Status
Accepted
Context
GCP's default (auto-mode) network auto-creates permissive rules (default-allow-ssh, default-allow-rdp,
default-allow-icmp) at priority 65534 with source 0.0.0.0/0. They live outside our Terraform state,
so removing only our own allow rule would still leave SSH (22/tcp) publicly reachable.
Decision
Add a Terraform-managed deny-all INGRESS rule at priority 100 (source 0.0.0.0/0, all
protocols, target tag mcp-broker). GCP evaluates firewall rules by ascending priority number, so
100 takes precedence over the default rules at 65534 for every instance carrying the tag. All
connections are initiated outbound: Tailscale for admin, Cloudflare Tunnel (cloudflared) for the
broker. Keep the external IP for egress only.
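The rule the decision describes, written out as an added example (not the ADR's own Terraform); the resource names, the variable, the zone, machine type and image are assumptions, and the instance is included only to show that the tag has to be on the VM for the rule to apply:

```hcl
# Added example, not the project's Terraform. Names and values marked
# "assumed" are placeholders.

variable "project" {
  type        = string
  description = "GCP project hosting the broker VM (assumed input)"
}

resource "google_compute_firewall" "mcp_broker_deny_all_ingress" {
  name    = "mcp-broker-deny-all-ingress" # assumed name
  project = var.project
  network = "default" # the auto-mode network whose default-allow-* rules are not in state

  direction = "INGRESS"
  # Lower number wins. The auto-created default-allow-ssh/-rdp/-icmp rules sit
  # at 65534, so 100 takes precedence for every instance carrying the tag.
  priority = 100

  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["mcp-broker"]

  # Deny every protocol. GCP firewalls are stateful, so replies to the VM's own
  # outbound connections (Tailscale, cloudflared, package mirrors) still pass.
  deny {
    protocol = "all"
  }

  # Log hits so attempted inbound connections show up in Cloud Logging.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Hypothetical broker VM, shown only for the tags attribute: without the tag
# the deny rule does not apply and the default-allow-* rules still win.
resource "google_compute_instance" "mcp_broker" {
  name         = "mcp-broker"      # assumed
  project      = var.project
  zone         = "us-central1-a"   # assumed
  machine_type = "e2-small"        # assumed
  tags         = ["mcp-broker"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12" # assumed
    }
  }

  network_interface {
    network = "default"
    access_config {} # ephemeral external IP, kept for egress only
  }
}
```

After `terraform apply`, `gcloud compute firewall-rules list --filter="network:default" --sort-by=priority` should show the deny rule first, above the 65534 defaults. A quick external check is a TCP connect to port 22 on the VM's external IP: GCP deny rules drop rather than reject, so the attempt should time out instead of being refused.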
Consequences
- Zero public inbound ports on instances tagged mcp-broker, regardless of the default network's rules. Untagged instances in the same network remain exposed by the defaults, so the tag has to be on every broker VM.
- The rule also denies VPC-internal traffic (default-allow-internal is at 65534) and Google-sourced ranges such as IAP TCP forwarding and load-balancer health checks; any of those would need an explicit allow rule at a priority below 100.
- Tailscale/cloudflared still work: GCP firewalls are stateful, so replies to outbound flows are admitted, and Tailscale falls back to DERP relays for peers that cannot establish a direct path.
- Keeping the external IP (~$3/mo) is far cheaper than Cloud NAT (~$32/mo). The address is still routable, so it is the deny rule, not the addressing, that makes this as private as NAT.
Compiled from
wiki/projects/gcp-mcp-standalone/adr/0002-deny-all-public-ingress.md · git is the source of truth