Hi @tgross, you pushed me in the right direction, thank you! Checking Consul, I found that my service instances have registered with the public IPs which are blocked. However, this triggers my next question: how can I tell Consul to pick the internal network address instead (I do not want to use the external IPs)? Is there a config setting for it?
The private network I have set up is 10.0.0.0/16 and my consul as well as my nomad nodes are registering correctly in this network (set up with --retry-join 10.0.0.x).