Project · gcp-mcp-standalone

Network & Access Paths

The broker VM exposes **zero public inbound ports**. Every path into the box is either an outbound connection the VM itself initiates (Cloudflare Tunnel, Telegram long-poll) or a private WireGuard mesh (Tailscale). Arrow direction in the diagram = who initiates the connection.

type componentstatus activenetwork · security · tailscale · cloudflare

network-access.drawio.svg

Key points

  • GCP firewall deny-public-ingress-mcp-broker (priority 100) denies ALL inbound traffic from the internet — including SSH port 22. Scanning the public IP answers nothing.
  • Public traffic (claude.ai → bobsmcp.uk) arrives only via the Cloudflare Tunnel: cloudflared on the VM dials OUT to Cloudflare's edge and pulls broker traffic back through that connection. The broker itself binds 127.0.0.1:8002 only.
  • Admin access ("SSH") exists solely inside the Tailscale mesh: sshd listens, but is reachable only over the WireGuard-encrypted tailnet interface. An attacker would first need to be a device on the tailnet.
  • Telegram bot: claudebot long-polls Telegram's API outbound — no inbound webhook.
  • Connector egress: the broker reaches GCP APIs with a metadata-server token capped by custom role mcpBrokerOps, the Tailscale API with a read-only OAuth client, and Notion/GitHub/Cloudflare with stored OAuth tokens (see gcp-mcp-standalone/connectors-gcp-tailscale).
  • Failure modes: if the VM hangs, both doors (tunnel + tailnet) die with it — recovery is then gcloud/Cloud Console from the Mac, or the GCP mobile app. The broker's own gcp connector cannot rescue the VM it runs on.

Details

The diagram source is assets/diagrams/network-access.drawio.svg — a draw.io file (openable/editable at diagrams.net or with the Obsidian draw.io plugin) that renders as a plain SVG on the published site.

Sources

Compiled from wiki/projects/gcp-mcp-standalone/network-access.md · git is the source of truth