
I have two projects A and B.

I am running my future workload in project B that is behind a GLB and through an Nginx proxy.

In order for me to send requests from project A to project B, I am using an internet network endpoint group pointing to the GLB of project B (this is part of the migration plan, so one backend is removed and the other is attached to reach the project through the INEG).

Now on project B I have a security policy attached to the backend service which does a deny-all except a few whitelisted IPs that need to hit our service.

At this point, unless I open project B to the internet, requests from project A's GLB backend internet network endpoint group are getting blocked.

The question is: what IP ranges of Google does an internet network endpoint group use, and how do I allow them in project B, locking it to be accessible from project A?

PS: I have enabled trueclient-ip at Nginx in project B, but that has too many public IPs; it's hard to figure out, and I'm not certain all are captured for me to set up a rule against them in the security policy (Cloud Armor). Thanks!

I tried allowing only the Cloud NAT IPs of project A, thinking the egress would be from the NAT, but it doesn't work unless opened to the internet.

  • Hi! I'm having a little trouble understanding your requirements here. Is your project B service supposed to be private? (i.e. you want to only allow project A to reach?) – Glen Yu Apr 02 '22 at 15:23
  • Thanks for your response. No it needs to be accessible through public end point too @GlenYu – thedevopsguy Apr 07 '22 at 16:28

1 Answer


This can easily be found by checking the docs. The Authenticating requests section mentions the following:

To allow an external HTTP(S) load balancer to send requests to your external backend:

Query the _cloud-eoips.googleusercontent.com DNS TXT record using a tool like dig or nslookup.

So you can run:

dig _cloud-eoips.googleusercontent.com txt @8.8.8.8

#or

nslookup -q=TXT _cloud-eoips.googleusercontent.com 8.8.8.8

Keep in mind you will get a CIDR block and not a specific IP for your LB, since you cannot reserve a static IP. As well, Cloud NAT cannot be used, so I suggest understanding the purpose of that service first.

  • Hi @ferregina-pelona, really appreciate your input. This certainly works, but I don't wish to open up to such a wide CIDR range. Alternatively, what I did was create a simple proxy instance as an internet backend service that will route to the GLB in project B. The proxy is created in the VPC network that egresses through the NAT, so I am whitelisting them in the security policy attached to the backend in the GLB on project B. – thedevopsguy Apr 07 '22 at 16:27
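The procedure from the answer above (query the `_cloud-eoips.googleusercontent.com` TXT record, then allow what it returns in the Cloud Armor policy), carried through as an added shell example; this is not code from the original question or answer. The TXT record value in `SAMPLE_TXT` is a constructed sample in SPF syntax and is not the live record, the policy name `my-policy` and the starting priority are placeholders, and the example assumes gcloud's `security-policies rules create --src-ip-ranges` flag and the Cloud Armor limit of 10 source IP ranges per rule.

```shell
#!/usr/bin/env bash
# Added example: turn the _cloud-eoips TXT record into Cloud Armor allow rules.
# Not code from the original post; names and sample data below are assumptions.
set -euo pipefail

# Constructed sample of what the record looks like (SPF syntax). This is NOT
# the live value: always query DNS for the current ranges before applying.
SAMPLE_TXT='"v=spf1 ip4:34.96.0.0/20 ip4:34.127.192.0/18 ~all"'

# Query the live record (needs network access); prints the quoted TXT string.
fetch_record() {
  dig +short TXT _cloud-eoips.googleusercontent.com @8.8.8.8
}

# Print one CIDR per line from an SPF-style record: keeps the ip4:/ip6: terms,
# drops the v=spf1 prefix, the ~all terminator and the surrounding quotes.
extract_cidrs() {
  printf '%s\n' "$1" | tr -d '"' | tr ' ' '\n' | sed -n 's/^ip[46]://p'
}

# Read CIDRs on stdin and print one gcloud command per batch of at most
# $3 ranges (default 10, the Cloud Armor cap on source IP ranges per rule),
# incrementing the rule priority for each batch.
#   $1 = security policy name (placeholder), $2 = first priority, $3 = batch size
emit_rules() {
  local policy=$1 priority=$2 batch=${3:-10}
  local ranges="" n=0 cidr
  while IFS= read -r cidr; do
    if [ -z "$cidr" ]; then continue; fi
    if [ -n "$ranges" ]; then ranges="$ranges,$cidr"; else ranges="$cidr"; fi
    n=$((n + 1))
    if [ "$n" -eq "$batch" ]; then
      print_rule "$policy" "$priority" "$ranges"
      priority=$((priority + 1)); ranges=""; n=0
    fi
  done
  if [ -n "$ranges" ]; then
    print_rule "$policy" "$priority" "$ranges"
  fi
}

# Format a single allow rule. The description is free text.
print_rule() {
  printf 'gcloud compute security-policies rules create %s --security-policy=%s --src-ip-ranges=%s --action=allow --description="Google external HTTP(S) LB egress"\n' \
    "$2" "$1" "$3"
}

# Usage: dry-run with the constructed sample; swap in "$(fetch_record)" for
# the real record and pipe the output to sh once reviewed.
extract_cidrs "$SAMPLE_TXT" | emit_rules my-policy 1000
```

The commands are printed rather than executed so the ranges can be reviewed before they land in the policy. Note the trade-off the comment thread raises: these ranges are shared by every external HTTP(S) load balancer in Google Cloud, so allowing them admits any such load balancer, not only project A's; the asker's alternative of a proxy instance in project A behind Cloud NAT, with only the NAT IPs whitelisted, keeps the allow list specific to project A at the cost of an extra hop.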