I have a Docker Swarm cluster with 3 nodes (just for testing); the host VMs' subnet is 10.100.24.0/24.
I also have a jump server outside the swarm subnet, which is in the 10.0.0.0/24 subnet range.
The problem I have here: my services are exposed (e.g. Portainer) on port 8080 in Docker Swarm. However, when I tried connecting to port 8080 on the swarm nodes, it was not reachable from my jump server.
Other than Docker Swarm, if I try connecting to any port it's allowed, for example 22 or 80, etc., because we have proper VNET peering in place.
Here are the details:
From Swarm
docker service ls
ID             NAME                  MODE         REPLICAS   IMAGE                           PORTS
q30eer0sshyd   portainer_agent       global       3/3        portainer/agent:2.16.2
qxrndq63jklh   portainer_portainer   replicated   1/1        portainer/portainer-ce:2.16.2   *:8080->9000/tcp
From my Jump server
nc -v 10.100.24.24 22
Connection to 10.100.24.24 22 port [tcp/ssh] succeeded!
nc -v 10.100.24.22 80
Connection to 10.100.24.22 80 port [tcp/http] succeeded!
nc -v 10.100.24.24 8080 (connection timed out)
Docker uses 172.31.0.0/12 in /16 increments and 192.168.0.0/16 in /20 increments for bridge networks. Docker Swarm's overlay networks are assigned from 10.0.0.0/8 in /24 increments. This means that, without any reconfiguration, the only truly safe range for your LAN out of all the reserved NAT ranges is 172.16.0.0/16. Pragmatically, your LAN can use 10.1.0.0-10.255.255.255 without issue, as it's unlikely that you will allocate close to 256 networks, and 192.168.0.0 is usually safe as bridge networks are not commonly created either.
Now, looking at your system, your jump box is in the 10.0.0.0/24 range, which is going to conflict with the first overlay network Swarm creates (usually ingress, IIRC). Anyway, to sort this out you need to tear the swarm down and then re-create it, passing --default-addr-pool to shift overlay networking into an unused range.
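As an added example (not part of the original answer), the following script checks whether a LAN or jump-host subnet collides with the pool Swarm carves its overlay networks from (10.0.0.0/8 in /24 slices, as described above) and prints the re-init command. The candidate replacement pools in CANDIDATE_POOLS are assumed values chosen to avoid the question's subnets; the `--default-addr-pool` and `--default-addr-pool-mask-length` flags are real `docker swarm init` options. The script only computes and prints; it does not touch a running swarm.

```shell
#!/usr/bin/env bash
# Added example, not from the original question or answer: detect a subnet
# collision with the default Swarm overlay pool and print the fix the answer
# describes. Pure shell arithmetic, runs offline.
set -eu

# Dotted-quad IPv4 -> 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length, as an integer.
prefix2mask() {
  local bits=$1
  echo $(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
}

# cidr_overlap A B: succeed if the two CIDR blocks share any address.
# Two blocks overlap exactly when the wider one (shorter prefix) contains the
# other's network address, so compare both under the wider prefix's mask.
cidr_overlap() {
  local a=$1 b=$2 wide other mask
  if [ "${a#*/}" -le "${b#*/}" ]; then wide=$a; other=$b; else wide=$b; other=$a; fi
  mask=$(prefix2mask "${wide#*/}")
  [ $(( $(ip2int "${other%/*}") & mask )) -eq $(( $(ip2int "${wide%/*}") & mask )) ]
}

# Candidate replacement pools (assumed values: RFC 1918 ranges that the
# question's hosts do not use).
CANDIDATE_POOLS="10.200.0.0/16 10.201.0.0/16 172.20.0.0/14"

# pick_pool "<space-separated LAN subnets>": print the first candidate that
# overlaps none of them; fail if every candidate collides.
pick_pool() {
  local lans=$1 pool lan clash
  for pool in $CANDIDATE_POOLS; do
    clash=0
    for lan in $lans; do
      if cidr_overlap "$pool" "$lan"; then clash=1; break; fi
    done
    if [ "$clash" -eq 0 ]; then echo "$pool"; return 0; fi
  done
  return 1
}

# swarm_init_cmd "<LAN subnets>": the re-init line to run after `docker swarm
# leave --force` on every node. /24 keeps Swarm's usual per-network size.
swarm_init_cmd() {
  local pool
  pool=$(pick_pool "$1") || return 1
  echo "docker swarm init --default-addr-pool $pool --default-addr-pool-mask-length 24"
}

# Walk through the question's numbers: the jump server at 10.0.0.0/24 and the
# swarm hosts at 10.100.24.0/24 against Swarm's default 10.0.0.0/8 pool.
for net in 10.0.0.0/24 10.100.24.0/24; do
  if cidr_overlap "$net" 10.0.0.0/8; then
    echo "$net collides with the default swarm pool 10.0.0.0/8"
  fi
done
# prints: docker swarm init --default-addr-pool 10.200.0.0/16 --default-addr-pool-mask-length 24
swarm_init_cmd "10.0.0.0/24 10.100.24.0/24"
```

Both of the question's subnets fall inside 10.0.0.0/8, so the script reports a collision for each and proposes 10.200.0.0/16, which stays inside 10/8 (the range the answer says is pragmatically usable) without touching 10.0.0.0/24 or 10.100.24.0/24. Run it before re-creating the swarm, feeding it every subnet the nodes must reach, and re-run it whenever a new peered network is added.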