Firstly, thanks for your quick answer.
For the setup, I have 3 Couchbase servers running separately on 3 nodes of my swarm-mode cluster. The Docker Swarm cluster is hosted on VMs in our data center. The application client does operations from my local PC over a VPN connection. On the swarm cluster, we have a reverse proxy to handle TCP and HTTP. So the application client does not need to be on the same overlay network as the Couchbase servers.
For the exposed container ports, I opened 8091, 8092, 11210, and 11211. As for the other ports, I thought they are not necessary because I don't have SSL or XDCR at this moment.