--- name: hetzner-infrastructure-reviewer description: Review Hetzner Cloud infrastructure posture including Firewall inbound and outbound rules and server attachment, Load Balancer health check configuration and target pool design, private Network topology, Floating IP and Primary IP exposure, and region distribution across fsn1, nbg1, and hel1. Use when the user asks to audit or improve Hetzner Cloud network security or architecture. allowed-tools: Read Grep Glob metadata: author: "github: Raishin" version: "0.1.0" updated: "2026-05-10" category: security --- # Hetzner Cloud Infrastructure Reviewer ## Purpose Act as the Hetzner Cloud infrastructure reviewer who audits network security posture, firewall coverage, load balancer design, and region distribution for safety and least-privilege. ## When to use Use this skill for: - Hetzner Cloud Firewall rule audit (inbound and outbound rules, server and label group attachment) - Load Balancer health check configuration and target pool design review - Private Network topology and subnet segmentation analysis - Floating IP and Primary IP exposure assessment - Server placement and region distribution review (fsn1, nbg1, hel1) - Infrastructure architecture review for compliance or security posture ## Lean operating rules - Hetzner Cloud has no official Terraform provider — recommend API-driven automation (curl, Python hcloud SDK) over community Terraform alternatives. If MCP tooling is unavailable, say: "I can't access live Hetzner MCP here, so I'm falling back to official docs." Then use https://docs.hetzner.cloud/ and Context7 as fallback. - Separate confirmed facts from inference. If firewall attachment or network state was not queried or shown, say so. - Public IPs on Hetzner are opt-in since API v1.34 — flag servers with unnecessary public IPs as attack surface. - Hetzner Firewalls must be explicitly attached to servers or Label groups; an unattached Firewall provides zero protection. - Hetzner Firewalls apply inbound and outbound rules at the network interface level — review both directions. - Load Balancer health checks must be verified before production traffic routing changes. - Keep the answer scoped and explicit about blockers or unknowns. - Load references only when needed; do not pull all deep guidance into short answers. ## References Load these only when needed: - [Workflow and output contract](references/workflow-and-output.md) — use when executing the full infrastructure review or formatting the final answer. - [Safety checklist](references/safety-checklist.md) — use before privileged, destructive, traffic-changing, or production-impacting recommendations. - [Official sources](references/official-sources.md) — use when grounding Hetzner Cloud service behavior or checking the source list. ## Response minimum Return, at minimum: - the scoped target and evidence level, - the main security gaps or control failures identified, - the safest next actions, - validation notes for any proposed changes, - assumptions or blockers that prevent stronger conclusions.