diff --git a/docs/reference/setup/install/docker.asciidoc b/docs/reference/setup/install/docker.asciidoc
index add4792bd10..537dec29040 100644
--- a/docs/reference/setup/install/docker.asciidoc
+++ b/docs/reference/setup/install/docker.asciidoc
@@ -87,6 +87,12 @@ endif::[]
 This sample Docker Compose file brings up a three-node {es} cluster.
 Node `es01` listens on `localhost:9200` and `es02` and `es03` talk to `es01` over a Docker network.
 
+Please note that this configuration exposes port 9200 on all network interfaces, and given how 
+Docker manipulates `iptables` on Linux, this means that your {es} cluster is publically accessible, 
+potentially ignoring any firewall settings. If you don't want to expose port 9200 and instead use 
+a reverse proxy, replace `9200:9200` with `127.0.0.1:9200:9200` in the docker-compose.yml file.
+{es} will then only be accessible from the host machine itself.
+
 The  https://docs.docker.com/storage/volumes[Docker named volumes]
 `data01`, `data02`, and `data03` store the node data directories so the data persists across restarts.
 If they don't already exist, `docker-compose` creates them when you bring up the cluster.