Networking
The VM has no external IP. All outbound and inbound traffic flows through controlled paths:
```
Internet
  │
  │ (outbound only, via Cloud NAT in iac-foundation)
  ▼
Cloud NAT ──► cloudflared ──► Cloudflare Edge (TCP 443 or UDP 7844)

Private Google Access (no NAT)
  ▼
Cloud Run                  *.run.app          TCP 443
GCP Secret Manager                            TCP 443
Instance Metadata Server   169.254.169.254    HTTP
```
Traffic paths
| Path | Mechanism | Firewall tag | Ranges |
|---|---|---|---|
| cloudflared → CF edge | Cloud NAT + allow-cf-tunnel egress | allow-cf-tunnel | 0.0.0.0/0 (Cloudflare uses dynamic IPs) |
| cf-proxy → Cloud Run | Private Google Access (restricted VIPs) | allow-pga | 199.36.153.8/30 |
| cf-proxy → Secret Manager | Private Google Access (restricted VIPs) | allow-pga | 199.36.153.8/30 |
| cloudflared binary download | Cloud NAT + GitHub egress | allow-github-download | 0.0.0.0/0 (GitHub uses dynamic IPs) |
| MIG health check → :2000 | GCP health check prober ingress | allow-health-check | 130.211.0.0/22, 35.191.0.0/16 |
| SSH (ops only) | IAP TCP tunnel | allow-iap-ssh | 35.235.240.0/20 |
| All other egress | Denied | deny-all-egress (iac-foundation) | 0.0.0.0/0 |
Subnet
gateway-subnet, 10.0.2.0/24, europe-west1, private_ip_google_access = true.
Subnet allocation
VPC eigenoid-vpc uses the 10.0.0.0/8 private range. Current allocations:
| CIDR | Subnet | Region | Repo | Status |
|---|---|---|---|---|
| 10.0.0.0/24 | — | — | — | 🟢 Available |
| 10.0.1.0/24 | — | — | — | 🟢 Available (was gateway-subnet in us-central1, freed after europe-west1 migration) |
| 10.0.2.0/24 | gateway-subnet | europe-west1 | iac-api-gateway | 🔴 In use |
| 10.0.3.0/24 – 10.0.255.0/24 | — | — | — | 🟢 Available |
GCP requires unique CIDRs across all regions within a VPC. When adding subnets, always check this table and update it after allocation to prevent CIDR conflicts during Terraform operations.
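The conflict check described above, as an added example that is not part of this page or the iac repositories: it embeds a constructed copy of the allocation table and reports why a proposed CIDR may not be allocated (outside the VPC range, host bits set, or overlapping an in-use subnet in any region). Only the in-use row counts as a conflict; the freed 10.0.1.0/24 row is kept to show that it can be reused.

```python
import ipaddress

# Constructed copy of the "Subnet allocation" table on this page.
# Tuples are (cidr, subnet name, region, in_use).
VPC_RANGE = ipaddress.ip_network("10.0.0.0/8")
ALLOCATIONS = [
    ("10.0.1.0/24", "gateway-subnet (freed)", "us-central1", False),
    ("10.0.2.0/24", "gateway-subnet", "europe-west1", True),
]


def check_subnet(cidr: str, region: str, allocations=ALLOCATIONS) -> list[str]:
    """Return the list of problems for a proposed subnet; empty means safe to allocate.

    Subnet ranges must be unique across every region of the VPC, so the
    region of an existing allocation never exempts it from the overlap test.
    The `region` argument is only used to make the report explicit.
    """
    problems = []
    try:
        # strict=True rejects ranges with host bits set (e.g. 10.0.2.5/24).
        new = ipaddress.ip_network(cidr, strict=True)
    except ValueError as err:
        return [f"invalid CIDR {cidr!r}: {err}"]

    if not new.subnet_of(VPC_RANGE):
        problems.append(f"{new} is outside the VPC range {VPC_RANGE}")

    for existing_cidr, name, existing_region, in_use in allocations:
        existing = ipaddress.ip_network(existing_cidr)
        if in_use and new.overlaps(existing):
            problems.append(
                f"{new} overlaps {existing} ({name}, {existing_region}); "
                f"placing the new subnet in {region} does not avoid the conflict"
            )
    return problems


if __name__ == "__main__":
    for candidate, region in [("10.0.3.0/24", "europe-west1"),
                              ("10.0.2.0/25", "us-central1")]:
        issues = check_subnet(candidate, region)
        print(candidate, region, "OK" if not issues else issues)
```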
Firewall rules
Firewall rules are managed in iac-foundation (network/firewall.tf) and select VMs by network tag. Tags are set on the instance template in vm.tf. All rules are on VPC eigenoid-vpc.
Ingress
| Rule | Protocol / Ports | Source ranges | Target tag | Purpose |
|---|---|---|---|---|
| deny-all-ingress | all | 0.0.0.0/0 | (all instances) | Default deny — no inbound traffic unless explicitly allowed |
| allow-health-check | TCP 2000 | 130.211.0.0/22, 35.191.0.0/16 | allow-health-check | GCP health check probers → cloudflared readiness |
| allow-iap-ssh | TCP 22 | 35.235.240.0/20 | allow-iap-ssh | Identity-Aware Proxy SSH tunneling (ops debugging) |
Egress
| Rule | Protocol / Ports | Destination ranges | Target tag | Purpose |
|---|---|---|---|---|
| deny-all-egress | all | 0.0.0.0/0 | (all instances) | Default deny — no outbound traffic unless explicitly allowed |
| allow-egress-cloudflare | TCP 443, 7844 + UDP 7844 | 0.0.0.0/0 | allow-cf-tunnel | cloudflared → Cloudflare edge (QUIC preferred, HTTP/2 fallback) |
| allow-egress-google-apis | TCP 443 | 199.36.153.8/30 | allow-pga | Private Google Access restricted VIPs (Cloud Run, Secret Manager) |
| allow-egress-github | TCP 443 | 0.0.0.0/0 | allow-github-download | cloudflared binary download from GitHub at VM boot |
allow-egress-cloudflare and allow-egress-github use 0.0.0.0/0 because Cloudflare and GitHub publish dynamic IP ranges. The target tags ensure only the gateway VM can use these rules.
Related pages
- Gateway VM — network tag assignments
- Repository map — where firewall rules and subnet definitions live