@dmnelson @vkc Yep, that's how DigitalOcean and Hetzner work as well. It's nice to have multiple lines of defense, be it at the virtual network level before it hits your droplet's network stack or more fine-grained control afterwards.