Network load balancer firewall


Patrick Scott

Jul 25, 2015, 3:45:03 PM
to gce-discussion
I have a simple question about network load balancing. I have set up an HTTP load balancer and was able to open the firewall by allowing traffic from the load balancer IP block (130.211.0.0/22). This has worked very well for the HTTP load balancer.

Now, I need to set up a network load balancer for a few TCP and UDP ports but want to protect my instances from other traffic. Since network load balancers do not rewrite packets, the source IP is external to my network and is blocked by the firewall.

I really don't want to open up traffic to these instances from any IP address. Is there any way to restrict traffic to traffic from the network load balancer?

Thanks,
Patrick

Raghav P

Jul 26, 2015, 4:48:10 PM
to gce-discussion, pat...@pmscott.com
I too, like Patrick, would be interested in knowing about putting a restrictive firewall in front of a network load balancer. As far as I have understood, the firewall needs to be open to all IPs [0.0.0.0/0] for the required ports and protocol.

Kamran (Google Cloud Support)

Jul 27, 2015, 4:51:12 PM
to gce-discussion, pat...@pmscott.com, pat...@pmscott.com

Hello Patrick,

As far as I understand your question, you want to restrict direct traffic to your VM instances and respond only to the traffic that comes through your network load balancer. If this is the case, then a workaround is running your instances without assigning them external IP addresses.

If this is not the case, please feel free to help clarify your question.

Sincerely,

Kamran

Patrick Scott

Jul 27, 2015, 4:56:44 PM
to Kamran (Google Cloud Support), gce-discussion
That is basically what I want to do.

I guess my concern with removing the external IP address is that the instances will have to route through another machine to access the internet. Setting up another machine just as a NAT seems excessive. I was hoping there was already an easy way to accomplish something like this.

Vladimir Sol

Aug 27, 2015, 2:54:22 AM
to gce-discussion, khas...@google.com
Hi everyone,

Has a solution to this problem come to be (not a workaround)? Cutting all external communication to restrict port 80 (for instance) to accept traffic only from the LB can't be acceptable for everyone, I assume?

It feels like the ability to tag your LB is what we're lacking; it would fit in nicely with firewall rule creation for a single port you'd like to hide behind the LB layer.

Kamran (Google Cloud Support)

Aug 27, 2015, 10:28:40 AM
to gce-dis...@googlegroups.com, khas...@google.com

Hello Vladimir,

You can have external IP addresses for your VM instances, but only accept HTTP(S) traffic from your HTTP(S) load balancing service. Please visit this article and follow the steps. Then, by configuring different firewall rules, you can directly reach your VM instances through other ports.

Sincerely,

Kamran

Patrick Scott

Aug 27, 2015, 10:55:42 AM
to Kamran (Google Cloud Support), gce-discussion
This only applies to HTTP(S) load balancing and not general network load balancing.

The network load balancer does not change the source IP so the firewall cannot use a netblock restriction. Are there any plans to support firewall restrictions for a network load balancer?


Kamran (Google Cloud Support)

Aug 27, 2015, 1:53:29 PM
to gce-discussion, khas...@google.com

Hello Patrick,

The GCE network load balancer forwards the packets to the VM instances with the destination IP address of the load balancer. You can simply bind your web servers to listen only on the load balancer's IP address. This will stop serving requests that come to the VMs directly (bypassing the network load balancer).

Alternatively, you can specify a rule on your VM instance's iptables firewall (or Windows firewall) to deny or drop the packets that have the destination IP addresses of your instances for port 80 or 443.

Sincerely,

Kamran
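Added example (not code from the thread or from Google): a small Python model of the two filtering strategies discussed, showing why the source-range rule that works for the HTTP(S) load balancer drops network-LB traffic (the client's source IP is preserved), while the destination-IP host-firewall rule Kamran describes accepts it and still drops direct hits on the instance IP. The 203.0.113.x and 198.51.100.x addresses are constructed sample values; only 130.211.0.0/22 is from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# From the thread: the HTTP(S) load balancer connects to backends from this range.
HTTP_LB_SOURCE_RANGE = ip_network("130.211.0.0/22")
# Constructed sample addresses (not from the thread).
LB_IP = ip_address("203.0.113.10")        # network LB forwarding-rule IP
INSTANCE_IP = ip_address("203.0.113.20")  # the instance's own external IP
PROTECTED_PORTS = {80, 443}               # ports that must only be reached via the LB


@dataclass(frozen=True)
class Packet:
    src: str    # source IP; a network LB leaves the client's address here
    dst: str    # destination IP; a network LB leaves its own address here
    dport: int  # TCP destination port


def source_rule_verdict(pkt: Packet) -> str:
    """Source-range rule, the approach that worked for the HTTP(S) LB.
    Fails for a network LB: the client's source IP is preserved, so traffic
    that legitimately arrived through the LB is dropped as well."""
    if pkt.dport not in PROTECTED_PORTS:
        return "PASS"  # not this rule's concern; later rules decide
    return "ACCEPT" if ip_address(pkt.src) in HTTP_LB_SOURCE_RANGE else "DROP"


def destination_rule_verdict(pkt: Packet) -> str:
    """Destination-IP rule, the host-firewall approach from the thread:
    accept service ports only when addressed to the LB IP, drop them when
    addressed to the instance's own IP (a direct hit that bypassed the LB)."""
    if pkt.dport not in PROTECTED_PORTS:
        return "PASS"
    dst = ip_address(pkt.dst)
    if dst == LB_IP:
        return "ACCEPT"
    if dst == INSTANCE_IP:
        return "DROP"
    return "PASS"


def iptables_rules() -> list:
    """The same destination-IP policy rendered as iptables INPUT rules."""
    rules = []
    for port in sorted(PROTECTED_PORTS):
        rules.append(f"iptables -A INPUT -p tcp -d {LB_IP} --dport {port} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp -d {INSTANCE_IP} --dport {port} -j DROP")
    return rules
```

Other ports return "PASS" so separate rules can still expose them directly, matching the earlier note that different firewall rules can allow direct access on other ports.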

SC Lincoln

Sep 12, 2016, 8:54:05 AM
to gce-discussion, khas...@google.com
This doesn't address the issue. When the GCE load balancer forwards traffic to the VM instances, it does not change the source IP address to the GCE load balancer; instead, it keeps the original source IP address. This creates a problem because I have a firewall rule on my VM instances that restricts inbound traffic from the GCE load balancer on port 443 (only). Is there a way to configure the GCE load balancer such that it rewrites the source IP address with its own IP address?

Bob Silverstein

Sep 12, 2016, 12:07:59 PM
to SC Lincoln, gce-dis...@googlegroups.com
I spoke with one of the engineers on the cloud networking team, and they suggested you try using SSL Proxy load balancing, which is currently in beta.


Bob Silverstein | Senior User Researcher | bob...@google.com | 206-877-3344
