Status
Accepted (2026-07-02)
Context
Docker Compose originally published the broker as 8002:8002, i.e. 0.0.0.0 — listening
on the VM's public IP and on the tailnet. The only thing preventing direct internet access
to the broker (admin API included) was the single deny-all firewall rule: one control, and
one misconfiguration away from full exposure that would bypass Cloudflare entirely.
Decision
Publish as 127.0.0.1:8002:8002. cloudflared — the sole intended client — connects via
localhost, so the tunnel is unaffected.
Consequences
- The firewall rule is now defence-in-depth rather than the single control; even with the
rule gone, :8002 is unreachable from outside the box.
- The broker is also invisible to the tailnet: admin API access from the Mac becomes
ssh -L 8002:localhost:8002 ubuntu@gcp-mcp-broker.
- The change lives in the broker fork's docker-compose.yml (branch connectors), so it
applies wherever the fork is deployed.
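As an added check (not part of this ADR or of the broker fork), a small POSIX shell/awk lint that reports every short-syntax compose port entry not pinned to 127.0.0.1. The two compose snippets are constructed to mirror the before/after shape described above, and the function name check_loopback_only is an assumption.

```shell
#!/bin/sh
# Added example: lint short-syntax `ports:` entries in a compose file and report
# every host binding that is not pinned to loopback. Constructed samples below
# show the two shapes this ADR contrasts; neither is the broker fork's real file.
COMPOSE_BEFORE='services:
  broker:
    ports:
      - "8002:8002"
'
COMPOSE_AFTER='services:
  broker:
    ports:
      - "127.0.0.1:8002:8002"
'

# check_loopback_only COMPOSE_TEXT
# Prints "exposed: <entry>" for each port entry whose host side is anything
# other than 127.0.0.1 (no host part, 0.0.0.0, a tailnet/VM address, ...).
# Exit status 0 = every published port is loopback-only, 1 = something is exposed.
# Only the block-list short syntax ("HOST:HPORT:CPORT", "HPORT:CPORT", "CPORT")
# is understood; long-syntax target:/published: mappings and [::1] are not.
check_loopback_only() {
    printf '%s\n' "$1" | awk -v sq="'" '
        BEGIN { bad = 0 }
        /^[[:space:]]*ports:[[:space:]]*$/ { inports = 1; next }
        inports && /^[[:space:]]*-/ {
            entry = $0
            sub(/^[[:space:]]*-[[:space:]]*/, "", entry)   # strip the "- " list marker
            gsub(/"/, "", entry); gsub(sq, "", entry)       # strip YAML quotes
            n = split(entry, f, ":")
            if (n < 3 || f[1] != "127.0.0.1") { print "exposed: " entry; bad = 1 }
            next
        }
        inports { inports = 0 }    # first non-list line closes the ports block
        END { exit bad }
    '
}

# Demo: the pre-ADR file fails the check, the post-ADR file passes.
check_loopback_only "$COMPOSE_BEFORE" || echo "BEFORE: broker reachable beyond localhost"
check_loopback_only "$COMPOSE_AFTER"  && echo "AFTER: loopback-only, cloudflared still reaches it"
```

Run it against the fork's docker-compose.yml with check_loopback_only "$(cat docker-compose.yml)" in CI to catch a regression to the 8002:8002 form before it is deployed.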
Compiled from
wiki/projects/gcp-mcp-standalone/adr/0006-localhost-only-broker-bind.md · git is the source of truth