Currently, if a service is created with a published port, the load balancer is automatically updated to provide external access to that port.

This is an awesome feature (kudos!), BUT, in some cases I may want to expose a service only for internal use via an ssh tunnel. Is there a way – perhaps with service labels? – to prevent the Azure agent from updating the load balancer for published ports?

Ok, this is just publishing the port in host mode:

--publish mode=host,target=8080,published=8080

You should also be able to run the service normally and then run a container, that you attach to the network that has your “hidden” services, to do the SSH tunnelling:

C:\code\example-voting-app [master ↓ +5 ~2 -0 !]> cat .\docker-compose.yml
version: "3"

services:
  vote:
    image: friism/vote
    command: python app.py
    ports:
      - "5000:80"
    networks:
      - voting_app_network

  redis:
    image: redis:alpine
    networks:
      - voting_app_network

  worker:
    build: worker/.
    image: friism/worker
    networks:
      - voting_app_network

  db:
    image: postgres:9.4
    networks:
      - voting_app_network

  result:
    image: friism/result
    command: nodemon --debug server.js
    ports:
      - "5001:80"
      - "5858:5858"
    networks:
      - voting_app_network

networks:
  voting_app_network:
    external: true

C:\code\example-voting-app [master ↓ +5 ~2 -0 !]> docker network create --attachable -d overlay voting_app_network
cgsscr1tdlhduk3a410ligxul
C:\code\example-voting-app [master ↓ +5 ~2 -0 !]> docker deploy --compose-file docker-compose.yml iv
Ignoring unsupported options: build

Creating service iv_worker
Creating service iv_db
Creating service iv_result
Creating service iv_vote
Creating service iv_redis

I can now run docker run --net voting_app_network redis:alpine redis-cli -h redis keys * to access the redis service on the private network