by waynesonfire
166 days ago
I've applied the same principle to my network. Though, I do have plans to re-open some additional ports beyond just SSH / VPN. Thinking through how I would achieve this introduced me to the concept of a DMZ-zone. The DMZ places publicly accessible services in a highly locked down environment.

When the network is distributed on multiple sites, things get exponentially harder if you don't own a dark fiber from site to site and have essentially a single network.
I personally manage enough servers to scratch that itch, so I yearn for simplicity. If Tailscale gives me that isolation for free (which it does), I'd rather use that for my toy network rather than an elaborate multi-site DMZ setup.