ADR 0005: No Inbound NAT for Internal Services
Status
Accepted
Context
The platform hosts both public and internal services. Internal services must never be internet-routable to preserve a strong trust boundary. The architecture already assumes split-horizon DNS and internal ingress controls, but the routing posture must be explicit and enforceable.
Decision
There will be no inbound NAT or port-forwarding from the internet to internal service IPs. All internal services are reachable only from LAN or VPN networks through the internal ingress.
Consequences
- Internet-originated traffic can never reach internal services directly.
- Public exposure is limited to explicitly designated public services via the public ingress.
- Network policies and firewall rules must reflect the absence of inbound NAT.
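As an added check illustrating the last consequence (not part of the ADR or of the platform's own tooling): a small audit that scans an nftables ruleset in `nft list ruleset` syntax and reports DNAT rules that could forward internet traffic to an internal address. It assumes RFC 1918 ranges for internal services and `eth0` as the WAN interface; both are placeholders to adjust to the real allocation.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumptions (not from the ADR): internal services live in RFC 1918 space
# and "eth0" is the internet-facing interface. Adjust to the real allocation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WAN_IFACES = {"eth0"}

# Matches "dnat to 10.0.0.1:443" (ip family) and "dnat ip to 10.0.0.1" (inet family).
DNAT_RE = re.compile(r"dnat\s+(?:ip\s+)?to\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
# Matches only a plain single-interface match; negations ("!=") and sets ("{...}") do not match.
IIF_RE = re.compile(r'iifname\s+"?(?P<iface>[A-Za-z0-9_.-]+)"?')

@dataclass(frozen=True)
class Violation:
    line_no: int
    target: str
    rule: str

def find_inbound_nat_violations(ruleset, wan_ifaces=WAN_IFACES, internal_nets=INTERNAL_NETS):
    violations = []
    for line_no, raw in enumerate(ruleset.splitlines(), start=1):
        rule = raw.strip()
        m = DNAT_RE.search(rule)
        if not m:
            continue
        target = ipaddress.ip_address(m.group("ip"))
        if not any(target in net for net in internal_nets):
            continue  # DNAT to a public/DMZ address is the public-ingress path; allowed.
        iif = IIF_RE.search(rule)
        # No exact interface match (missing, negated, or a set) may still apply to WAN, so flag it.
        if iif is None or iif.group("iface") in wan_ifaces:
            violations.append(Violation(line_no, str(target), rule))
    return violations

# Constructed sample in `nft list ruleset` syntax; not taken from any real system.
SAMPLE_RULESET = """table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "eth0" tcp dport 443 dnat to 192.0.2.10:443
        iifname "eth0" tcp dport 8443 dnat to 10.20.0.15:443
        iifname "eth1" tcp dport 22 dnat to 10.20.0.16:22
        tcp dport 3306 dnat to 10.20.0.30:3306
    }
}"""

if __name__ == "__main__":
    for v in find_inbound_nat_violations(SAMPLE_RULESET):
        print(f"line {v.line_no}: inbound NAT to internal {v.target}: {v.rule}")
```

Running it against the sample flags the `eth0` rule to 10.20.0.15 and the interface-less rule to 10.20.0.30, while the LAN-only (`eth1`) rule and the DNAT to the public 192.0.2.10 address pass.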