[newbie] Confused about internal loadbalancer

I am trying to configure things so I can restrict access to some services to only those on the same (rancher) network (i.e. vpn).

I am at the point where I can VPN in and then ping and connect to <service>.<stack>, but the ports aren’t redirected so if I am using a Tomcat server for example, I need to point at the-tomcat.the-stack:8080.

I can configure a public load balancer so requests coming in on port 80 are mapped to 8080 and that works great. But I don’t want these publicly exposed.

I thought I could simply create an ‘Internal’ mapping in the loadbalancer for <service>.<stack>:80->8080, in other words simply changing the loadbalancer entry from “Public” to “Internal” and the hostname from “public-hostname” to <service>.<stack>. However, the service still remains unavailable at :80.

What have I missed? Thanks :-)!