Assigning a firewall rule based on service account for HTTPS Load Balancer


Daniel Compton

Sep 21, 2017, 9:06:46 AM
to gce-discussion
Hi folks

When creating a firewall rule to allow a load balancer, is it possible to specify a service account? The docs talk about the source addresses required to allow the load balancer in. I thought it could be cleaner and more self-documenting if I could point to the service account instead.

Is this possible?

Thanks, Daniel.

Navi Aujla (Google Cloud Support)

Sep 21, 2017, 12:23:35 PM
to gce-dis...@googlegroups.com
Hello Daniel,

You can set firewall rule assignment with the service account (beta). Service accounts are used by the applications to call the Google API of a service.

A GCE VM instance may run as a service account, and that account can be given permissions to access the resources it needs. As such, creating a firewall rule with "Source service account" or "Target service account" allows/denies communication among the services associated with the respective service accounts.

The firewall rule for the IP ranges 130.211.0.0/22 and 35.191.0.0/16 should allow traffic from both the HTTP(S) load balancer and the health checker. For network load balancing, the health check probes come from addresses in the ranges 209.85.152.0/22, 209.85.204.0/22, and 35.191.0.0/16. For HTTP(S), SSL proxy, TCP proxy, and internal load balancing, the health check probes come from addresses in the ranges 130.211.0.0/22 and 35.191.0.0/16. It is not possible to bind the load balancers and health check IP ranges to a service account. As such, it is not possible to define the firewall rule based on the service account.
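
The answer above comes down to a rule-design check: the source side of the rule has to be the published probe ranges, while the target side can still be narrowed to the instances' service account. The following is an added example, not code from the thread or from Google; it uses only Python's standard library and the ranges quoted in the reply. `review_rule` reports whether a candidate rule's source ranges cover every probe range for a given load balancer type and flags any source range wider than those probe ranges (for example `0.0.0.0/0`), and `gcloud_command` renders the corresponding `gcloud compute firewall-rules create` invocation, with the rule name, network, port, and service account e-mail being placeholders to replace.

```python
import ipaddress
import shlex

# Probe source ranges as stated in the reply above, keyed by load balancer type.
HEALTH_CHECK_SOURCES = {
    "network": ["209.85.152.0/22", "209.85.204.0/22", "35.191.0.0/16"],
    "http_https": ["130.211.0.0/22", "35.191.0.0/16"],
    "ssl_proxy": ["130.211.0.0/22", "35.191.0.0/16"],
    "tcp_proxy": ["130.211.0.0/22", "35.191.0.0/16"],
    "internal": ["130.211.0.0/22", "35.191.0.0/16"],
}


def _nets(cidrs):
    """Parse CIDR strings into ip_network objects (strict: host bits must be zero)."""
    return [ipaddress.ip_network(c) for c in cidrs]


def _within(inner, outer):
    """True if `inner` is fully contained in `outer`; mixed IP versions never match."""
    return inner.version == outer.version and inner.subnet_of(outer)


def review_rule(rule_sources, lb_type):
    """Compare a firewall rule's source ranges against the probe ranges for `lb_type`.

    Returns a dict with:
      complete: every required probe range is covered by some source range
      missing:  required probe ranges not covered (health checks would fail)
      extra:    source ranges not contained in any probe range (rule is wider
                than the health checker needs)
    """
    required = _nets(HEALTH_CHECK_SOURCES[lb_type])
    sources = _nets(rule_sources)
    missing = [str(r) for r in required if not any(_within(r, s) for s in sources)]
    extra = [str(s) for s in sources if not any(_within(s, r) for r in required)]
    return {"complete": not missing, "missing": missing, "extra": extra}


def gcloud_command(rule_name, network, port, lb_type, target_service_account):
    """Render the gcloud command for a rule that admits the probe ranges for
    `lb_type` as sources and restricts the target to one service account.

    The names passed in are whatever the caller chooses; nothing here is
    taken from a real project.
    """
    sources = ",".join(HEALTH_CHECK_SOURCES[lb_type])
    argv = [
        "gcloud", "compute", "firewall-rules", "create", rule_name,
        "--network", network,
        "--direction", "INGRESS",
        "--action", "ALLOW",
        "--rules", f"tcp:{port}",
        "--source-ranges", sources,
        "--target-service-accounts", target_service_account,
    ]
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed candidate rules, not taken from any real project.
    print(review_rule(["130.211.0.0/22", "35.191.0.0/16"], "http_https"))
    print(review_rule(["35.191.0.0/16"], "http_https"))          # missing 130.211.0.0/22
    print(review_rule(["0.0.0.0/0"], "http_https"))              # complete but over-broad
    print(gcloud_command("allow-lb-health-checks", "example-vpc", 8080, "http_https",
                         "web-backend@example-project.iam.gserviceaccount.com"))
```

The `extra` list is the part worth acting on in review: a rule that passes `complete` only because it admits `0.0.0.0/0` defeats the purpose of scoping the source, and the target service account does nothing to narrow who may send the traffic.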

Daniel Compton

Oct 5, 2017, 4:40:21 PM
to gce-discussion
Hi Navi

Thanks for looking into this, and good to know that it's not possible, at least not currently.

--
Daniel.