docker, docker-swarm, docker-stack

Stack service expose port on specific interface?


We have the stacks running on Digital Ocean. To improve security, the Docker swarm runs entirely on the private network (eth1) of the Droplets. We have some management services that we do not want to expose on the public IP, but only on the private IP.

Is it possible to expose a port on a specific interface? Or is it possible to create another ingress network that only exposes ports on the private IP?

The workaround we have now is that we just run those services as normal containers, exposing the ports on the private IP address.


Solution

  • When using the overlay network driver (which uses the ingress network), there is only one ingress, defined with --data-path-addr during docker swarm init/join. You can use a private network for the Swarm "control plane" with --advertise-addr, but that's the only control you'd have.

    If you need to control access for specific groups of logins/IPs, then I'd recommend putting a proxy in front of them and controlling it that way. Here's some nginx info on that. You might be able to set that up in Docker Flow Proxy or Traefik.

    Another thing you could do is set up service constraints, where one set of servers is for public access and another set is listening on private IPs, each with specific node labels so you can deploy services with constraints that only deploy to the private or public servers.
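A stack file illustrating the node-label constraint approach from the answer, as an added example that is not part of the original answer; the label name `tier`, the service names and the images are assumptions. It pairs the constraint with host-mode publishing, because a port published through the ingress routing mesh is reachable on every node, which would defeat the point of pinning the management service to the private nodes.

```yaml
# Added example (not from the original answer). Assumed node labels, set with:
#   docker node update --label-add tier=public  <public-node>
#   docker node update --label-add tier=private <private-node>
# A swarm-published port binds on all interfaces of the node it is published on,
# so the "private" nodes must be reachable only over the private network (eth1),
# e.g. via a cloud firewall: the constraint decides where a task runs,
# not which address it listens on.
version: "3.8"

services:
  web:
    image: nginx:stable                 # assumed public-facing service
    ports:
      - target: 80
        published: 80
        mode: host                      # bind only on the node running the task
    deploy:
      replicas: 2
      placement:
        max_replicas_per_node: 1        # host-mode ports cannot be shared on one node
        constraints:
          - node.labels.tier == public

  admin:
    image: example/admin:latest         # placeholder management image
    ports:
      - target: 8080
        published: 8080
        mode: host                      # ingress mode would expose 8080 on every node
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.labels.tier == private
```

Deploy with `docker stack deploy -c stack.yml mgmt` and confirm placement with `docker service ps mgmt_admin`, which should list only nodes carrying the `tier=private` label.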