You are. I'm tunneling a /23 which I let Vultr announce via BGP over WireGuard to a local router VM. I have a nftables firewall in place before routing the traffic through the tunnel. I block everything except for exposed IPs and ports/protocols just to keep my limited bandwidth free of noise.