diff --git a/terraform/aws/internal-modules/aws-vpc/main.tf b/terraform/aws/internal-modules/aws-vpc/main.tf
index d501937..9105fcc 100644
--- a/terraform/aws/internal-modules/aws-vpc/main.tf
+++ b/terraform/aws/internal-modules/aws-vpc/main.tf
@@ -62,3 +62,13 @@ resource "aws_security_group_rule" "internal_vpc_ingress_ipv6" {
 protocol = "-1"
 ipv6_cidr_blocks = [module.vpc.vpc_ipv6_cidr_block]
 }
+
+resource "aws_security_group_rule" "tailscale_ingress" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "ingress"
+ from_port = 41641
+ to_port = 41641
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+}
diff --git a/terraform/azure/internal-modules/azure-linux-vm/main.tf b/terraform/azure/internal-modules/azure-linux-vm/main.tf
index 77d3143..e3b95fa 100644
--- a/terraform/azure/internal-modules/azure-linux-vm/main.tf
+++ b/terraform/azure/internal-modules/azure-linux-vm/main.tf
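Review bot: The new `tailscale_ingress` rule opens UDP 41641 to `0.0.0.0/0` and `::/0` on `aws_security_group.tailscale` without a `description`, so the next reader cannot tell whether a world-reachable port is intentional. Tailscale uses this port for direct WireGuard peer connections, which is presumably why the exposure is accepted; record that on the rule, e.g. `description = "Tailscale WireGuard: allow direct peer connections on UDP 41641 from any source"`. Because the rule is attached to the whole security group, anything later placed in `aws_security_group.tailscale` inherits the exposure, so that group should stay dedicated to the Tailscale node; the group itself is defined outside this hunk.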
@@ -34,11 +34,28 @@ resource "azurerm_network_interface" "primary" {
 enable_ip_forwarding = module.tailscale_install_scripts.ip_forwarding_required
 }
 
-resource "azurerm_network_interface_security_group_association" "primary" {
- count = length(var.network_security_group_ids)
-
+resource "azurerm_network_interface_security_group_association" "tailscale" {
 network_interface_id = azurerm_network_interface.primary.id
- network_security_group_id = var.network_security_group_ids[count.index]
+ network_security_group_id = azurerm_network_security_group.tailscale_ingress.id
+}
+
+resource "azurerm_network_security_group" "tailscale_ingress" {
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ name = "nsg-tailscale-ingress"
+
+ security_rule {
+ name = "AllowTailscaleInbound"
+ access = "Allow"
+ direction = "Inbound"
+ priority = 100
+ protocol = "Udp"
+ source_address_prefix = "Internet"
+ source_port_range = "*"
+ destination_address_prefix = "*"
+ destination_port_range = "41641"
+ }
 }
 
 resource "azurerm_linux_virtual_machine" "tailscale_instance" {
diff --git a/terraform/azure/internal-modules/azure-linux-vm/variables.tf b/terraform/azure/internal-modules/azure-linux-vm/variables.tf
index 9caeecf..336ec8c 100644
--- a/terraform/azure/internal-modules/azure-linux-vm/variables.tf
+++ b/terraform/azure/internal-modules/azure-linux-vm/variables.tf
@@ -25,11 +25,6 @@ variable "primary_subnet_id" {
 description = "The primary subnet (typically PUBLIC) to assign to the virtual machine"
 type = string
 }
-variable "network_security_group_ids" {
- description = "The network security groups to assign to the virtual machine"
- type = list(string)
- default = []
-}
 variable "machine_size" {
 description = "The machine size to assign the virtual machine"
 type = string
diff --git a/terraform/google/internal-modules/google-compute-instance/main.tf b/terraform/google/internal-modules/google-compute-instance/main.tf
index 5cbb65e..240010c 100644
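Review bot: `azurerm_network_security_group.tailscale_ingress` is created with the fixed name `"nsg-tailscale-ingress"`, and NSG names must be unique within a resource group, so a second instance of this module in the same `var.resource_group_name` fails to apply; derive the name from a per-instance input instead, e.g. `name = "nsg-tailscale-ingress-${<instance-name variable>}"`. The new association hard-wires this NSG onto the NIC, and since a NIC accepts only one NSG, callers of the removed `var.network_security_group_ids` lose any rules they previously applied — worth stating as a breaking change in the module documentation. Inbound traffic other than UDP 41641 from `Internet` is still blocked by Azure's built-in `DenyAllInBound` default rule, which is what makes the single allow rule sufficient here. A `description` on the `security_rule` would make the intent explicit for reviewers, e.g. `description = "Tailscale WireGuard direct peer connectivity (UDP 41641)"`.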
--- a/terraform/google/internal-modules/google-compute-instance/main.tf
+++ b/terraform/google/internal-modules/google-compute-instance/main.tf
@@ -17,6 +17,40 @@ module "tailscale_install_scripts" {
 additional_after_scripts = var.additional_after_scripts
 }
 
+data "google_compute_subnetwork" "selected" {
+ self_link = "https://www.googleapis.com/compute/v1/${var.subnet}" # requires full URL - https://github.com/hashicorp/terraform-provider-google/issues/9919
+}
+
+resource "google_compute_firewall" "tailscale_ingress_ipv4" {
+ name = "tailscale-ingress-ipv4"
+ network = data.google_compute_subnetwork.selected.network
+
+ allow {
+ protocol = "udp"
+ ports = ["41641"]
+ }
+
+ source_ranges = [
+ "0.0.0.0/0",
+ ]
+ target_tags = var.instance_tags
+}
+
+resource "google_compute_firewall" "tailscale_ingress_ipv6" {
+ name = "tailscale-ingress-ipv6"
+ network = data.google_compute_subnetwork.selected.network
+
+ allow {
+ protocol = "udp"
+ ports = ["41641"]
+ }
+
+ source_ranges = [
+ "::/0",
+ ]
+ target_tags = var.instance_tags
+}
+
 data "google_compute_image" "ubuntu" {
 project = "ubuntu-os-cloud"
 family = "ubuntu-2204-lts"
@@ -27,7 +61,6 @@ resource "google_compute_instance" "tailscale_instance" {
 name = var.machine_name
 machine_type = var.machine_type
 
-
 boot_disk {
 initialize_params {
 image = data.google_compute_image.ubuntu.self_link
@@ -36,6 +69,9 @@ resource "google_compute_instance" "tailscale_instance" {
 
 network_interface {
 subnetwork = var.subnet
+ access_config {
+ // Ephemeral public IP
+ }
 }
 
 metadata = var.instance_metadata
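Review bot: Both firewall rules rely on `target_tags = var.instance_tags` to scope the UDP 41641 allow to the Tailscale instance, but a GCP firewall rule with no target tags (or target service accounts) applies to every instance in the network, so if `var.instance_tags` can be empty — its default is outside this hunk — these rules open the port from `0.0.0.0/0` and `::/0` network-wide. Guard against that with a `validation` block on `variable "instance_tags"` using `condition = length(var.instance_tags) > 0` and an `error_message` explaining that the Tailscale firewall rules would otherwise apply to all instances, or add a dedicated tag to both the rules and the instance. The fixed names `"tailscale-ingress-ipv4"` and `"tailscale-ingress-ipv6"` must be unique per project, so a second instantiation of this module collides — the same problem as the fixed NSG name in the Azure hunk. A `description` on each rule, and optionally `log_config { metadata = "INCLUDE_ALL_METADATA" }` so hits on the rule show up in firewall logs, would document the intent and make the exposure observable.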
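Review bot: The added `access_config {}` gives the instance an ephemeral IPv4 address only; nothing in this hunk adds `ipv6_access_config` or sets `stack_type = "IPV4_IPV6"` on the `network_interface`, so unless that is configured outside the hunk the `tailscale_ingress_ipv6` firewall rule added earlier in this file has no instance to apply to — either drop the IPv6 rule until dual-stack is configured or add the IPv6 access config alongside it. The comment should also say why a public address is needed: Tailscale still works behind NAT via DERP/STUN, so the public IP is there to enable direct connections, not a hard requirement, e.g. `# Ephemeral public IPv4 so peers can reach UDP 41641 directly; without it traffic falls back to DERP relays`. It should use `#` like the `data "google_compute_subnetwork"` comment in the same file rather than `//`. With a public IP, every other allow rule in this network (for example GCP's `default-allow-ssh` if this is the default network) also becomes Internet-reachable, so the network's existing rule set is worth checking. The enclosing `resource "google_compute_instance"` begins outside the hunk.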