As of this writing, the IRCD service has a NAT exception from cloud to production.
Recently, the server kraz has been removed and replaced by irc1001 and irc2001, which seems like a perfect moment to re-evaluate the NAT exception.
The irc1001/2001 boxes host an independent IRC service that is only used to provide recent changes activity feeds in the form of read-only irc channels organized by project+language (https://wikitech.wikimedia.org/wiki/IRCD). This NAT exception would allow our irc boxes to see which Cloud VPS instance a connected bot is coming from. Because the channels are read only to attached clients I"m not sure that has a lot of operational value though (no reason to block/k-line spammers/harassers in a read-only environment).
I think we should just drop the NAT exception and see what happens.