How to add secure access to applications inside Cluster

Hello community,
we are running a docker swarm in staging right now and using traefik mostly for name based routing via domain name. Works like a charme. :slight_smile:

We are peparing production, but there are some more restrictions we have to apply.

I am struggling with the idea of restricting the access to the services inside the cluster. With the name based hosting we exposing every endpoint from the service to the outside. I know I can add path restrictions to the rule, but I dont know if this is the right way to do it.

We have basically only Spring Boot based services. Meaning we have a couple of actuator endpoints and something like a swagger-ui endpoint or other admin endpoints. They have to be exposed outside the cluster, but only for the team or for all developers, or something like that.
There are also some api endpoints which are called from Services that dont reside inside the cluster and there are endpoints that needs to be accessed from a gateway server in a DMZ restricting the traffic from the internet.

What is a best practice here?

Any help or tutorials are greatly apreciated.