Based on the docs, it seems Docker Cloud creates one giant subnet for all my containers. Why is the design done like this? I would certainly think it's more intuitive to create subnets based on stacks, or at least to let me shape the network a bit.
How do people expose ports just to certain hosts? For example, if I have a DB in stackA and a DB in stackB, how can I prevent any service from stackA from reaching the DB in stackB? Do you always handle it on a lower level, meaning the nodes, e.g. an AWS VPC?