
0002 — Deny all public ingress; reach the box only via outbound channels

type: adr · status: active · tags: gcp, security, firewall, decision

Status

Accepted

Context

GCP's default network comes pre-populated with permissive rules (default-allow-ssh, default-allow-rdp, default-allow-icmp) that accept traffic from 0.0.0.0/0 at priority 65534 and that live outside our Terraform state. Removing only our own allow rule would therefore leave SSH (tcp/22) publicly reachable through default-allow-ssh.

Decision

Add a Terraform-managed deny-all INGRESS rule at priority 100 (source 0.0.0.0/0, all protocols, target tag mcp-broker). GCP evaluates firewall rules lowest number first, so this rule wins over the default rules at 65534 for every instance carrying the tag, without touching the unmanaged defaults. All access is outbound-established: Tailscale for admin, Cloudflare Tunnel for the broker. Keep the external IP for egress only.
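The decision above expressed as Terraform. This is an added example, not the project's own configuration; the rule parameters (priority 100, 0.0.0.0/0, all protocols, tag mcp-broker) are taken from the ADR, while the project, region, zone, machine type, image and resource names are assumptions.

```hcl
# Added example, not the project's own Terraform. Zone, region, machine type,
# image and resource names are assumptions; the rule parameters match the ADR.

# 1. Deny-all ingress for tagged instances. priority 100 beats the default
#    network's pre-populated default-allow-ssh/-rdp/-icmp/-internal rules
#    (all at 65534): GCP picks the lowest priority number that matches.
resource "google_compute_firewall" "mcp_broker_deny_all_ingress" {
  name      = "mcp-broker-deny-all-ingress"
  network   = "default"
  direction = "INGRESS"
  priority  = 100

  source_ranges = ["0.0.0.0/0"]   # every source, RFC1918 VPC ranges included
  target_tags   = ["mcp-broker"]  # applies only to instances carrying this tag

  deny {
    protocol = "all"
  }

  # Log what the rule drops so it doubles as a tripwire in Cloud Logging.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# 2. Static external address, kept for egress only. Nothing inbound reaches it
#    because of the rule above; replies to flows the VM opens are still admitted
#    by the firewall's connection tracking, which is all Tailscale/cloudflared need.
resource "google_compute_address" "mcp_broker_egress" {
  name   = "mcp-broker-egress"
  region = "us-central1"
}

# 3. The instance must carry the tag; without it the deny rule does not apply
#    and default-allow-ssh is back in effect.
resource "google_compute_instance" "mcp_broker" {
  name         = "mcp-broker"
  machine_type = "e2-small"
  zone         = "us-central1-a"
  tags         = ["mcp-broker"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
    access_config {
      nat_ip = google_compute_address.mcp_broker_egress.address
    }
  }
}
```

After `terraform apply`, check the result rather than trusting the plan: `gcloud compute instances network-interfaces get-effective-firewalls mcp-broker --zone us-central1-a` lists every rule that applies to the instance in precedence order, and the deny at 100 should sit above all default-allow-* entries; from outside, a `nc -vz -w 3 <address> 22` should time out instead of connecting. Note that the protection hangs on the tag: dropping the tag from the instance, or destroying the firewall resource, silently re-exposes SSH through the unmanaged default-allow-ssh rule.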

Consequences

  • Zero public inbound ports on instances tagged mcp-broker, regardless of the default network's rules. The tag is the boundary: an untagged instance in the same VPC still gets default-allow-ssh. Because the deny covers 0.0.0.0/0 it also overrides default-allow-internal, so other VMs in the VPC cannot reach the broker either.
  • Tailscale and cloudflared still work: both only ever open outbound connections (WireGuard over UDP, with Tailscale's DERP relays over TCP 443 as fallback when direct UDP fails; cloudflared to Cloudflare's edge), and the VPC firewall is stateful, so replies to those flows are admitted without any ingress allow.
  • Anything that needs inbound from Google's own ranges is blocked too: IAP TCP forwarding (35.235.240.0/20) and load-balancer health checks would need an explicit allow at a priority number below 100. This design uses neither.
  • Keeping the egress IP (~$3/mo) is far cheaper than Cloud NAT (~$32/mo). With the deny rule in place nothing on that address is reachable; the only remaining difference from Cloud NAT is that the VM has a public address at all.
Compiled from wiki/projects/gcp-mcp-standalone/adr/0002-deny-all-public-ingress.md · git is the source of truth