GCLB GFE IP ranges for firewall rules


Michal Witkowski

Jun 12, 2015, 5:05:44 AM
to gce-dis...@googlegroups.com
After playing around with HTTP(S) Load Balancing Beta, there is a bit of a quirk. 

a) It seems that both health-checks and GFE > VM traffic travel over the public IP ranges and not private ones.
b) It seems that you have to have an explicit Firewall rule on your machine that allows traffic from *external* sources (because the GFE and health-checks look external) to the instance ports. I guess it should be obvious because, unlike for L3 "Network Load Balancing", you don't specify the Network anywhere.

This becomes a problem in a use case where your app is serving only HTTP and you want to put it behind the GCLB HTTPS load balancer and hide some paths using URL Maps. That's because now your whole URL space is exposed to the world through the explicit open Firewall rule.

A nicer solution would be if healthchecks and GFE forwarded traffic travelled over the private network instead of public, but I understand that it could be technically harder to achieve.

However, in order to secure our stuff, it would be great to have a "Source filter" within "Firewall > Edit" that allows you to specify "HTTP Load Balancers", so it will only open the ports to GFEs.

In the medium term, can we please have a list of GFEs that are used for traffic and health checking so we can specify the Source IP Ranges? So far I managed to find three (based on our service logs):
 * 130.211.1.159
 * 130.211.1.106
 * 130.211.1.199

Is 130.211.1.0/24 a netmask that would cover all?

Thanks,
Michal
Head of Infrastructure
Improbable

Faizan (Google Cloud Support)

Jul 30, 2015, 11:01:44 AM
to gce-discussion, mic...@improbable.io, mic...@improbable.io
Hello Michal,

For the HTTP load balancer, health checks come from the addresses in the range 130.211.0.0/22. As such, you need to update your firewall rule to allow the traffic from these IPs. You can refer to this link for more information.

I hope that helps.

Faizan
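A small audit script, added here as an example and not part of either post, that ties the two messages together: it pulls source IPs out of constructed access-log lines (the three addresses Michal observed plus one unrelated client), checks them against his 130.211.1.0/24 guess and against the 130.211.0.0/22 range given in the answer, and flags a firewall rule whose source ranges admit more than the GFE range (for example 0.0.0.0/0, which is what exposes the whole URL space). The log format and the `audit_rule` helper are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample access-log lines (not from the thread). The first three
# client IPs are the ones reported in the question; the last is an outsider.
SAMPLE_LOG = """\
130.211.1.159 - - [12/Jun/2015:09:05:01 +0000] "GET /healthz HTTP/1.1" 200 2
130.211.1.106 - - [12/Jun/2015:09:05:03 +0000] "GET /healthz HTTP/1.1" 200 2
130.211.1.199 - - [12/Jun/2015:09:05:05 +0000] "GET /api/v1/items HTTP/1.1" 200 512
203.0.113.7 - - [12/Jun/2015:09:05:06 +0000] "GET /internal/admin HTTP/1.1" 200 88
"""

# Range quoted in the answer for GFE health-check / forwarded traffic.
GFE_RANGE = "130.211.0.0/22"

# Client IP is the first field of each line (common log format assumed).
IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")


def source_ips(log_text):
    """Return the set of distinct client IPs seen at the start of log lines."""
    ips = set()
    for line in log_text.splitlines():
        m = IP_RE.match(line)
        if m:
            ips.add(m.group(1))
    return ips


def covered(ips, cidr):
    """Split observed IPs into those inside and those outside the given CIDR."""
    net = ipaddress.ip_network(cidr)
    inside = {ip for ip in ips if ipaddress.ip_address(ip) in net}
    return inside, set(ips) - inside


def audit_rule(source_ranges, required=GFE_RANGE):
    """Check a firewall rule's source ranges against the GFE range.
    Returns (allows_gfe, wider_than_gfe): the rule must contain the whole GFE
    range, and any entry that admits sources outside it is reported so the
    operator can narrow the rule instead of leaving the backend open."""
    need = ipaddress.ip_network(required)
    nets = [ipaddress.ip_network(r) for r in source_ranges]
    allows_gfe = any(need.subnet_of(n) for n in nets)
    wider_than_gfe = [str(n) for n in nets if not n.subnet_of(need)]
    return allows_gfe, wider_than_gfe


if __name__ == "__main__":
    seen = source_ips(SAMPLE_LOG)
    for cidr in ("130.211.1.0/24", GFE_RANGE):
        inside, outside = covered(seen, cidr)
        print(f"{cidr}: covers {sorted(inside)}, misses {sorted(outside)}")
    print("rule 0.0.0.0/0 ->", audit_rule(["0.0.0.0/0"]))
    print("rule 130.211.0.0/22 ->", audit_rule([GFE_RANGE]))
```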