
Here is my setup and what I am trying to accomplish:

I have front-end server(s) [FE] and back-end server(s) [BE]. I am trying to set up my own VPC. The FE and BE are in different zones of the same region. The FE has its own service account, fe-sa; the BE has its own service account, be-sa.

From reading the documentation I understand that we can set up firewall rules based on service accounts to allow/deny access to a group of instances.

I have tried switching Target and Filters, but it does not help. I have tried replacing Filters with the FE server IP; this seems to work (but I know this is not the correct approach). I have also tried deleting everything and trying it out afresh.

Name       Type     Target   Filters   Protocol   Action   Priority
fe-to-be   Ingress  be-sa    fe-sa     icmp       ALLOW    999

where
be-sa is the service account associated with the back end,
fe-sa is the service account associated with the front end.

Below is the complete list of the other firewall rules, which work as expected:

Name                 Type      Target         Filters      Protocol   Action   Priority
be-disable-internet  egress    be-sa          0.0.0.0/0    icmp       DENY     1000
fe-enable-internet   egress    fe-sa          0.0.0.0/0    icmp       ALLOW    1000
allow-ssh-for-all    ingress   open-ssh-tag   0.0.0.0/0    tcp 22     ALLOW    1000
fe-incoming          ingress   fe-sa          0.0.0.0/0    icmp       ALLOW    1000

However, this seems to block all incoming requests to BE from any source (both internal and external IPs).

I would expect a successful ping from FE -> BE & a ping from local laptop -> BE blocked.

Currently, with the above rule, I see that both FE -> BE and laptop -> BE are blocked.

Rohit C
  • Do you use internal or external IP of your VM? – guillaume blaquiere Sep 02 '19 at 13:19
  • I got both, internal & external; both don't work. – Rohit C Sep 02 '19 at 13:57
  • I tested in my project, and it works. However, I had 2 different subnets. Is that your case? Or are the VMs in the same subnet? (Default subnets are per region and not per zone.) – guillaume blaquiere Sep 02 '19 at 19:06
  • @guillaumeblaquiere, below are details pertaining to my VM setup. Additional details of the FE and BE VMs: 1. Frontend VM: name - fe, us-central, zone-a, m/c: f1-micro, debian, SA: fe-sa, n/w tag: open-ssh-tag, n/w interface: rott-vpc (10.128.0.0/20) [the custom VPC I created]. 2. Backend VM: name - be, us-central, zone-b, m/c: f1-micro, debian, SA: be-sa, n/w tag: open-ssh-tag, n/w interface: rott-vpc (10.128.0.0/20). Both are in different zones, however the same subnet (not changed, default). – Rohit C Sep 03 '19 at 04:37
  • @guillaumeblaquiere, I figured out one more thing: ping by internal IP works!!! It's only the external that's blocked... so I guess it's expected? – Rohit C Sep 03 '19 at 04:38
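The behaviour observed in the comments (ICMP to BE allowed over the internal IP, denied over the external IP) follows from how VPC firewall rules evaluate a source service-account filter. The toy model below is an added example, not code from the question or from Google Cloud; it simplifies the documented evaluation order (lowest priority number wins, DENY wins a tie, implied ingress deny when nothing matches) and the documented restriction that a source service account or source tag is only matched against the sending VM's internal IP, so traffic arriving via an external address is never attributed to fe-sa. The VM addresses and the laptop address are constructed sample values.

```python
"""Toy model of VPC firewall ingress evaluation (added example, not GCP code).

Modelled assumptions, simplified from the GCP firewall documentation:
  * lower priority number wins; on a tie DENY beats ALLOW;
  * if no rule matches, the implied ingress rule denies the packet;
  * a source service-account filter is matched against the sending VM's
    *internal* IP; a packet arriving from an external IP is not attributed
    to any service account, so such a filter never matches it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed inventory mirroring the question: both VMs in rott-vpc 10.128.0.0/20.
VMS = {
    "fe": dict(sa="fe-sa", tags={"open-ssh-tag"}, internal="10.128.0.2", external="203.0.113.10"),
    "be": dict(sa="be-sa", tags={"open-ssh-tag"}, internal="10.128.0.3", external="203.0.113.11"),
}
LAPTOP_IP = "198.51.100.7"  # constructed address outside the VPC


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "ALLOW" or "DENY"
    priority: int
    protocol: str                    # "icmp" or "tcp"
    port: Optional[int] = None       # None means any port
    target_sa: Optional[str] = None
    target_tag: Optional[str] = None
    source_sa: Optional[str] = None
    source_ranges: tuple = ()        # CIDR strings


# The ingress rules from the question. The egress rules are omitted because
# they do not decide whether a packet may reach BE.
INGRESS_RULES = [
    Rule("fe-to-be", "ALLOW", 999, "icmp", target_sa="be-sa", source_sa="fe-sa"),
    Rule("allow-ssh-for-all", "ALLOW", 1000, "tcp", port=22,
         target_tag="open-ssh-tag", source_ranges=("0.0.0.0/0",)),
    Rule("fe-incoming", "ALLOW", 1000, "icmp", target_sa="fe-sa", source_ranges=("0.0.0.0/0",)),
]


def sa_of_internal_ip(src_ip: str) -> Optional[str]:
    """Service account the VPC can attribute to a source: only internal IPs count."""
    for vm in VMS.values():
        if vm["internal"] == src_ip:
            return vm["sa"]
    return None


def rule_matches(rule: Rule, dst_vm: dict, src_ip: str, protocol: str, port: Optional[int]) -> bool:
    # Target: service account, network tag, or (neither set) every instance.
    if rule.target_sa and rule.target_sa != dst_vm["sa"]:
        return False
    if rule.target_tag and rule.target_tag not in dst_vm["tags"]:
        return False
    if rule.protocol != protocol or (rule.port is not None and rule.port != port):
        return False
    # Source filter: a service-account filter needs an attributable internal IP.
    if rule.source_sa:
        return sa_of_internal_ip(src_ip) == rule.source_sa
    return any(ip_address(src_ip) in ip_network(r) for r in rule.source_ranges)


def evaluate_ingress(dst: str, src_ip: str, protocol: str, port: Optional[int] = None) -> tuple:
    """Return (rule_name, action) of the rule that decides the packet."""
    matching = [r for r in INGRESS_RULES if rule_matches(r, VMS[dst], src_ip, protocol, port)]
    if not matching:
        return ("implied-deny-ingress", "DENY")
    # Lowest priority number wins; DENY wins a tie at the same number.
    best = min(matching, key=lambda r: (r.priority, 0 if r.action == "DENY" else 1))
    return (best.name, best.action)


if __name__ == "__main__":
    cases = [
        ("FE -> BE via internal IP", evaluate_ingress("be", VMS["fe"]["internal"], "icmp")),
        ("FE -> BE via external IP", evaluate_ingress("be", VMS["fe"]["external"], "icmp")),
        ("laptop -> BE icmp", evaluate_ingress("be", LAPTOP_IP, "icmp")),
        ("laptop -> BE tcp/22", evaluate_ingress("be", LAPTOP_IP, "tcp", 22)),
    ]
    for label, (rule, action) in cases:
        print(f"{label:26s} {action:5s} ({rule})")
```

Running it shows the same split the comments report: the ping over 10.128.0.2 is allowed by fe-to-be, while the ping from FE's external address, like the one from the laptop, falls through to the implied ingress deny, which is the intended outcome for the laptop and the reason to address BE by its internal IP from FE.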

0 Answers