The syntax with “A.B.C.D:YYYY:XXXX” is meant to publish the container’s port (XXXX) on the host’s IP A.B.C.D as port YYYY. Since you’re using a swarm cluster, there’s not a way to pin it to a particular swarm node’s IP while having the benefits of swarm (rescheduling the service on another node in case that node goes down). So while the docker-compose file format allows that syntax, it isn’t allowed using docker stack deploy and also not when you try it manually via docker service create.
If you’re looking to restrict who can access this service by client IP, you’ll probably want to front it with something like haproxy and use the haproxy config to restrict which clients can reach the service. Additionally, you’ll probably want to put the service you want to restrict access to on an “internal” network.
Setup (minus the actual haproxy configuration):
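An added sketch of the layout described above (not the original poster's setup): a stack file in which only haproxy publishes a port and the restricted service sits on an internal overlay network. The service names, images, port 8080, the allowed range 203.0.113.0/24 and the haproxy.cfg lines in the comments are all assumptions. The proxy port is published in host mode because the swarm ingress routing mesh does not preserve the client source address, so an ACL on the client IP would otherwise never match.

```yaml
version: "3.7"

services:
  proxy:
    image: haproxy:2.8
    ports:
      # Long syntax; host mode bypasses the ingress mesh so haproxy
      # sees the real client address instead of a NATed one.
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    configs:
      - source: haproxy_cfg
        target: /usr/local/etc/haproxy/haproxy.cfg
    networks:
      - frontend
      - backend
    deploy:
      mode: global            # one proxy task per node

  app:
    image: example/app:latest # placeholder image (assumption)
    networks:
      - backend               # no "ports:" entry, so nothing is published

networks:
  frontend:
    driver: overlay
  backend:
    driver: overlay
    internal: true            # no external connectivity for this network

configs:
  haproxy_cfg:
    file: ./haproxy.cfg
    # Relevant lines of ./haproxy.cfg (assumed, in "mode http"):
    #   frontend fe
    #       bind *:8080
    #       acl allowed_clients src 203.0.113.0/24
    #       http-request deny unless allowed_clients
    #       default_backend be
    #   backend be
    #       server app app:8080
```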