causes extra messaging in the Relay Log about it doing this?