Don't expose servers to the internet by default, disable incoming ICMP

[MitchK]

Description

Hi, thanks for creating this script. I noticed that all nodes are assigned a public IP address on the public internet and each of the nodes can be pinged directly. This may be a huge security risk.

I think by default, none of the servers should get a public IP address unless specifically allowed.

  public_net {
    ipv4_enabled = false
    ipv6_enabled = false
  }

To access the cluster, a bastion host can be deployed as part of the script.

I would also suggest, that even if nodes are publicly exposed, I recommend blocking any incoming ICMP requests (pings), to decrease the attack surface from the outside.

resource "hcloud_firewall" "block_icmp" {
  name = "block-icmp"

  # Allow all outgoing traffic
  rule {
    direction = "out"
    protocol  = "icmp"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  # Block incoming ICMP (ping)
  rule {
    direction  = "in"
    protocol   = "icmp"
    source_ips = ["0.0.0.0/0", "::/0"]
    action     = "drop"
  }
}

[valkenburg-prevue-ch]

Hi @MitchK , this is a feature we have long discussed and considered. I just opened this PR with what you ask for and more (because you need a NAT router for what you request): #1681

Please feel free to review and comment.

[mysticaltech]

This is done!