diff --git a/daemon/cluster/cluster.go b/daemon/cluster/cluster.go
index 36f785ccc7..0b2696c451 100644
--- a/daemon/cluster/cluster.go
+++ b/daemon/cluster/cluster.go
@@ -810,7 +810,7 @@ func (c *Cluster) CreateService(s types.ServiceSpec, encodedAuth string) (string
 ctx, cancel := c.getRequestContext()
 defer cancel()
- err := populateNetworkID(ctx, c.client, &s)
+ err := c.populateNetworkID(ctx, c.client, &s)
 if err != nil {
 return "", err
 }
@@ -867,7 +867,7 @@ func (c *Cluster) UpdateService(serviceID string, version uint64, spec types.Ser
 ctx, cancel := c.getRequestContext()
 defer cancel()
- err := populateNetworkID(ctx, c.client, &spec)
+ err := c.populateNetworkID(ctx, c.client, &spec)
 if err != nil {
 return err
 }
@@ -1208,10 +1208,14 @@ func (c *Cluster) RemoveNetwork(input string) error {
 return nil
 }
-func populateNetworkID(ctx context.Context, c swarmapi.ControlClient, s *types.ServiceSpec) error {
+func (c *Cluster) populateNetworkID(ctx context.Context, client swarmapi.ControlClient, s *types.ServiceSpec) error {
 for i, n := range s.Networks {
- apiNetwork, err := getNetwork(ctx, c, n.Target)
+ apiNetwork, err := getNetwork(ctx, client, n.Target)
 if err != nil {
+ if ln, _ := c.config.Backend.FindNetwork(n.Target); ln != nil && !ln.Info().Dynamic() {
+ err = fmt.Errorf("network %s is not eligible for docker services", ln.Name())
+ return errors.NewRequestForbiddenError(err)
+ }
 return err
 }
 s.Networks[i].Target = apiNetwork.ID
diff --git a/daemon/cluster/executor/backend.go b/daemon/cluster/executor/backend.go
index 3a4ff0fc1b..9fa8ef70b1 100644
--- a/daemon/cluster/executor/backend.go
+++ b/daemon/cluster/executor/backend.go
@@ -10,6 +10,7 @@ import (
 "github.com/docker/engine-api/types/events"
 "github.com/docker/engine-api/types/filters"
 "github.com/docker/engine-api/types/network"
+ "github.com/docker/libnetwork"
 "github.com/docker/libnetwork/cluster"
 networktypes "github.com/docker/libnetwork/types"
 "golang.org/x/net/context"
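Review bot: In `populateNetworkID` (third cluster.go hunk) the local-network fallback runs for any error returned by `getNetwork` and then discards that error, so a swarm lookup that failed for some other reason would reach the client as a 403 "not eligible" whenever a non-dynamic local network matches the target; the hunk does not show which errors `getNetwork` can return, so this is worth confirming. Consider limiting the branch to the not-found case, or at least keeping the cause, e.g. `err = fmt.Errorf("network %s is not eligible for docker services: %v", ln.Name(), err)`. The error from `FindNetwork` is also dropped with `_`; a comment such as `// best effort: if the local lookup fails, return the swarm lookup error unchanged` would make that intent explicit. The loop body and the function's final return continue outside the hunk.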
@@ -19,6 +20,7 @@ import (
 type Backend interface {
 CreateManagedNetwork(clustertypes.NetworkCreateRequest) error
 DeleteManagedNetwork(name string) error
+ FindNetwork(idName string) (libnetwork.Network, error)
 SetupIngress(req clustertypes.NetworkCreateRequest, nodeIP string) error
 PullImage(ctx context.Context, image, tag string, metaHeaders map[string][]string, authConfig *types.AuthConfig, outStream io.Writer) error
 CreateManagedContainer(config types.ContainerCreateConfig, validateHostname bool) (types.ContainerCreateResponse, error)
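Review bot: `FindNetwork` hands the cluster package a full `libnetwork.Network`, while the only caller in this commit reads `Name()` and `Info().Dynamic()`; a narrower return value, or a purpose-specific eligibility check on `Backend`, would give the swarm code no more access to local networks than the check needs. The new method is also undocumented: a comment such as `// FindNetwork returns the local network matching idName, or an error if none matches.` should state how `idName` is resolved (full name, full ID, or ID prefix), which is not visible here and decides which network the 403 message in cluster.go ends up naming. The `Backend` interface continues outside the hunk.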