I have a Java application that is launched with a runtime variable as Dhttp.host=0.0.0.0 The HTTP server must be exposed for health check end-points. However, I would like to keep the exposure restrictive.

1. Does this mean all services across all networks in the Docker host have access to this application?
2. How do I restrict the visibility only to those services running in a give network?
3. Or, at least, not expose this server to outside of the Docker engine - let alone the Docker host?

Unless you are using the host network, processes inside containers can only listen on ip addresses available inside the container. 0.0.0.0 will mean it will listen on oopback interfaces and for example on 172.18.0.2 if that is the ip of the container. You can access it from the host or from another container in the same network. Even if you forward a port from the host to the container, you can forward it from a specific ip address:

ports:
  - 192.168.1.2:443:443

Ok.

Is there a way to define “ingress” rules such that the container health check endpoint at port 80 is restricted only to Compose?

What kind of healthcheck? I don’t think you need to forward anything to have Docker’s built-in healthchecks. Can you be more specific?

The app exposes health check endpoints at :80/health. I want it to be accessible only to Docker not any other service, host or external.

Ákos already presented the available method:

Make it 127.0.0.1:80:80 and only your host will be able to access port 80 of the container. Docker has no control after the port level. So if you want just a specific url context to be not reachable, then you will need to implement it yourself with a reverse proxy.