About FW rules that allow clients to access only LB


宇治桜

Feb 23, 2021, 6:12:21 AM
to gce-discussion
<Structure>
============================
ClientVM-> LB (TCP LB)-> WEB
============================
ClientVM: 10.10.10.2
LB: 10.10.10.3
WEB: 10.10.11.2

<Question>
Please tell me about the firewall settings.
What rule should I create if I only want to allow TCP80 from ClientVM to LB?

Gagandeep Toor

Feb 23, 2021, 4:37:10 PM
to gce-discussion
Hello ujisakura@, 

For setup - 
SourceClientVM: 10.10.10.2
Internal TCP LB: 10.10.10.3
DestinationWEB: 10.10.11.2

Internal TCP/UDP load balancers are not proxies, they pass the traffic to backends on the same protocol and port. For your scenario, you would like to have a Firewall rule that allows incoming connections to the backend VM (DestinationWEB) from SourceClientVM using specified target tags [0][1].

Here, I would recommend creating a firewall rule applicable to specific instances by using target tags and source tags:
1. You can add tags to existing VMs (source and target tags) using the gcloud command:
gcloud compute instances add-tags [INSTANCE-NAME] \
    --zone [ZONE] \
    --tags [TAGS]

2. Create a firewall rule with highest priority with the network tag using gcloud command:
gcloud compute --project=[Project_ID] firewall-rules create [Name] \
    --network=[VPC_network] \
    --priority=1000 \
    --action=allow \
    --direction=INGRESS \
    --target-tags=[target-tag-name] \
    --source-tags=[source-tag-name] \
    --rules=tcp:80

Note: if DestinationWEB resides in the same default VPC network as SourceClientVM, the default network already contains the pre-populated rule default-allow-internal (allows ingress connections for all protocols and ports among instances in the network) [2]. However, for a custom VPC network you would need to create a firewall rule with higher priority to permit incoming connections to ‘DestinationWEB’ from SourceClientVM.

Additionally, you would also need a firewall rule to allow health checks from the IP ranges of Google Cloud probe systems, so backends properly respond to traffic. More information can be found here [3].
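The two-step procedure above (tag the VMs, then create a tag-scoped ingress rule) plus the health check rule, as an added worked example that is not part of the reply. It wraps the gcloud calls in small shell functions and defaults to a dry run that prints the commands instead of executing them; the project, network, rule and tag names are assumed placeholders, and the Google health check probe ranges 35.191.0.0/16 and 130.211.0.0/22 are the ones documented on the page linked as [3]. Because the internal TCP LB is pass-through, the backend sees the client's own source address, so the rule is scoped to the backend as target and the client as source, not the LB.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# DRY_RUN=1 (default) prints the gcloud commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: attach a network tag to a VM.
# tag_instance <instance-name> <zone> <tag>
tag_instance() {
  run gcloud compute instances add-tags "$1" --zone "$2" --tags "$3"
}

# Step 2: ingress tcp:80 from VMs carrying the source tag to VMs carrying
# the target tag. Priority 900 beats the default 1000 of pre-populated rules.
# client_to_backend_rule <project> <network> <source-tag> <target-tag>
client_to_backend_rule() {
  run gcloud compute firewall-rules create allow-client-to-web-80 \
    --project="$1" --network="$2" \
    --priority=900 --action=allow --direction=INGRESS \
    --source-tags="$3" --target-tags="$4" --rules=tcp:80
}

# Health checks arrive from Google's probe ranges, not from the client,
# so the backend needs a second ingress rule for them.
# health_check_rule <project> <network> <target-tag>
health_check_rule() {
  run gcloud compute firewall-rules create allow-health-check-80 \
    --project="$1" --network="$2" \
    --action=allow --direction=INGRESS \
    --source-ranges=35.191.0.0/16,130.211.0.0/22 \
    --target-tags="$3" --rules=tcp:80
}

# Example invocation with assumed names (printed, not executed, under DRY_RUN=1).
tag_instance client-vm asia-northeast1-a client-tag
tag_instance web-vm asia-northeast1-b web-tag
client_to_backend_rule proj-example vpc-example client-tag web-tag
health_check_rule proj-example vpc-example web-tag
```

Run it once with the default dry run to review the generated commands, then with DRY_RUN=0 to apply them. Note that no rule targets the LB address itself: an ingress rule whose source is only the LB would never match the client's packets, which is the point the thread arrives at.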

ujisakura

Feb 24, 2021, 5:46:15 AM
to gce-discussion
Hello @gagan...

You gave me an inspiration!
The pass-through load balancer understands that the source is the client.

I tried it in a verification environment.
Communication control was successful.

I'm not good at English. Thank you for answering my question.

-----
ujisakura

On Wednesday, February 24, 2021 at 6:37:10 UTC+9, gagan...@google.com wrote: