I’m running my own swarm and would like to have many hundreds, if not thousands of tenants running their own (untrusted) microservices as swarm services.

I’d like to partition network traffic so that each tenant can only directly address their own microservices. Is it feasible to run each tenant in its own overlay network? If not, is there a better way to restrict outgoing network traffic to only a few approved ports and/or services?