Why the need to publish the port at all? If your service is attached to an overlay network, all nodes will have access to each other via Docker’s overlay network, with no access from the public network.
If the service needs to be consumed by another container (e.g. nginx), attach that service to the cluster’s overlay network and only expose the ports of that service.
What I meant is that you can create a mysql cluster by
docker service create --name mysql --replicas 3 --network my_overlay yourimagename
Tasks running in this cluster will be able to talk to each other but will not be available to the public network, since you do not publish any ports. Then you can create the nginx service:
docker service create --name nginx --network my_overlay -p 80:80 nginxcontainer
If you inspect the second task you will notice that it will have two network interfaces - one attached to the my_overlay network and another one attached to the ingress network. The code that will be served by this task will be able to reach your db cluster under its name (e.g. mysql:3306) thanks to Docker’s mesh network and internal DNS, and at the same time will be available to the outside world on port 80 to serve www sites.
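One way to check that a swarm still matches the layout described above (mysql unpublished, nginx publishing only port 80) is to audit `docker service inspect` output. This is an added example, not part of the original post; the sample JSON is constructed and trimmed, the network IDs are placeholders, and the allowlist policy is an assumption.

```python
import json

# Constructed sample shaped like `docker service inspect mysql nginx` output,
# trimmed to the fields used here. Network IDs are placeholders.
SAMPLE_INSPECT = json.loads("""
[
  {"Spec": {"Name": "mysql",
            "TaskTemplate": {"Networks": [{"Target": "net-my-overlay"}]},
            "EndpointSpec": {"Mode": "vip"}},
   "Endpoint": {"VirtualIPs": [{"NetworkID": "net-my-overlay", "Addr": "10.0.1.2/24"}]}},
  {"Spec": {"Name": "nginx",
            "TaskTemplate": {"Networks": [{"Target": "net-my-overlay"}]},
            "EndpointSpec": {"Mode": "vip", "Ports": [
              {"Protocol": "tcp", "TargetPort": 80, "PublishedPort": 80, "PublishMode": "ingress"}]}},
   "Endpoint": {"Ports": [
              {"Protocol": "tcp", "TargetPort": 80, "PublishedPort": 80, "PublishMode": "ingress"}],
            "VirtualIPs": [{"NetworkID": "net-ingress", "Addr": "10.0.0.5/24"},
                           {"NetworkID": "net-my-overlay", "Addr": "10.0.1.5/24"}]}}
]
""")

def published_ports(service):
    """Return sorted (published, target, protocol, mode) tuples for one service."""
    ports = (service.get("Endpoint", {}).get("Ports")
             or service.get("Spec", {}).get("EndpointSpec", {}).get("Ports")
             or [])
    return sorted((p.get("PublishedPort", 0), p.get("TargetPort", 0),
                   p.get("Protocol", "tcp"), p.get("PublishMode", "ingress"))
                  for p in ports)

def audit(services, allowed):
    """Flag published ports missing from the allowlist.
    `allowed` (assumed policy) maps service name -> set of permitted ports."""
    findings = []
    for svc in services:
        name = svc["Spec"]["Name"]
        for pub, target, proto, mode in published_ports(svc):
            if pub not in allowed.get(name, set()):
                findings.append(
                    f"{name}: {pub}->{target}/{proto} published ({mode}) but not allowed")
    return findings

if __name__ == "__main__":
    # Policy from the post: only nginx may publish, and only port 80.
    result = audit(SAMPLE_INSPECT, {"nginx": {80}})
    for line in result or ["no unexpected published ports"]:
        print(line)
```

On a real manager node the same functions can be fed `json.loads` of the output of `docker service inspect $(docker service ls -q)`.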